ipfw with nat - allowing by MAC address

Julian Elischer julian at elischer.org
Mon Apr 23 05:38:37 UTC 2007


AT Matik wrote:
> On Sunday 22 April 2007 06:13, Lubomir Georgiev wrote:
>> As a side note - I had found "sysctl net.link.ether.ipfw=1" and it was
>> enabled during my endless futile attempts.
>> I believe that my problem lies in my rules but I can't figure out what's
>> wrong with them.... So someone please help.
> 
> you do not read with attention ...
> 
> on a router (natd) you do not have layer2 traffic, obviously then you can not 
> analyse it, even loading if_bridge makes no sense since there is no such 
> traffic so you're wasting your time
> 
> if you need to block MACs you need to do it at switch level or put a freebsd 
> bridge between the stations and your natd gateway

you are incorrect.

The data will pass through the firewall as it enters and exits the system via
the ethernet interfaces. The trick is that it will also pass through the firewall
when it is routing in and out of the system at the IP level.

What I always do is something like:

# IP-level passes skip straight to the layer 3 section at rule 100.
ipfw add 10 skipto 100 ip from any to any not layer2
# now we are only processing packets from the ethernet layer.
# keep track of sessions with MAC addresses we don't want to NAT
ipfw add 20 skipto 3000 {mac spec} keep_state
[...]


# now we do layer 3 processing.
# divide up according to interface and direction.
ipfw add 100 skipto 1000 ip from any to any in recv ${inside_interface}
ipfw add 101 skipto 1100 ip from any to any out xmit ${inside_interface}
ipfw add 102 skipto 1200 ip from any to any in recv ${outside_interface}
ipfw add 103 skipto 1300 ip from any to any out xmit ${outside_interface}
# effectively we are not filtering anything else
ipfw add 104 accept ip from any to any

ipfw add 1000 allow ip from any to any
ipfw add 1100 allow ip from any to any
# Now the outside interface where NAT happens.
# first, incoming packets are always sent to NAT if they are to us,
# unless the layer2 code exempted the session in question. Those will go to 3000.
ipfw add 1200 check-state
ipfw add 1201 divert natd ip from any to ${outside_address}
# The same number.. drop anything not diverted.
ipfw add 1201 drop ip from any to any 
# nat/divert will reinject the packet here.
ipfw add 1202 accept ip from any to any
# now the outgoing packets.
ipfw add 1300 check-state
ipfw add 1301 accept ip from ${outside_address} to any
ipfw add 1302 divert natd ip from any to any
# anything NATD allows through will be reinjected here.
ipfw add 1303 accept ip from any to any

# when the layer2 packets come here, just let them go on..
ipfw add 3000 accept ip from any to any layer2
# but when the layer 3 packets come here.. do something completely different.
[....]


> 
> João
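The layout sketched in the reply above, written out as a complete loader script. This is an added example, not code from the original post: interface names, the outside address and the MAC lists are constructed placeholders, and the {mac spec} gap is filled two ways, a deny list for the original poster's block-by-MAC case and a NAT-exempt list with keep_state for the case Julian describes. Set IPFW=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the original post): two-pass ipfw loader, layer 2
# first, then layer 3. Placeholders: em0/em1, 203.0.113.10 and the MACs are
# constructed. Assumes net.link.ether.ipfw=1 and natd on the "natd" divert
# port, as in the post.
IPFW="${IPFW:-/sbin/ipfw}"        # IPFW=echo prints the rules instead of loading them
inside_if="${inside_if:-em0}"
outside_if="${outside_if:-em1}"
outside_address="${outside_address:-203.0.113.10}"
blocked_macs="00:00:5e:00:53:01 00:00:5e:00:53:02"   # never forwarded at all
nonat_macs="00:00:5e:00:53:10"                       # forwarded, but never NATed
rule() { "$IPFW" add "$@"; }
load_ruleset() {
    "$IPFW" -q -f flush
    # pass 1: only ethernet frames get past rule 10; IP-level passes jump to 100
    rule 10 skipto 100 ip from any to any not layer2
    for m in $blocked_macs; do
        rule 20 deny ip from any to any MAC any "$m" in recv "$inside_if"
        rule 20 deny ip from any to any MAC "$m" any out xmit "$inside_if"
    done
    # sessions started by exempt stations get a dynamic rule whose action is
    # skipto 3000, so check-state at 1200/1300 steers them around natd later
    for m in $nonat_macs; do
        rule 30 skipto 3000 ip from any to any MAC any "$m" in recv "$inside_if" keep_state
    done
    rule 99 allow ip from any to any layer2
    # pass 2: layer 3, split by interface and direction
    rule 100 skipto 1000 ip from any to any in recv "$inside_if"
    rule 101 skipto 1100 ip from any to any out xmit "$inside_if"
    rule 102 skipto 1200 ip from any to any in recv "$outside_if"
    rule 103 skipto 1300 ip from any to any out xmit "$outside_if"
    rule 104 allow ip from any to any
    rule 1000 allow ip from any to any
    rule 1100 allow ip from any to any
    # inbound on the outside interface: NAT what is addressed to us, drop the
    # rest; natd reinjects at the first rule numbered above 1201, i.e. 1202
    rule 1200 check-state
    rule 1201 divert natd ip from any to "$outside_address"
    rule 1201 deny ip from any to any
    rule 1202 allow ip from any to any
    # outbound on the outside interface: the router's own traffic is not NATed
    rule 1300 check-state
    rule 1301 allow ip from "$outside_address" to any
    rule 1302 divert natd ip from any to any
    rule 1303 allow ip from any to any
    # exempt sessions land here: frames continue, IP packets pass without NAT
    rule 3000 allow ip from any to any layer2
    rule 3001 allow ip from any to any
}
```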
