packet tagging

Christophe tech at stuxnet.org
Thu May 9 15:55:56 UTC 2013


Hi,

Nomad Esst wrote,
> I want to filter packets based on their MAC address. After many hours of googling I found out that such filtering is done via a bridge. I just want to know: are there any ways besides this? I also found these patches, which are too old, and I could not apply them on my FBSD 8.2 ....
> Any suggestions? I'm so disappointed ...

I have never made such a config on FreeBSD, but on OpenBSD:

A bridge (even with a single interface) is, as far as I know, mandatory
for MAC-based packet filtering.


A "rulefile", /etc/l2filter, like this:

### WKS1 ########
pass in on trunk0 src 00:1d:72:b0:b3:94 tag wks1lan

### WKS2 ########
pass in on trunk0 src 00:1d:72:b0:b3:91 tag wks2lan

### WKS3 ########
pass in on trunk0 src 08:00:27:50:fe:f4 tag wks3lan

### WKS4 ########
pass in on trunk0 src 08:00:27:03:7f:9b tag wks4lan

### WKS5 ########
pass in on trunk0 src 08:00:27:45:d3:27 tag wks5lan

### WKS6 #########
pass in on trunk0 src 00:1f:16:f0:dc:55 tag wks6lan

...


Loading the rulefile on the bridge:

ifconfig bridge0 rulefile /etc/l2filter


Sample pf rule:

pass in quick on $int_if inet proto tcp from $lan_nets to ! <localnets_v4> port { www, https } tagged wks4lan tag fromlan keep state



If modifications are made to /etc/l2filter (here trunk0 and re2 are the
bridge members):

ifconfig bridge0 flushrule re2
ifconfig bridge0 flushrule trunk0
ifconfig bridge0 rulefile /etc/l2filter



To disable:

ifconfig bridge0 flushrule re2
ifconfig bridge0 flushrule trunk0
ifconfig bridge0 rule pass in on re2
ifconfig bridge0 rule pass in on trunk0



Remember that this is an OpenBSD (native) configuration; I don't know
whether it applies to FreeBSD.


Regards.
Christophe.
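As an added example (not code from the original post, and not from the OpenBSD or FreeBSD projects): a small POSIX sh script that generates the bridge rulefile and the matching pf.conf lines from a single host list, refuses to load anything when a MAC is malformed or listed twice, and adds an explicit block for untagged traffic, which the sample pass rule above leaves implicit. Interface names (trunk0, re2, bridge0), tag names and the host list are hypothetical; the ifconfig syntax is OpenBSD's, as in the post. One caveat the thread does not state: a source MAC is trivially forged by any host on the segment, so this identifies a workstation against accidental misconfiguration, not against a deliberate attacker.

```shell
#!/bin/sh
# Added example, not from the original post: keep the bridge(4) L2 rulefile
# and the pf.conf tag rules in sync from one host list, and refuse to load
# anything if an entry is malformed or a MAC appears twice.
# Interface names, tag names and the host list are hypothetical; the
# ifconfig syntax is OpenBSD's (as in the post), not FreeBSD's.

LAN_IF=${LAN_IF:-trunk0}                      # member facing the workstations
BRIDGE_IF=${BRIDGE_IF:-bridge0}
BRIDGE_MEMBERS=${BRIDGE_MEMBERS:-"trunk0 re2"} # every member gets flushed
RULEFILE=${RULEFILE:-/etc/l2filter}
IFCONFIG=${IFCONFIG:-ifconfig}                # set to "echo" for a dry run

# Constructed host list: "<name> <mac>" per line, '#' starts a comment.
# wks4 has a truncated MAC and wks5 repeats wks2's MAC, both on purpose.
HOSTS='# name   mac
wks1     00:1d:72:b0:b3:94
wks2     00:1d:72:b0:b3:91
wks3     08:00:27:50:fe:f4
wks4     08:00:27:50:fe
wks5     00:1d:72:b0:b3:91
'

# mac_ok MAC: six lower-case, colon-separated hex octets, the one form the
# bridge rule parser and the rest of this script agree on.
mac_ok() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# check_hosts LIST: print the name of every rejected entry (bad MAC or
# duplicate MAC) and return 1 if there was any. A here-document rather than
# a pipe, so the loop runs in this shell and $rc survives it.
check_hosts() {
    rc=0 seen=' '
    while read -r name mac _; do
        case $name in ''|'#'*) continue ;; esac
        if ! mac_ok "$mac"; then
            printf '%s\n' "$name"; rc=1; continue
        fi
        case $seen in *" $mac "*) printf '%s\n' "$name"; rc=1; continue ;; esac
        seen="$seen$mac "
    done <<EOF
$1
EOF
    return $rc
}

# gen_l2filter LIST: the rulefile in the post's format, one tagged pass rule
# per host. Produces no output and returns 1 if check_hosts rejects
# anything, so a typo can never yield a half-loaded rulefile.
gen_l2filter() {
    check_hosts "$1" >/dev/null || return 1
    while read -r name mac _; do
        case $name in ''|'#'*) continue ;; esac
        printf '### %s ########\npass in on %s src %s tag %slan\n\n' \
            "$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')" \
            "$LAN_IF" "$mac" "$name"
    done <<EOF
$1
EOF
}

# gen_pf_rules LIST: the pf.conf side. Block first, then one quick pass per
# tag, so a LAN host whose MAC is not listed (hence untagged) is dropped.
gen_pf_rules() {
    check_hosts "$1" >/dev/null || return 1
    printf 'block in log on %s\n' "$LAN_IF"
    while read -r name mac _; do
        case $name in ''|'#'*) continue ;; esac
        printf 'pass in quick on %s inet proto tcp to port { www, https } tagged %slan keep state\n' \
            "$LAN_IF" "$name"
    done <<EOF
$1
EOF
}

# reload_rules FILE: the post's reload sequence, generalised to every
# bridge member. Call only after gen_l2filter succeeded.
reload_rules() {
    for m in $BRIDGE_MEMBERS; do
        $IFCONFIG "$BRIDGE_IF" flushrule "$m" || return 1
    done
    $IFCONFIG "$BRIDGE_IF" rulefile "$1"
}

# main: validate, write the rulefile, reload, print the pf.conf fragment.
main() {
    check_hosts "$HOSTS" || { echo "rejected entries listed above; not loading" >&2; return 1; }
    gen_l2filter "$HOSTS" > "$RULEFILE" && reload_rules "$RULEFILE" || return 1
    gen_pf_rules "$HOSTS"    # paste into pf.conf, then pfctl -f /etc/pf.conf
}

if [ "${1:-}" = apply ]; then main; fi
```

`sh l2filter.sh apply` writes the rulefile, reloads the bridge and prints the pf.conf lines to paste; with the constructed list above it stops at the check and names wks4 and wks5. `IFCONFIG=echo` turns the reload into a dry run that only prints the ifconfig commands.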

