packet tagging

Jason Hellenthal jhellenthal at dataix.net
Fri May 10 04:19:47 UTC 2013


As for 8-STABLE this functionality is not available.

I'm not tracking 9-* so someone else will have to answer for that.

But as far as L2 filtering on the bridge...

You will probably want ipfw instead, as on 8-* we're using pf 4.3(?), which on FreeBSD is L3 and L4 filtering only.

If you are looking for a BSD solution for filtering only and your concern is mainly based on using pf, I will sadly say you should lean on OpenBSD unless something changes or you are willing to use access lists on your switches.

Now, if your concern is mainly wireless, the if_wlan interface is capable of its own L2 filtering, but nothing like pf.

Good luck & best packeting,

-- 
 Jason Hellenthal
 IS&T Services Professional
 Inbox: jhellenthal at DataIX.net
 JJH48-ARIN


On May 9, 2013, at 11:54, Christophe <tech at stuxnet.org> wrote:

> Hi,
> 
> Nomad Esst wrote,
>> I want to filter packets based on their MAC address. After many hours of googling I found out that such filtering is done via a bridge. I just want to know: are there any ways besides this? I also found these patches, which are too old, and I could not apply them on my FBSD 8.2 ....
>> Any suggestions? I'm so disappointed ...
> 
> Never made such a config on FreeBSD but on OpenBSD :
> 
> A bridge (even with a single interface) is, as far as I know, mandatory to filter MAC-based packets.
> 
> 
> A "rulefile", /etc/l2filter, like this:
> 
> ### WKS1 ########
> pass in on trunk0 src 00:1d:72:b0:b3:94 tag wks1lan
> 
> ### WKS2 ########
> pass in on trunk0 src 00:1d:72:b0:b3:91 tag wks2lan
> 
> ### WKS3 ########
> pass in on trunk0 src 08:00:27:50:fe:f4 tag wks3lan
> 
> ### WKS4 ########
> pass in on trunk0 src 08:00:27:03:7f:9b tag wks4lan
> 
> ### WKS5 ########
> pass in on trunk0 src 08:00:27:45:d3:27 tag wks5lan
> 
> ### WKS6 #########
> pass in on trunk0 src 00:1f:16:f0:dc:55 tag wks6lan
> 
> ...
> 
> 
> Loading the rulefile onto the bridge:
> 
> ifconfig bridge0 rulefile /etc/l2filter
> 
> 
> pf rule sample:
> 
> pass in quick on $int_if inet proto tcp from $lan_nets to ! <localnets_v4> port { www,  https } tagged wks4lan tag fromlan keep state
> 
> 
> 
> If modifications are made in /etc/l2filter (trunk0 and re2 being the bridged interfaces):
> 
> ifconfig bridge0 flushrule re2
> ifconfig bridge0 flushrule trunk0
> ifconfig bridge0 rulefile /etc/l2filter
> 
> 
> 
> To disable:
> 
> ifconfig bridge0 flushrule re2
> ifconfig bridge0 flushrule trunk0
> ifconfig bridge0 rule pass in on re2
> ifconfig bridge0 rule pass in on trunk0
> 
> 
> 
> Remember it is an OpenBSD (native) configuration, I don't know if it applies on FreeBSD.
> 
> 
> Regards.
> Christophe.
> 
> 
>> _______________________________________________
>> freebsd-pf at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
> 
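As an added example that is not part of the original thread or of either BSD's own tooling: a small POSIX sh helper that builds a bridge(4) rulefile of the shape Christophe shows from a "MAC tag" host list, rejecting malformed MACs or tags before anything reaches ifconfig, and prints the flushrule/rulefile reload sequence from the thread. Interface names (trunk0, re2, bridge0), MAC addresses and tag names are constructed for illustration. The optional trailing `block in on IFACE` rule goes beyond the thread's rulefile and assumes bridge(4) rules are matched in order with unmatched frames passed by default; check ifconfig(8) on your release before relying on it.

```sh
#!/bin/sh
# Added example, not code from the thread: generate an OpenBSD bridge(4)
# rulefile from a "MAC tag" list, validating every entry first, and print
# the flushrule/rulefile reload sequence. Interface names, MACs and tags
# used here are constructed for illustration.

# A MAC address as bridge(4) rules expect it: six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# gen_l2filter IFACE [DEFAULT]
# Reads "MAC tag" pairs on stdin and writes one "pass in on IFACE src MAC
# tag TAG" rule per host. Malformed MACs or tags are reported on stderr and
# make the function return 1, so a broken list is never fed to ifconfig.
# If DEFAULT is given (e.g. "block"), a final "DEFAULT in on IFACE" rule is
# appended. That catch-all is not in the thread's rulefile and assumes
# bridge(4) matches rules in order and passes unmatched frames by default.
gen_l2filter() {
    iface="$1"
    default="$2"
    rc=0
    while read -r mac tag rest; do
        case "$mac" in ''|'#'*) continue ;; esac    # blank or comment line
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')   # normalise hex case
        if ! is_mac "$mac"; then
            printf 'rejected MAC: %s\n' "$mac" >&2
            rc=1
            continue
        fi
        case "$tag" in
            ''|*[!A-Za-z0-9_]*)
                printf 'rejected tag for %s\n' "$mac" >&2
                rc=1
                continue ;;
        esac
        printf '### %s ########\n' "$tag"
        printf 'pass in on %s src %s tag %s\n\n' "$iface" "$mac" "$tag"
    done
    if [ -n "$default" ]; then
        printf '%s in on %s\n' "$default" "$iface"
    fi
    return $rc
}

# reload_cmds BRIDGE RULEFILE MEMBER...
# Prints the ifconfig sequence from the thread: flush every member's rules,
# then load the rulefile. Printed rather than executed so it can be
# reviewed; pipe into sh on the OpenBSD host to apply.
reload_cmds() {
    bridge="$1"
    file="$2"
    shift 2
    for member in "$@"; do
        printf 'ifconfig %s flushrule %s\n' "$bridge" "$member"
    done
    printf 'ifconfig %s rulefile %s\n' "$bridge" "$file"
}

# Stand-alone demonstration on a constructed host list (MACs and tags are
# made up): the rulefile goes to stdout, followed by the reload commands.
printf '%s\n' \
    '# host list: MAC tag' \
    '00:1d:72:b0:b3:94 wks1lan' \
    '08:00:27:50:FE:F4 wks3lan' |
    gen_l2filter trunk0 block
reload_cmds bridge0 /etc/l2filter re2 trunk0
```

Redirect the first command's output to the rulefile and review it, then run the reload commands on the bridge host; because pf only sees the tags the bridge assigned, a frame whose MAC is missing from the list simply never matches a `tagged` pf rule, which is where the filtering actually happens unless the catch-all block rule is used.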

