The best of both worlds “using mac filtering in pf”

Kristof Provost kp at FreeBSD.org
Fri Jul 10 20:26:41 UTC 2020


On 10 Jul 2020, at 19:57, l.m.v.breda at xs4all.nl wrote:
> Hello,
>
> I am using pfSense, built on top of pf. And of course pfSense/pf is a 
> terrific firewall, however the world is changing in the direction of 
> IPv6 and that leads to new issues and related new requirements.
>
> One of the major issues is that IPv6 does not provide a stable source 
> address you can use to filter in your firewall.
>
> Many firewalls “out there” are *using the level-2 MAC as a way 
> around this issue*. However … pfSense cannot provide that 
> functionality, since it is built on top of … pf.
>
> Well, and then there is a “striking” issue … suppose that 
> pfSense would have been built on top of OpenBSD, still using pf 
> … That would have been possible …
>
> So as user I would be very pleased if there could be a joined 
> “pf-release” having *best of both worlds* !!!!
>
> Assume we were running OpenBSD … things like:
>
> step-1: ifconfig bridge0 rule pass in on fxp0 src <mac-address> tag 
> <sometag>
> step-2: And then in pf.conf: pass in on fxp0 tagged <sometag> (policy 
> based rule)
>
> would have been an option … not saying it is the best option … a 
> better option would be if pf could set the tag itself.
>
> Whatever, please consider adding this functionality to pf, preferably in 
> the short term, since IPv6 is fast becoming very important!
>
> Sincerely,
>
> Louis
>
> PS … should I raise a feature request for this?
>
You can, but adding L2 filtering functionality to pf isn’t even on my 
long-term todo list. It is essentially out of the question that it’d 
be added in the short term (or even in the next year or two, unless 
someone decides it’s worth contracting me for several months to do 
it).

I don’t personally see the use case for it either, but perhaps I’m 
missing something. Can you explain what exactly you’d like to 
accomplish with L2 filtering?

(It’s already possible to use pf on top of a bridge in 
bump-in-the-wire mode. Given the gotchas in that code I **strongly** 
recommend people don’t use that functionality.)

Best regards,
Kristof
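
The two steps Louis describes, written out as a complete OpenBSD configuration. This is an added example, not code from either message above nor from the pf, pfSense or OpenBSD projects; the interface names (bridge0, em0, em1), the MAC address and the tag name TRUSTED are assumptions. bridge(4) rules are evaluated in order with first match winning, and a frame that matches no rule is passed untagged, so the trailing `rule block` line is what actually turns this into MAC filtering. As Kristof's reply says, FreeBSD's pf has no equivalent layer-2 hook, so none of this carries over to pfSense.

```conf
# /etc/hostname.bridge0   (OpenBSD; assumed interface and host names)
add em0
add em1
# Frames arriving on em0 from the trusted host's MAC (assumed value)
# are tagged TRUSTED so that pf(4) can match them with "tagged".
rule pass in on em0 src 00:11:22:33:44:55 tag TRUSTED
# Everything else arriving on em0 is dropped at layer 2.  Without this
# line a frame matching no rule is simply passed, untagged.
rule block in on em0
up

# /etc/pf.conf   (fragment)
# Default deny on the bridge member, then admit only tagged frames.
# The host's IPv6 source address may change (privacy extensions, new
# prefix); the tag, derived from its MAC, does not.
block in on em0
pass in on em0 inet6 tagged TRUSTED keep state
```

Inspect the loaded bridge rules with `ifconfig bridge0 rules` and the pf rules with `pfctl -sr`; a frame from a spoofed MAC is still accepted, which is the usual caveat of any MAC-based scheme and is not something pf's tag can fix.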


More information about the freebsd-pf mailing list