how to reject all mac addresses except some mac addresses using ipfw?

Ian Smith smithi at nimnet.asn.au
Wed Jun 25 18:55:20 UTC 2008 

On Tue, 24 Jun 2008 12:23:48 -0700 Chris St Denis <chris at smartt.com> wrote:
 > Yavuz Maslak wrote:
 > > I use ipfw on freebsd7.
 > >
 > > I have two questions
 > >
 > > 1- I want to fix an ip address for each mac address. But some pc
 > > and servers have more than an ip address. How can I map multiple ip
 > > addresses for a mac address? 
 > > 2- I want to allow these fixed mac addresses using ipfw. After that
 > > I want to deny all mac address via the server's local ethernet card. 
 > > How can I do these cases? 

 > I haven't used ipfw for mac level filtering before, but it looks like 
 > the syntax is.
 > 
 > ipfw add allow MAC <mac address> any
 > ipfw add allow MAC <mac address> any
 > ipfw add allow MAC <mac address> any
 > ipfw add deny MAC any any
 > 
 > You'll probably have to include the server's own MAC in that list.

Firstly, a similar caveat; I haven't actually used this myself yet, but
scanning ipfw(8) for 'mac|MAC' reveals that it's not quite so simple.

You need to separate layer2 packets that have an associated MAC address,
from layer3 packets, that don't.  To filter layer2 packets you need to
set sysctl net.link.ether.ipfw=1 'Controls whether layer-2 packets are
passed to ipfw. Default is no (0)'  With this set, ipfw will be invoked
twice on each incoming packet, and twice on each outgoing one.

Testing here just on the input path, perhaps .. see ipfw(8):

# packets from ether_demux or bdg_forward
ipfw add 10 skipto 1000 all from any to any layer2 in recv $some_if
# packets from ip_input (layer 3)
ipfw add 10 skipto 2000 all from any to any not layer2 in recv $some_if
[.. see ipfw(8) example ..]

# incoming packets from ether_demux, having a mac address, on $some_if
# first example re Q1, two IP addresses having the same MAC (aliases?)
ipaddr1='192.168.0.30'
ipaddr2='192.168.0.31'		# or could use a list, or a table ..
srcmac1='de:ad:be:ef:c0:de'
ipaddr3='192.168.0.50'
srcmac3='de:af:fe:ca:dd:ed'
[..]
ipfw add 1000 skipto 1500 all from $ipaddr1 to any MAC any $srcmac1
ipfw add 1001 skipto 1500 all from $ipaddr2 to any MAC any $srcmac1
# another box
ipfw add 1010 skipto 1500 all from $ipaddr3 to any MAC any $srcmac3
[..]
ipfw add 1490 deny log all from any to any	# unknown MAC/IP pairs
ipfw add 1500 allow all from any to any	  # proceed to layer 3 pass ..
[..]
ipfw add 2000 [.. layer 3 filtering as per usual ..]

Note that MAC addresses are specified dst-mac first, then src-mac, and
that you will also need to allow, if not check, outgoing layer2 pkts.

Completely untested: may contain syntax errors, traces of nuts, etc.

cheers, Ian

More information about the freebsd-questions mailing list