IPFW Firewall Rule

Ian Smith smithi at nimnet.asn.au
Fri Apr 1 17:39:58 UTC 2016


In freebsd-questions Digest, Vol 617, Issue 6, Message: 7
On Fri, 1 Apr 2016 06:26:34 -0400 Carmel <carmel_ny at outlook.com> wrote:

 > I have two laptops that I use when I travel. I need them to have access
 > to my LDAP server. I tried configuring this in my IPFW firewall rules,
 > but they fail:
 > 
 > #!/bin/sh
 > cmd="ipfw -q add"
 > pif="em0"
 > 
 > ## Lots of rules - truncated
 > 
 > $cmd allow log tcp from any MAC "0C:54:A5:04:BA:DD" to me 389 in via $pif setup keep-state
 > $cmd allow log tcp from any MAC "00:1A:A0:89:CA:EA" to me 389 in via $pif setup keep-state
 > 
 > This is the error message repeated twice:
 > 
 > ipfw: missing ``to''
 > 
 > If I substitute an IP address and remove the "any MAC "address" it works
 > fine. I got this example from a web search. Can anyone tell me what I
 > am doing wrong?

There are a few issues with this.

1) MAC addresses can only be examined on ethernet packets, at layer2, 
which requires that sysctl net.link.ether.ipfw be set to 1, adding 
another two passes to ipfw's examination of packets.  See section PACKET 
FLOW in ipfw(8) for an explanation of how this works and an example set 
of rules to separate layer2 (ethernet) flows from layer3 (IP) flows.

Search ipfw(8) for 'layer-*2' - assuming viewing in less(1) - to catch 
both 'layer2' and 'layer-2' references, which is mildly tacky.

2) the order of 'to' and 'from' addresses is reversed at layer2, so the 
syntax should be more like 'MAC any "0C:54:A5:04:BA:DD" if I read your 
intent right.  See section RULE OPTIONS '{ MAC | mac } dst-mac src-mac'

3) I don't think you can match statefully at layer2, but may be wrong.

4) most relevant to your stated purpose, MAC addresses are only used on 
local networks (wired or wireless) and are not transmitted over the IP
internet, so you can't use this method remotely - except perhaps via a 
VPN tunnel, appearing as a local network, but I'm not sure about that.

5) MAC addresses, even locally, are easy to spoof and while useful are 
not a security measure per se.  I think you need to find another method 
to identify and authenticate remote callers to LDAP.  I know very close 
to nothing about that, except that there are LDAP-savvy people here ..

cheers, Ian


More information about the freebsd-questions mailing list