IPFW Firewall Rule
Ian Smith
smithi at nimnet.asn.au
Fri Apr 1 17:39:58 UTC 2016
In freebsd-questions Digest, Vol 617, Issue 6, Message: 7
On Fri, 1 Apr 2016 06:26:34 -0400 Carmel <carmel_ny at outlook.com> wrote:
> I have two laptops that I use when I travel. I need them to have access
> to my LDAP server. I tried configuring this in my IPFW firewall rules,
> but they fail:
>
> #!/bin/sh
> cmd="ipfw -q add"
> pif="em0"
>
> ## Lots of rules - truncated
>
> $cmd allow log tcp from any MAC "0C:54:A5:04:BA:DD" to me 389 in via $pif setup keep-state
> $cmd allow log tcp from any MAC "00:1A:A0:89:CA:EA" to me 389 in via $pif setup keep-state
>
> This is the error message repeated twice:
>
> ipfw: missing ``to''
>
> If I substitute an IP address and remove the "any MAC "address" it works
> fine. I got this example from a web search. Can anyone tell me what I
> am doing wrong?

There are a few issues with this.

1) MAC addresses can only be examined on ethernet packets, at layer2,
which requires that sysctl net.link.ether.ipfw be set to 1, adding
another two passes to ipfw's examination of packets. See section PACKET
FLOW in ipfw(8) for an explanation of how this works and an example set
of rules to separate layer2 (ethernet) flows from layer3 (IP) flows.
Search ipfw(8) for 'layer-*2' - assuming viewing in less(1) - to catch
both 'layer2' and 'layer-2' references, which is mildly tacky.

2) The order of 'to' and 'from' addresses is reversed at layer2, so the
syntax should be more like 'MAC any "0C:54:A5:04:BA:DD"' if I read your
intent right. See section RULE OPTIONS '{ MAC | mac } dst-mac src-mac'.

3) I don't think you can match statefully at layer2, but may be wrong.

4) Most relevant to your stated purpose, MAC addresses are only used on
local networks (wired or wireless) and are not transmitted over the IP
internet, so you can't use this method remotely - except perhaps via a
VPN tunnel, appearing as a local network, but I'm not sure about that.

5) MAC addresses, even locally, are easy to spoof and while useful are
not a security measure per se. I think you need to find another method
to identify and authenticate remote callers to LDAP. I know very close
to nothing about that, except that there are LDAP-savvy people here ..

cheers, Ian
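The following script is an added example written for this page; it is not code from either poster. It rebuilds the two rules with the corrections discussed in the reply above: the layer-2 passes are enabled with net.link.ether.ipfw=1, layer-2 and IP flows are split with skipto in the way the PACKET FLOW section of ipfw(8) describes, the MAC option is written dst-mac first and src-mac second, and setup/keep-state is moved to the IP rule. It also refuses a malformed MAC string before ipfw sees it and runs a parse-only check with `ipfw -n` where the binary exists. The rule numbers, the `deny log` rule for LDAP frames from other MACs, the interface em0 and the LDAP port are assumptions made for the example; as points 4 and 5 of the reply note, this only has any effect while the laptops sit on the local segment, and it is no substitute for authenticating LDAP clients.

```shell
#!/bin/sh
# Added example (not code from the thread). Generates the corrected ipfw
# ruleset as text, validates MAC strings, and syntax-checks with ipfw -n.
# Assumptions: net.link.ether.ipfw=1 turns on the layer-2 passes; rule
# numbers, em0 and port 389 are illustrative choices for this example.

pif="em0"
ldap_port=389

# Accept only "xx:xx:xx:xx:xx:xx" with hex digits. Anything else is
# rejected here instead of surfacing as an ipfw parse error at boot.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# One layer-2 rule body per laptop. The MAC option takes dst-mac first
# and src-mac second, the reverse of the IP from/to order, so the
# laptop's address is the second operand. No setup/keep-state here:
# stateful matching is left to the layer-3 rule below.
mac_rule() {
    mac="$1"
    valid_mac "$mac" || { echo "rejecting malformed MAC: $mac" >&2; return 1; }
    printf 'allow tcp from any to me %s MAC any %s layer2 in via %s\n' \
        "$ldap_port" "$mac" "$pif"
}

# Whole ruleset, one "ipfw add" body per line (rule numbers are mine).
build_ruleset() {
    # Send layer-2 frames and IP packets to separate blocks.
    echo "100 skipto 1000 all from any to any layer2 in via $pif"
    echo "110 skipto 2000 all from any to any not layer2"
    # Layer-2 block: only the two known laptops may bring LDAP frames in;
    # everything else at layer 2 is passed on unchanged.
    echo "1000 $(mac_rule 0C:54:A5:04:BA:DD)"
    echo "1010 $(mac_rule 00:1A:A0:89:CA:EA)"
    echo "1020 deny log tcp from any to me $ldap_port layer2 in via $pif"
    echo "1030 allow all from any to any layer2"
    # Layer-3 block: the stateful TCP rule the original script wanted.
    echo "2000 allow tcp from any to me $ldap_port in via $pif setup keep-state"
    echo "2010 deny log tcp from any to me $ldap_port"
    echo "2020 allow all from any to any"
}

# Parse-only check with ipfw -n. On a host without ipfw the ruleset is
# still generated so the MAC validation above runs.
check_syntax() {
    if command -v ipfw >/dev/null 2>&1; then
        build_ruleset | while read -r rule; do
            ipfw -n add $rule || return 1
        done
    else
        build_ruleset >/dev/null
    fi
}

# Actually load the rules (FreeBSD only). Not run unless asked for.
load_ruleset() {
    sysctl net.link.ether.ipfw=1
    build_ruleset | while read -r rule; do
        ipfw -q add $rule
    done
}

if [ "${1:-}" = "load" ]; then
    check_syntax && load_ruleset
fi
```

Run it with no arguments to generate and syntax-check the rules, and with `load` on the firewall host to apply them; the "Lots of rules - truncated" part of the original script would go in front of the final catch-all in the layer-3 block.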