Re: how to allow by MAC
On Wed, Jun 13, 2012 at 4:56 PM, Ian Smith smi...@nimnet.asn.au wrote:
> On Mon, 11 Jun 2012 15:18:18 -0700, Randal L. Schwartz wrote:
> > "Bill" == Bill Yuan byc...@gmail.com writes:
> > Bill> I want to create a white list of MAC addresses. Only the machine whose MAC is in the white list will be allowed, all others will be blocked.
> >
> > Bad idea. Since (a) every MAC address that *is* allowed is transmitted in the clear and (b) it's trivial to spoof a MAC address. This. is. no. security.
>
> Indeed, that's right Randal. But I got the impression from Bill's mails that this is more likely just something inside his internal network.

Filtering by MAC is not secure, I agree, but at least secure enough for an internal network. And I am quite sure what I want to achieve. I really want to know how to FILTER BY MAC.

> > Please stop even trying.
>
> Well I don't think learning how to use ipfw properly at layer2 is a bad idea in itself, and I wouldn't want to discourage anyone from that. For some years I ran a filtering transparent bridge with ipfw + dummynet for a small network of about 20 mostly W98, XP and Mac boxes sharing one slow ADSL gateway between various assorted community groups (talk about herding cats! :) and MAC filtering was one of the handiest tools when some box or other got owned (again!) by some virus and started spewing spam, provider complains and/or cuts access .. you know the deal. In that sort of environment, none of the punters had any clue about forging MACs or anything vaguely like that, and it stopped people randomly plugging boxes into the network. Horses for courses.
>
> I replied in more detail to another from Bill privately, copy follows.

Thanks. I saw your email already, very helpful. I will continue to try in that way and share with all here in the future. :)

> cheers, Ian

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: how to allow by MAC
On Mon, 11 Jun 2012 15:18:18 -0700, Randal L. Schwartz wrote:
> "Bill" == Bill Yuan byc...@gmail.com writes:
> Bill> I want to create a white list of MAC addresses. Only the machine whose MAC is in the white list will be allowed, all others will be blocked.
>
> Bad idea. Since (a) every MAC address that *is* allowed is transmitted in the clear and (b) it's trivial to spoof a MAC address. This. is. no. security.

Indeed, that's right Randal. But I got the impression from Bill's mails that this is more likely just something inside his internal network.

> Please stop even trying.

Well I don't think learning how to use ipfw properly at layer2 is a bad idea in itself, and I wouldn't want to discourage anyone from that. For some years I ran a filtering transparent bridge with ipfw + dummynet for a small network of about 20 mostly W98, XP and Mac boxes sharing one slow ADSL gateway between various assorted community groups (talk about herding cats! :) and MAC filtering was one of the handiest tools when some box or other got owned (again!) by some virus and started spewing spam, provider complains and/or cuts access .. you know the deal. In that sort of environment, none of the punters had any clue about forging MACs or anything vaguely like that, and it stopped people randomly plugging boxes into the network. Horses for courses.

I replied in more detail to another from Bill privately, copy follows.

cheers, Ian
Re: how to allow by MAC
"Bill" == Bill Yuan byc...@gmail.com writes:
Bill> I want to create a white list of MAC addresses. Only the machine whose MAC is in the white list will be allowed, all others will be blocked.

Bad idea. Since (a) every MAC address that *is* allowed is transmitted in the clear and (b) it's trivial to spoof a MAC address. This. is. no. security.

Please stop even trying.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
mer...@stonehenge.com URL:http://www.stonehenge.com/merlyn/
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.posterous.com/ for Smalltalk discussion
Re: how to allow by MAC
come on, someone help please,

On Sun, Jun 10, 2012 at 5:43 PM, Bill Yuan byc...@gmail.com wrote:
> Hi,
>
> how to allow by MAC in ipfw? currently i set the rule like below
>
>     1 allow ip from any to any MAC any to MAC Address 1
>     1 allow ip from any to any MAC MAC Address 1 any
>     2 deny all from any to any
>
> i want to only allow the mac address to go through the freebsd firewall, but I found it is not working on my freebsd but it works on pfsense! so maybe that means the environment is not the same? and how to setup the ipfw properly to support this?
Re: how to allow by MAC
Hi,
Reference:
> From: Bill Yuan byc...@gmail.com
> Date: Sun, 10 Jun 2012 21:09:01 +0800
> Message-id: CAC+JH2ySQVCSXY+3Grh+Qe=li3wzsyu8czq3sa1w3azgpjp...@mail.gmail.com

Bill Yuan wrote:
> come on, someone help please,
>
> On Sun, Jun 10, 2012 at 5:43 PM, Bill Yuan byc...@gmail.com wrote:
> > Hi,
> >
> > how to allow by MAC in ipfw? currently i set the rule like below
> >
> >     1 allow ip from any to any MAC any to MAC Address 1
> >     1 allow ip from any to any MAC MAC Address 1 any
> >     2 deny all from any to any
> >
> > i want to only allow the mac address to go through the freebsd firewall, but I found it is not working on my freebsd but it works on pfsense! so maybe that means the environment is not the same? and how to setup the ipfw properly to support this?

Maybe others ignored it for the same reason I did: blocking by MAC number seems weird, of no interest; I block/pass by IP net number.

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
 Reply below not above, cumulative like a play script, indent with "> ".
 Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable.
 Mail from @yahoo dumped @berklix. http://berklix.org/yahoo/
Re: how to allow by MAC
Julian H. Stacey wrote:
> Bill Yuan wrote:
> > come on, someone help please,
> >
> > On Sun, Jun 10, 2012 at 5:43 PM, Bill Yuan byc...@gmail.com wrote:
> > > [...]
>
> Maybe others ignored it for the same reason I did: blocking by MAC number seems weird, of no interest; I block/pass by IP net number.

as shown by ifconfig
    MAC : 6 byte
    IP  : 4 byte (IPV4)

Cheers,
Julian
Re: how to allow by MAC
In freebsd-questions Digest, Vol 418, Issue 18, Message: 1
On Sun, 10 Jun 2012 17:43:39 +0800 Bill Yuan byc...@gmail.com wrote:
> how to allow by MAC in ipfw? currently i set the rule like below
>
>     1 allow ip from any to any MAC any to MAC Address 1
>     1 allow ip from any to any MAC MAC Address 1 any
>     2 deny all from any to any
>
> i want to only allow the mac address to go through the freebsd firewall, but I found it is not working on my freebsd but it works on pfsense! so maybe that means the environment is not the same? and how to setup the ipfw properly to support this?

Bill, you did get some good clues in the earlier thread, but it's not clear if you took note of them. There's also been some confusion ..

Firstly, read up on layer2 (ethernet, MAC-level) filtering options in ipfw(8). Thoroughly, several times, until you've got it. Seriously.

After enabling sysctl net.link.ether.ipfw=1 (add it to /etc/sysctl.conf) ipfw will be invoked 4 times instead of the normal 2, on every packet. Read carefully ipfw(8) section 'PACKET FLOW', and see that only on the inbound pass invoked from ether_demux() and the outbound pass invoked from ether_output_frame() can you test for MAC addresses (or mac-types); the 'normal' layer3 passes examine packets that have no layer2 headers.

You could just add 'layer2' to any rules filtering on MAC addresses, and omit MAC addresses from all layer 3 (IP) rules, but I'd recommend using a method like shown there to separate layer2 and layer3 flows early on:

    # packets from ether_demux
    ipfw add 10 skipto 1000 all from any to any layer2 in
    # packets from ip_input
    ipfw add 10 skipto 2000 all from any to any not layer2 in
    # packets from ip_output
    ipfw add 10 skipto 3000 all from any to any not layer2 out
    # packets from ether_output_frame
    ipfw add 10 skipto 4000 all from any to any layer2 out

So at (eg) 1000 and 4000 place your incoming and outgoing MAC filtering rules (remembering the reversed order of MAC addresses vs IP addresses, and to allow broadcasts as well), pass good guys and/or block bad guys, then deal with your normal IPv4|v6 traffic in a separate section(s). Or you could just split the flows into two streams, one for layer2 for your MAC filtering, the other for layer3, ie the rest of your ruleset.

HTH, Ian

[please cc me on any reply]
Re: how to allow by MAC
Hi Ian,

Thanks for your reply, I am reading some old emails which you sent in 2008 when someone elsewhere asked the same question as mine,

On Mon, Jun 11, 2012 at 1:53 AM, Ian Smith smi...@nimnet.asn.au wrote:
> In freebsd-questions Digest, Vol 418, Issue 18, Message: 1
> On Sun, 10 Jun 2012 17:43:39 +0800 Bill Yuan byc...@gmail.com wrote:
> > [...]
>
> Bill, you did get some good clues in the earlier thread, but it's not clear if you took note of them. There's also been some confusion ..
>
> Firstly, read up on layer2 (ethernet, MAC-level) filtering options in ipfw(8). Thoroughly, several times, until you've got it. Seriously.
>
> [...]
>
> HTH, Ian
>
> [please cc me on any reply]
Re: how to allow by MAC
forget to post the link here
http://lists.freebsd.org/pipermail/freebsd-questions/2008-June/177636.html

On Mon, Jun 11, 2012 at 11:16 AM, Bill Yuan byc...@gmail.com wrote:
> Hi Ian,
>
> Thanks for your reply, I am reading some old emails which you sent in 2008 when someone elsewhere asked the same question as mine,
>
> On Mon, Jun 11, 2012 at 1:53 AM, Ian Smith smi...@nimnet.asn.au wrote:
> > [...]
Re: how to allow by MAC
I would ask what problem do you want to solve here; is it preventing a user just from getting out unless they are using their assigned address, or something else?

On Jun 10, 2012 8:16 PM, Bill Yuan byc...@gmail.com wrote:
> Hi Ian,
>
> Thanks for your reply, I am reading some old emails which you sent in 2008 when someone elsewhere asked the same question as mine,
>
> On Mon, Jun 11, 2012 at 1:53 AM, Ian Smith smi...@nimnet.asn.au wrote:
> > [...]
Re: how to allow by MAC
Hi Brian,

Thanks for your care. Excuse me, my English is not that good, I am from Singapore :)

I want to create a white list of MAC addresses. Only the machine whose MAC is in the white list will be allowed, all others will be blocked.

Thanks

On Mon, Jun 11, 2012 at 11:21 AM, Brian W. br...@brianwhalen.net wrote:
> I would ask what problem do you want to solve here; is it preventing a user just from getting out unless they are using their assigned address, or something else?
>
> On Jun 10, 2012 8:16 PM, Bill Yuan byc...@gmail.com wrote:
> > Hi Ian,
> >
> > Thanks for your reply, I am reading some old emails which you sent in 2008 when someone elsewhere asked the same question as mine,
> >
> > On Mon, Jun 11, 2012 at 1:53 AM, Ian Smith smi...@nimnet.asn.au wrote:
> > > [...]