Re: how to reject all mac addresses except some mac addresses using ipfw?
On Tue, 24 Jun 2008 12:23:48 -0700 Chris St Denis [EMAIL PROTECTED] wrote: Yavuz Maslak wrote: I use ipfw on freebsd7. I have two questions 1- I want to fix an ip address for each mac address. But some pc and servers have more than an ip address. How can I map multiple ip addresses for a mac address? 2- I want to allow these fixed mac addresses using ipfw. After that I want to deny all mac address via the server's local ethernet card. How can I do these cases? I haven't used ipfw for mac level filtering before, but it looks like the syntax is. ipfw add allow MAC mac address any ipfw add allow MAC mac address any ipfw add allow MAC mac address any ipfw add deny MAC any any You'll probably have to include the server's own MAC in that list. Firstly, a similar caveat; I haven't actually used this myself yet, but scanning ipfw(8) for 'mac|MAC' reveals that it's not quite so simple. You need to separate layer2 packets that have an associated MAC address, from layer3 packets, that don't. To filter layer2 packets you need to set sysctl net.link.ether.ipfw=1 'Controls whether layer-2 packets are passed to ipfw. Default is no (0)' With this set, ipfw will be invoked twice on each incoming packet, and twice on each outgoing one. Testing here just on the input path, perhaps .. see ipfw(8): # packets from ether_demux or bdg_forward ipfw add 10 skipto 1000 all from any to any layer2 in recv $some_if # packets from ip_input (layer 3) ipfw add 10 skipto 2000 all from any to any not layer2 in recv $some_if [.. see ipfw(8) example ..] # incoming packets from ether_demux, having a mac address, on $some_if # first example re Q1, two IP addresses having the same MAC (aliases?) ipaddr1='192.168.0.30' ipaddr2='192.168.0.31' # or could use a list, or a table .. srcmac1='de:ad:be:ef:c0:de' ipaddr3='192.168.0.50' srcmac3='de:af:fe:ca:dd:ed' [..] ipfw add 1000 skipto 1500 all from $ipaddr1 to any MAC any $srcmac1 ipfw add 1001 skipto 1500 all from $ipaddr2 to any MAC any $srcmac1 # another box ipfw add 1010 skipto 1500 all from $ipaddr3 to any MAC any $srcmac3 [..] ipfw add 1490 deny log all from any to any # unknown MAC/IP pairs ipfw add 1500 allow all from any to any # proceed to layer 3 pass .. [..] ipfw add 2000 [.. layer 3 filtering as per usual ..] Note that MAC addresses are specified dst-mac first, then src-mac, and that you will also need to allow, if not check, outgoing layer2 pkts. Completely untested: may contain syntax errors, traces of nuts, etc. cheers, Ian ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
how to reject all mac addresses except some mac addresses using ipfw?
I use ipfw on freebsd7. I have two questions 1- I want to fix an ip address for each mac address. But some pc and servers have more than an ip address. How can I map multiple ip addresses for a mac address? 2- I want to allow these fixed mac addresses using ipfw. After that I want to deny all mac address via the server's local ethernet card. How can I do these cases? Thanks ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: how to reject all mac addresses except some mac addresses using ipfw?
On Jun 24, 2008, at 10:26 AM, Yavuz Maslak wrote: 1- I want to fix an ip address for each mac address. But some pc and servers have more than an ip address. How can I map multiple ip addresses for a mac address? Most people use ifconfig, perhaps indirectly via /etc/rc.conf. 2- I want to allow these fixed mac addresses using ipfw. After that I want to deny all mac address via the server's local ethernet card. How can I do these cases? Few choose to go that route, but you can disable ARP and set up /etc/ ethers, or you could even fire up your favorite firewall (IPFW, PF, whatever), and add allow rules for the permitted MAC addresses, and deny all others. -- -Chuck ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: how to reject all mac addresses except some mac addresses using ipfw?
[ ...please don't top-post... ] On Jun 24, 2008, at 11:42 AM, Yavuz Maslak wrote: But I should have asked different my first question. I have meant that how can I restrict to use an ip address which I already assigned to a computer, anyone can use at his pc? There is nothing which can prevent someone from configuring a machine to use any IP address they want to set, assuming they have admin access to that machine. Normally, you don't grant physical access to your network for people you don't trust, but if you need to provide network access to untrustworthy systems, then you need to look into setting up access control via VLANs, or maybe PPPoE, or something similar where you can isolate their network and only let their traffic talk to other things if they connect properly... Regards, -- -Chuck ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: how to reject all mac addresses except some mac addresses using ipfw?
would you have a working example on how to deny traffic from a mac address if it is not using a allowed ip address.. I would like to use pf On 6/24/08, Chuck Swiger [EMAIL PROTECTED] wrote: On Jun 24, 2008, at 10:26 AM, Yavuz Maslak wrote: 1- I want to fix an ip address for each mac address. But some pc and servers have more than an ip address. How can I map multiple ip addresses for a mac address? Most people use ifconfig, perhaps indirectly via /etc/rc.conf. 2- I want to allow these fixed mac addresses using ipfw. After that I want to deny all mac address via the server's local ethernet card. How can I do these cases? Few choose to go that route, but you can disable ARP and set up /etc/ ethers, or you could even fire up your favorite firewall (IPFW, PF, whatever), and add allow rules for the permitted MAC addresses, and deny all others. -- -Chuck ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: how to reject all mac addresses except some mac addresses using ipfw?
Yavuz Maslak wrote: I use ipfw on freebsd7. I have two questions 1- I want to fix an ip address for each mac address. But some pc and servers have more than an ip address. How can I map multiple ip addresses for a mac address? 2- I want to allow these fixed mac addresses using ipfw. After that I want to deny all mac address via the server's local ethernet card. How can I do these cases? Thanks ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] I haven't used ipfw for mac level filtering before, but it looks like the syntax is. ipfw add allow MAC mac address any ipfw add allow MAC mac address any ipfw add allow MAC mac address any ipfw add deny MAC any any You'll probably have to include the server's own MAC in that list. -- Chris St Denis Programmer SmarttNet (www.smartt.com) Ph: 604-473-9700 Ext. 200 --- Smart Internet Solutions For Businesses ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
