Re: Anyway to ipfw filter based on MAC address?
On Mon, Aug 28, 2000 at 11:31:06PM -0400, Bill Fumerola wrote:
> On Mon, Aug 28, 2000 at 07:02:03PM -0700, Jaye Mathisen wrote:
> > Just exactly what I said in the Subject. I want to filter on the ethernet MAC address.
>
> I guess the "ip" in "ipfw" just wasn't obvious enough that it is an IP firewall tool. You're one layer too low.

We already have filter rules to check if a packet would get bridged. And non-IP protocols like IPX get bridged depending on the default rule of ipfw. I don't think that ipfw stands for ip only anymore. But I'm not sure if we still have the MAC address at this layer. Unfortunately we can't use a fwd action for bridged packets ;( Anyone with a good idea how to get missing parameters in the bridge code for calling the firewall check code. Is it OK to just get empty structures? If I understood it right the bridge checks only at incoming time and normally fwd should be used for outgoing packets. Will this be any big problem?

--
B.Walter COSMO-Project http://www.cosmo-project.de
[EMAIL PROTECTED] Usergroup [EMAIL PROTECTED]

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: Anyway to ipfw filter based on MAC address?
On Mon, 28 Aug 2000, Jaye Mathisen wrote:
> I would love to be able to filter ipfw traffic based on more than just IP. Anybody done anything like this?

You may want to check out the Ethfw (Ethernet Firewall) patches for FreeBSD at: http://spe.kakito.com/

---
Mike Wade ([EMAIL PROTECTED])
Chief Technical Officer
CDC Internet, Inc.
Re: Anyway to ipfw filter based on MAC address?
What else do you want to filter by? Did you read man ipfw? It should tell you all about it. You can filter by uid, type of packets, source, origin, etc.

-Simon

On Mon, 28 Aug 2000 18:03:58 -0700 (PDT), Jaye Mathisen wrote:
> I would love to be able to filter ipfw traffic based on more than just IP. Anybody done anything like this?
Re: Anyway to ipfw filter based on MAC address?
Just exactly what I said in the Subject. I want to filter on the ethernet MAC address. My firewall works fine filtering on IP, now I want to make sure no new nodes come up. I guess I could play some games with arp, but just blocking MAC addresses would suffice.

On Mon, 28 Aug 2000, Simon wrote:
> What else do you want to filter by? Did you read man ipfw? It should tell you all about it. You can filter by uid, type of packets, source, origin, etc.
>
> -Simon
>
> On Mon, 28 Aug 2000 18:03:58 -0700 (PDT), Jaye Mathisen wrote:
> > I would love to be able to filter ipfw traffic based on more than just IP. Anybody done anything like this?
Re: Anyway to ipfw filter based on MAC address?
Also, being able to filter packets based on TTL and SYN Seq value would be useful in some cases too -- quite a few SYN flood programs had those values hard coded and script kids don't change them.

On Mon, 28 Aug 2000, Jaye Mathisen wrote:
> Just exactly what I said in the Subject. I want to filter on the ethernet MAC address. My firewall works fine filtering on IP, now I want to make sure no new nodes come up. I guess I could play some games with arp, but just blocking MAC addresses would suffice.
>
> On Mon, 28 Aug 2000, Simon wrote:
> > What else do you want to filter by? Did you read man ipfw? It should tell you all about it. You can filter by uid, type of packets, source, origin, etc.
> >
> > -Simon
> >
> > On Mon, 28 Aug 2000 18:03:58 -0700 (PDT), Jaye Mathisen wrote:
> > > I would love to be able to filter ipfw traffic based on more than just IP. Anybody done anything like this?
Re: Anyway to ipfw filter based on MAC address?
On Mon, Aug 28, 2000 at 06:03:58PM -0700, Jaye Mathisen wrote:
> I would love to be able to filter ipfw traffic based on more than just IP. Anybody done anything like this?

How about turning off arp on the network interface, (ifconfig), and using static arp?

--
Robert Sexton - [EMAIL PROTECTED], Cincinnati OH, USA
Put your Nose to the Grindstone! -- Amalgamated Plastic Surgeons and Toolmakers, Ltd.
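Added example, not part of the message above or of the thread: one way to prepare the static ARP table that suggestion relies on, by validating an allowlist of IP/MAC pairs and emitting it in the `hostname ether_addr` form that `arp -f` reads. The allowlist format, the function names, the interface `fxp0`, the file paths and the sample addresses are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread); names, paths and addresses are assumed.

# normalize_mac MAC: print MAC lower-cased with zero-padded octets;
# exit status 1 if it is not six hex octets separated by ':'.
normalize_mac() {
    printf '%s\n' "$1" | awk -F: '
        NF != 6 { exit 1 }
        {
            out = ""
            for (i = 1; i <= 6; i++) {
                o = tolower($i)
                if (o !~ /^[0-9a-f][0-9a-f]?$/) exit 1
                if (length(o) == 1) o = "0" o
                out = out (i > 1 ? ":" : "") o
            }
            print out
        }'
}

# build_static_arp: read "ip mac" lines on stdin and write "ip mac" lines in
# the form `arp -f` reads. Malformed MACs and repeated IPs are reported on
# stderr, skipped, and make the function return 1.
build_static_arp() {
    seen_ips="" rc=0
    while read -r ip mac rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        if ! norm=$(normalize_mac "$mac"); then
            echo "bad MAC for $ip: $mac" >&2; rc=1; continue
        fi
        case " $seen_ips " in
            *" $ip "*) echo "duplicate IP: $ip" >&2; rc=1; continue ;;
        esac
        seen_ips="$seen_ips $ip"
        printf '%s %s\n' "$ip" "$norm"
    done
    return "$rc"
}

# Constructed allowlist; octets may be written without zero padding.
SAMPLE_ALLOWLIST='# ip mac
10.0.0.2 0:a0:c9:12:34:56
10.0.0.3 00:A0:C9:AB:CD:EF'
printf '%s\n' "$SAMPLE_ALLOWLIST" | build_static_arp
# Applying it on the firewall (fxp0 and the path are assumptions):
#   build_static_arp < allowlist.txt > /etc/static-arp || exit 1
#   arp -f /etc/static-arp
#   ifconfig fxp0 -arp
```

With ARP disabled on the interface, the firewall only exchanges IP traffic with hosts that have a static entry, so a new node with an unlisted address gets no replies from it. A host that copies an allowed IP/MAC pair is not stopped by this.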
Re: Anyway to ipfw filter based on MAC address?
On Mon, Aug 28, 2000 at 07:02:03PM -0700, Jaye Mathisen wrote:
> Just exactly what I said in the Subject. I want to filter on the ethernet MAC address.

I guess the "ip" in "ipfw" just wasn't obvious enough that it is an IP firewall tool. You're one layer too low.

--
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
[EMAIL PROTECTED] / [EMAIL PROTECTED]
Re: Anyway to ipfw filter based on MAC address?
I can appreciate the sarcasm... However, given today's generally IP-only connected networks, ipfw does not seem to be a necessarily bad place to do this kind of filtering... I only mention it because dummynet could be useful bandwidth limiting to MAC addresses as well. And it never hurts to ask to see if somebody else has hacked it in, even if the command name isn't exactly descriptive...

On Mon, 28 Aug 2000, Bill Fumerola wrote:
> On Mon, Aug 28, 2000 at 07:02:03PM -0700, Jaye Mathisen wrote:
> > Just exactly what I said in the Subject. I want to filter on the ethernet MAC address.
>
> I guess the "ip" in "ipfw" just wasn't obvious enough that it is an IP firewall tool. You're one layer too low.
Re: Anyway to ipfw filter based on MAC address?
On Mon, 28 Aug 2000, Jaye Mathisen wrote:
> I would love to be able to filter ipfw traffic based on more than just IP. Anybody done anything like this?

The OpenBSD bridge filtering code can do this, allowing you to map MAC addresses to specific interfaces, and prevent spoofing, among other things.

There's been some talk of restructuring (possibly rewriting) the bridge/filtering code in FreeBSD, and Archie Cobbs has suggested that NetGraph would be a good way to do this. Arbitrary packet filtering would be fairly possible in such an environment, but we don't currently have an implementation that does that. Hopefully in a few months, we'll be able to claim otherwise. Sorry about that!

Robert N M Watson
[EMAIL PROTECTED] http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services