Re: how to filter network by MAC and IP at the same time

2012-06-09 Thread Bill Yuan
Thanks very much.
According to your description, I changed my firewall settings
(because I had already tried adding "via em0" or "via em1" and it was not working,
so I removed it; on my FreeBSD box the WAN is em0 and the LAN is em1)
and made it like this below:

and I still cannot download things through it, and I found this result:


It seems something is still not working properly; the traffic is being blocked for
some reason!





On Sat, Jun 9, 2012 at 5:12 PM, Christian Hiris <4...@chello.at> wrote:

> Hi Bill,
> AFAIK, in your case the packets are checked twice against the ipfw rules: once
> for the layer-2 filtering part and a second time for the IP filtering part.
>
> First, enable filtering on the Ethernet demux / Ethernet output frame path:
> # sysctl net.link.ether.ipfw=1
>
> Then start your fw-script:
>
> # -- snippet from fw-script -- #
>  iif="em0"
>  ip_client="192.168.123.45"
>  ether_client="88:99:aa:bb:cc:dd"
>  ether_broadcast="ff:ff:ff:ff:ff:ff"
>
>  ${fwcmd} add 10 pass MAC ${ether_broadcast} ${ether_client} via ${iif}
>  ${fwcmd} add 20 pass MAC any ${ether_client} via ${iif}
>  ${fwcmd} add 21 pass MAC ${ether_client} any via ${iif}
>  ${fwcmd} add 30 pass ip from ${ip_client} to any via ${iif}
>  ${fwcmd} add 31 pass ip from any to ${ip_client} via ${iif}
> # -- snippet from fw-script -- #
>
> This results in:
>
> # ipfw show
> 00010   128 allow ip from any to any MAC ff:ff:ff:ff:ff:ff \
>  88:99:aa:bb:cc:dd via em0
> 00020  74  9564 allow ip from any to any MAC any 88:99:aa:bb:cc:dd via em0
> 00021  87 85336 allow ip from any to any MAC 88:99:aa:bb:cc:dd any via em0
> 00030  74  9564 allow ip from 192.168.123.45 to any via em0
> 00031  86 85290 allow ip from any to 192.168.123.45 via em0
> 65535 487 35078 deny ip from any to any
>
> Most of this logic is described in the "PACKET FLOW" section of man
> ipfw.
>
> "Note that as packets flow through the stack, headers can be stripped or
> added to it, and so they may or may not be available for inspection.
> E.g., incoming packets will include the MAC header when ipfw is invoked
> from ether_demux(), but the same packets will have the MAC header
> stripped off when ipfw is invoked from ip_input() or ip6_input()."
>
> Cheers
> ch
>
>
> On Saturday 09 June 2012, Bill Yuan wrote:
> > Rules like below:
> >
> > # allow the traffic whose source MAC belongs to the machine
> > ipfw add 1 allow all from any to any MAC  any
> > # allow the traffic whose destination MAC is that machine
> > ipfw add 1 allow all from any to any MAC any 
> > ipfw add 1 deny all from any to any
> >
> >
> > It is not working; all the traffic is blocked by the deny!!! How come?
> >
> >
> >
> > On Sat, Jun 9, 2012 at 4:30 AM, Lowell Gilbert <
> >
> > freebsd-questions-lo...@be-well.ilk.org> wrote:
> > > Bill Yuan  writes:
> > > > I am using FreeBSD 9.0 as a firewall and I want to filter the traffic
> > > > by the MAC and the IP at the same time.
> > > >
> > > > For example, I only allow my laptop  to go through the
> > > > firewall when it's using IP 
> > > >
> > > > How do I configure the firewall rules?
> > > >
> > > >
> > > > I tried to configure the firewall with the rules below, but it doesn't
> > > > work.
> > > >
> > > >  ipfw add  1 allow all from  to any MAC 
> > > >  any ipfw add  1 allow all from any to   MAC any  > > >  Address
> > >
> > > 1>
> > >
> > > Well, for one thing if I understand your intent, you have the MAC
> > > addresses in the wrong order. Unless your firewall is acting as a
> > > bridge, you also need to keep in mind that the MAC addresses are
> changed
> > > when passing through, so those rules will only work on one side (i.e.,
> > > you'll need "in via" type rules).
> > >
> > > > But it doesn't work. I also found the explanation on Google; someone
> > > > already asked this question before.
> > >
> > > I don't understand. Was there a suggested approach or not?
> > >
> > > > But I did not find the solution for this requirement. Can someone tell me
> > > > how? Thanks in advance.
> > >
> > > I can't guarantee this will work, and I don't have any way to test it,
> > > but my above comments would suggest something more like:
> > > >  ipfw add  1 allow all from  to any MAC any  Address
> > >
> > > in via $iif
> > >
> > > >  ipfw add  1 allow all from any to   MAC  1>
> > >
> > > any out via $oif
> > >
> > > Good luck.
> >
> > ___
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscr...@freebsd.org"
>


Re: how to filter network by MAC and IP at the same time

2012-06-09 Thread Christian Hiris
Hi Bill,
AFAIK, in your case the packets are checked twice against the ipfw rules: once
for the layer-2 filtering part and a second time for the IP filtering part.

First, enable filtering on the Ethernet demux / Ethernet output frame path:
# sysctl net.link.ether.ipfw=1

Then start your fw-script:

# -- snippet from fw-script -- #
  iif="em0"
  ip_client="192.168.123.45"
  ether_client="88:99:aa:bb:cc:dd"
  ether_broadcast="ff:ff:ff:ff:ff:ff"

  ${fwcmd} add 10 pass MAC ${ether_broadcast} ${ether_client} via ${iif}
  ${fwcmd} add 20 pass MAC any ${ether_client} via ${iif}
  ${fwcmd} add 21 pass MAC ${ether_client} any via ${iif}
  ${fwcmd} add 30 pass ip from ${ip_client} to any via ${iif}
  ${fwcmd} add 31 pass ip from any to ${ip_client} via ${iif}
# -- snippet from fw-script -- #

This results in:

# ipfw show
00010   128 allow ip from any to any MAC ff:ff:ff:ff:ff:ff \
 88:99:aa:bb:cc:dd via em0
00020  74  9564 allow ip from any to any MAC any 88:99:aa:bb:cc:dd via em0
00021  87 85336 allow ip from any to any MAC 88:99:aa:bb:cc:dd any via em0
00030  74  9564 allow ip from 192.168.123.45 to any via em0
00031  86 85290 allow ip from any to 192.168.123.45 via em0
65535 487 35078 deny ip from any to any

Most of this logic is described in the "PACKET FLOW" section of man
ipfw.

"Note that as packets flow through the stack, headers can be stripped or
 added to it, and so they may or may not be available for inspection.
 E.g., incoming packets will include the MAC header when ipfw is invoked
 from ether_demux(), but the same packets will have the MAC header
 stripped off when ipfw is invoked from ip_input() or ip6_input()."

Cheers
ch 


On Saturday 09 June 2012, Bill Yuan wrote:
> Rules like below:
> 
> # allow the traffic whose source MAC belongs to the machine
> ipfw add 1 allow all from any to any MAC  any
> # allow the traffic whose destination MAC is that machine
> ipfw add 1 allow all from any to any MAC any 
> ipfw add 1 deny all from any to any
> 
> 
> It is not working; all the traffic is blocked by the deny!!! How come?
> 
> 
> 
> On Sat, Jun 9, 2012 at 4:30 AM, Lowell Gilbert <
> 
> freebsd-questions-lo...@be-well.ilk.org> wrote:
> > Bill Yuan  writes:
> > > I am using FreeBSD 9.0 as a firewall and I want to filter the traffic
> > > by the MAC and the IP at the same time.
> > > 
> > > For example, I only allow my laptop  to go through the
> > > firewall when it's using IP 
> > > 
> > > How do I configure the firewall rules?
> > > 
> > > 
> > > I tried to configure the firewall with the rules below, but it doesn't
> > > work.
> > > 
> > >  ipfw add  1 allow all from  to any MAC 
> > >  any ipfw add  1 allow all from any to   MAC any  > >  Address
> > 
> > 1>
> > 
> > Well, for one thing if I understand your intent, you have the MAC
> > addresses in the wrong order. Unless your firewall is acting as a
> > bridge, you also need to keep in mind that the MAC addresses are changed
> > when passing through, so those rules will only work on one side (i.e.,
> > you'll need "in via" type rules).
> > 
> > > But it doesn't work. I also found the explanation on Google; someone
> > > already asked this question before.
> > 
> > I don't understand. Was there a suggested approach or not?
> > 
> > > But I did not find the solution for this requirement. Can someone tell me
> > > how? Thanks in advance.
> > 
> > I can't guarantee this will work, and I don't have any way to test it,
> > but my above comments would suggest something more like:
> > >  ipfw add  1 allow all from  to any MAC any  > 
> > in via $iif
> > 
> > >  ipfw add  1 allow all from any to   MAC 
> > 
> > any out via $oif
> > 
> > Good luck.
> 
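Christian's explanation above (two passes through the rule set, with the MAC header only visible in the first), together with Lowell's point that MAC rules have to be tied to the interface the frame arrives on, can be checked with a small model. The Python below is an added example, not code from the thread or from FreeBSD: it models only the rule options the thread uses plus ipfw's `layer2` option, reuses the sample MAC, IP and interface from Christian's reply, and constructs the other addresses and frames. The "tightened" rule set (rules 25 and 26) is a hypothetical addition of mine, not something the thread proposes.

```python
"""Toy model of ipfw's two-pass evaluation with net.link.ether.ipfw=1.

Added example, not code from the thread or from FreeBSD. It models only
allow/deny, "MAC dst src", "ip from/to", "via iface" and ipfw's "layer2"
option, plus the ipfw(8) PACKET FLOW fact quoted above: the MAC header is
visible from ether_demux() and already stripped when ipfw runs from ip_input().
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Frame:
    iface: str
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None   # None for non-IP frames such as ARP
    dst_ip: Optional[str] = None


@dataclass
class Rule:
    number: int
    action: str                    # "allow" or "deny"
    mac_dst: Optional[str] = None  # ipfw syntax is "MAC dst-mac src-mac"
    mac_src: str = "any"
    ip_from: str = "any"
    ip_to: str = "any"
    via: str = "any"
    layer2: bool = False           # match only in the ether_demux() pass


def _match(pattern: str, value: Optional[str]) -> bool:
    return pattern == "any" or pattern == value


def rule_matches(rule: Rule, f: Frame, mac_hdr: bool) -> bool:
    if rule.layer2 and not mac_hdr:
        return False
    if rule.mac_dst is not None:
        # A MAC option cannot match once the MAC header has been stripped.
        if not mac_hdr:
            return False
        if not (_match(rule.mac_dst, f.dst_mac) and _match(rule.mac_src, f.src_mac)):
            return False
    return (_match(rule.via, f.iface)
            and _match(rule.ip_from, f.src_ip)
            and _match(rule.ip_to, f.dst_ip))


def one_pass(rules: List[Rule], f: Frame, mac_hdr: bool) -> Tuple[str, int]:
    """First matching rule wins; 65535 is the implicit default deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if rule_matches(r, f, mac_hdr):
            return r.action, r.number
    return "deny", 65535


def verdict(rules: List[Rule], f: Frame, ether_ipfw: bool = True) -> Tuple[str, List[int]]:
    """Final action plus the rule number that decided each pass."""
    decided = []
    if ether_ipfw:                         # pass 1: ether_demux(), MAC header present
        action, n = one_pass(rules, f, True)
        decided.append(n)
        if action == "deny":
            return "deny", decided
    if f.src_ip is None:                   # non-IP frames never reach ip_input()
        return "allow", decided
    action, n = one_pass(rules, f, False)  # pass 2: ip_input(), MAC header gone
    decided.append(n)
    return action, decided


# Sample values from Christian's reply; the OTHER_*/GW_MAC/REMOTE_IP values are constructed.
CLIENT_MAC, CLIENT_IP, IIF = "88:99:aa:bb:cc:dd", "192.168.123.45", "em0"
OTHER_MAC, OTHER_IP = "00:11:22:33:44:55", "192.168.123.99"
GW_MAC, REMOTE_IP = "aa:bb:cc:00:00:01", "203.0.113.10"

# Bill's first attempt: two MAC allows followed by an unconditional deny.
BILL_RULES = [
    Rule(1, "allow", mac_dst=CLIENT_MAC, mac_src="any"),
    Rule(2, "allow", mac_dst="any", mac_src=CLIENT_MAC),
    Rule(3, "deny"),
]

# Christian's rule set, numbered as in his "ipfw show" output.
HIRIS_RULES = [
    Rule(10, "allow", mac_dst="ff:ff:ff:ff:ff:ff", mac_src=CLIENT_MAC, via=IIF),
    Rule(20, "allow", mac_dst="any", mac_src=CLIENT_MAC, via=IIF),
    Rule(21, "allow", mac_dst=CLIENT_MAC, mac_src="any", via=IIF),
    Rule(30, "allow", ip_from=CLIENT_IP, via=IIF),
    Rule(31, "allow", ip_to=CLIENT_IP, via=IIF),
]

# Hypothetical tightening (not from the thread): at layer 2 the client's IP
# may only appear in frames that already passed the MAC checks above.
TIGHTENED_RULES = HIRIS_RULES + [
    Rule(25, "deny", ip_from=CLIENT_IP, via=IIF, layer2=True),
    Rule(26, "deny", ip_to=CLIENT_IP, via=IIF, layer2=True),
]

# Constructed frames arriving on em0.
LEGIT = Frame(IIF, CLIENT_MAC, GW_MAC, CLIENT_IP, REMOTE_IP)
WRONG_IP = Frame(IIF, CLIENT_MAC, GW_MAC, OTHER_IP, REMOTE_IP)   # client's MAC, other IP
WRONG_MAC = Frame(IIF, OTHER_MAC, GW_MAC, CLIENT_IP, REMOTE_IP)  # other MAC, client's IP
ARP_FROM_CLIENT = Frame(IIF, CLIENT_MAC, "ff:ff:ff:ff:ff:ff")

if __name__ == "__main__":
    for name, rules in (("bill", BILL_RULES), ("hiris", HIRIS_RULES), ("tightened", TIGHTENED_RULES)):
        for fname, f in (("legit", LEGIT), ("wrong_ip", WRONG_IP),
                         ("wrong_mac", WRONG_MAC), ("arp", ARP_FROM_CLIENT)):
            print(f"{name:9} {fname:9} -> {verdict(rules, f)}")
```

Running it reproduces what the thread reports: with Bill's rules the client's own traffic is allowed in the first pass and then hits the deny in the second pass, where no MAC header exists for the MAC rules to match (and with `net.link.ether.ipfw=0` there is only the second pass, so nothing ever matches the MAC rules). Christian's rules pass the client in both passes and reject a frame that carries the client's MAC with a different IP. One caveat the model makes visible: rule 30 has no MAC part and matches in both passes, so a frame with the client's IP from a different MAC is also accepted; the hypothetical rules 25 and 26 close that by denying the client IP in the layer-2 pass unless an earlier MAC rule has already accepted the frame. Check the `layer2` semantics against ipfw(8) on your own release before relying on that variant.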


Re: how to filter network by MAC and IP at the same time

2012-06-08 Thread Bill Yuan
Rules like below:

# allow the traffic whose source MAC belongs to the machine
ipfw add 1 allow all from any to any MAC  any
# allow the traffic whose destination MAC is that machine
ipfw add 1 allow all from any to any MAC any 
ipfw add 1 deny all from any to any


It is not working; all the traffic is blocked by the deny!!! How come?



On Sat, Jun 9, 2012 at 4:30 AM, Lowell Gilbert <
freebsd-questions-lo...@be-well.ilk.org> wrote:

> Bill Yuan  writes:
>
> > I am using FreeBSD 9.0 as a firewall and I want to filter the traffic by
> > the MAC and the IP at the same time.
> >
> > For example, I only allow my laptop  to go through the
> > firewall when it's using IP 
> >
> > How do I configure the firewall rules?
> >
> >
> > I tried to configure the firewall with the rules below, but it doesn't work.
> >
> >  ipfw add  1 allow all from  to any MAC  any
> >  ipfw add  1 allow all from any to   MAC any  1>
>
> Well, for one thing if I understand your intent, you have the MAC
> addresses in the wrong order. Unless your firewall is acting as a
> bridge, you also need to keep in mind that the MAC addresses are changed
> when passing through, so those rules will only work on one side (i.e.,
> you'll need "in via" type rules).
>
> > But it doesn't work. I also found the explanation on Google; someone already
> > asked this question before.
>
> I don't understand. Was there a suggested approach or not?
>
> > But I did not find the solution for this requirement. Can someone tell me
> > how? Thanks in advance.
>
> I can't guarantee this will work, and I don't have any way to test it,
> but my above comments would suggest something more like:
>
> >  ipfw add  1 allow all from  to any MAC any  in via $iif
>
> >  ipfw add  1 allow all from any to   MAC 
> any out via $oif
>
> Good luck.
>


Re: how to filter network by MAC and IP at the same time

2012-06-08 Thread Lowell Gilbert
Bill Yuan  writes:

> I am using FreeBSD 9.0 as a firewall and I want to filter the traffic by
> the MAC and the IP at the same time.
>
> For example, I only allow my laptop  to go through the
> firewall when it's using IP 
>
> How do I configure the firewall rules?
>
>
> I tried to configure the firewall with the rules below, but it doesn't work.
>
>  ipfw add  1 allow all from  to any MAC  any
>  ipfw add  1 allow all from any to   MAC any 

Well, for one thing if I understand your intent, you have the MAC
addresses in the wrong order. Unless your firewall is acting as a
bridge, you also need to keep in mind that the MAC addresses are changed
when passing through, so those rules will only work on one side (i.e.,
you'll need "in via" type rules).

> But it doesn't work. I also found the explanation on Google; someone already
> asked this question before.

I don't understand. Was there a suggested approach or not?

> But I did not find the solution for this requirement. Can someone tell me
> how? Thanks in advance.

I can't guarantee this will work, and I don't have any way to test it,
but my above comments would suggest something more like:

>  ipfw add  1 allow all from  to any MAC any  $iif

>  ipfw add  1 allow all from any to   MAC  any 
> out via $oif

Good luck.


how to filter network by MAC and IP at the same time

2012-06-07 Thread Bill Yuan
Hi all,

I am using FreeBSD 9.0 as a firewall and I want to filter the traffic by
the MAC and the IP at the same time.

For example, I only allow my laptop  to go through the
firewall when it's using IP 

How do I configure the firewall rules?


I tried to configure the firewall with the rules below, but it doesn't work:

 ipfw add  1 allow all from  to any MAC  any
 ipfw add  1 allow all from any to   MAC any 

But it doesn't work. I also found the explanation on Google; someone already
asked this question before.

But I did not find the solution for this requirement. Can someone tell me
how? Thanks in advance.


Best Regards,
BYCN82