How to ban a MAC address

How do I ban the MAC address of a local-network computer using IPFW on a NAT server? I can easily do this using iptables on Debian, but I can't do it here.
 
mac dst-mac src-mac
if you want to filter the outgoing packets
Thanks. Like this in my case? nano /etc/rules
Code:
# Local
${fwcmd} add allow all from any to any via lo0
${fwcmd} add deny ip from any to any MAC any 00:1E:8C:16:18:2B in recv igb3
${fwcmd} add deny all from any to 127.0.0.0/8
${fwcmd} add deny all from 127.0.0.0/8 to any
 
Code:
ipfw -a show
00100        8         792 allow ip from any to any via lo0
00200        0           0 deny ip from any to any MAC any 00:1e:8c:16:18:2b in recv igb3
00300        0           0 deny ip from any to 127.0.0.0/8
00400        0           0 deny ip from 127.0.0.0/8 to any
00500  2965670   571713649 nat 1 ip from table(0) to any out via igb2
00600  5005797  6034780188 nat 1 ip from any to any in via igb2
00700 16000900 13216854394 allow ip from any to any
00800        0           0 allow tcp from any to any 80
65535    89619    11647664 deny ip from any to any
 
The counter doesn't show any matching packets. Do you have access to that machine with mac 00:1e:8c:16:18:2b to test it?
 
You also need to set net.link.ether.ipfw.

 

Yes, and that thread is helpful for handling layer 2 traffic, noting the need to allow ARP, etc.

I would also suggest reading the section PACKET FLOW in ipfw(8) about a dozen times ;)

I found particularly helpful the diagram and those 4 rules to separate layer 2 from layer 3 passes. If in doubt, add 'log' to many rules while debugging.
 
The counter doesn't show any matching packets. Do you have access to that machine with mac 00:1e:8c:16:18:2b to test it?
Yes, I see this computer using nmap -Pn 10.44.1.178. But tcpdump does not show packets from this address. However, this user with this MAC manually changes his static IP every day, and banning a new IP every day is unreasonable. Why would he do this if he doesn't use the Internet? Or maybe he is using a tunneling program?
 
Let's take a computer that actually uses the Internet:
Code:
tcpdump -i igb3 | grep 10.44.1.17
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb3, link-type EN10MB (Ethernet), capture size 262144 bytes
08:39:14.262269 IP 10.44.1.17.54939 > 211.184.25.143.32771: UDP, length 103


We find the MAC for this address:
Code:
nmap -Pn 10.44.1.17
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-14 08:37 EEST
Nmap scan report for 10.44.1.17
Host is up (0.00023s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE SERVICE
1042/tcp open  afrog
1043/tcp open  boinc
5357/tcp open  wsdapi
MAC Address: FC:34:97:BD:16:D9 (ASUSTek Computer)

We add the rule:
Code:
${fwcmd} add deny ip from any to any MAC any FC:34:97:BD:16:D9 in recv igb3

ipfw -a show
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to any MAC any fc:34:97:bd:16:d9 in recv igb3
00300 0 0 deny ip from any to 127.0.0.0/8
00400 0 0 deny ip from 127.0.0.0/8 to any
00500 6165 844654 nat 1 ip from table(0) to any out via igb2
00600 15486 18488212 nat 1 ip from any to any in via igb2
00700 43735 38692997 allow ip from any to any
00800 0 0 allow tcp from any to any 80
65535 0 0 deny ip from any to any

Et voila:
The rules do not work!
Code:
tcpdump -i igb3 | grep 10.44.1.17
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb3, link-type EN10MB (Ethernet), capture size 262144 bytes
08:46:30.726162 IP cc86365-05.cc.colocall.com.https > 10.44.1.17.51794: Flags [.], ack 3031076955, win 76, length 0
08:46:30.726265 IP 10.44.1.17.51794 > cc86365-05.cc.colocall.com.https: Flags [.], ack 1, win 4106, length 0


For a long time, I couldn't find anyone anywhere on the Internet who could really ban a MAC using IPFW. I'll probably have to install a computer with iptables in front of the server with IPFW and ban the MAC there.
 
We add the rule:
${fwcmd} add deny ip from any to any MAC any FC:34:97:BD:16:D9 in recv igb3

[ aside: how do we turn off this STUPID assumption that colon
D or colon ) etc become infantile emojis! ]

ipfw -a show
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to any MAC any fc:34:97:bd:16:d9 in recv igb3

Et voila:
The rules do not work!

For a long time, I couldn't find anyone anywhere on the Internet who could really ban a MAC using IPFW. I'll probably have to install a computer with iptables in front of the server with IPFW and ban the MAC there.

You're just missing something. I haven't done this since c. 2003 on a filtering bridge, so I'm not sure I remember everything, which is why I suggested learning the PACKET FLOW section really thoroughly.

What values do these sysctls have?
net.inet.ip.fw.one_pass
net.link.ether.ipfw

Before your current rule 200:

ipfw add count log all from any to any layer2 in
ipfw add count log all from any to any layer2 out

Which will log each packet in and out via ether_demux and ether_output_frame, to /var/log/security
 
[ aside: how do we turn off this STUPID assumption that colon
D or colon ) etc become infantile emojis! ]
Put it in a [code]...[/code] block, or [icode]...[/icode] for inline code. Besides using a monospaced font it also prevents the forum software from automagically converting emojis, urls, email addresses, etc.
 
sysctl net.link.ether.ipfw
net.link.ether.ipfw: 0

There is a ping to the host. It is in the ARP table.
I'm filtering MACs in emergency cases through a computer running Arch Linux with iptables, which I place in front of the FreeBSD server. But this is inconvenient: I need to reconfigure the gateway IP, etc., and the network is slower.
 
You need to enable the L2 filtering. Set net.link.ether.ipfw to 1
sysctl net.link.ether.ipfw=1
To make it permanent across reboots add it into /etc/sysctl.conf
 
You need to enable the L2 filtering. Set net.link.ether.ipfw to 1
sysctl net.link.ether.ipfw=1
To make it permanent across reboots add it into /etc/sysctl.conf
Thank you. This is all theory. In practice this doesn't work. I did this about 3 years ago. Someone recommended it on the forum. After that, absolutely all traffic via NAT stopped. That's why I commented it out:

Code:
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=100
net.inet.ip.fw.one_pass=0


#net.link.ether.ipfw=1

For this rule to work correctly, it was recommended to rebuild the kernel and change the IPFW policy to allow everyone everything (the default is to deny everyone everything). But I thought it would be easier to install Arch with iptables. By the way, in iptables I can easily change the policy, but in IPFW I need to rebuild the kernel, and there is no confidence that it will work after that.
 
tcpdump -i igb3 | grep 10.44.1.17
You know you can add a filter to tcpdump(1)? tcpdump -ni igb3 host 10.44.1.17

In this case you probably want to capture traffic from a specific MAC address: tcpdump -eni igb3 ether host 11:22:33:44:55:66 You'll want to add -e here too, so the output actually shows the MAC addresses of the packets.
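To see which hardware address is behind a host that keeps changing its IP, the -e output can be post-processed. The following is an added example, not part of the thread or of any poster's setup: it parses tcpdump -eni output with awk, pairs each IPv4 source address with the MAC that sent it, and lists MACs that have been seen with more than one IP. The capture lines are constructed for the demonstration, reusing the two MACs mentioned in this thread and a made-up gateway MAC (02:00:00:00:00:01).

```shell
#!/bin/sh
# Added example, not code from the thread: tie IPv4 addresses to the MAC that sent them
# by parsing "tcpdump -eni <if>" output, so a host that moves its static IP every day
# can be identified (and then banned) by hardware address.
# The capture below is constructed for illustration; the gateway MAC 02:00:00:00:00:01 is made up.

SAMPLE_CAPTURE='08:46:30.726265 fc:34:97:bd:16:d9 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 54: 10.44.1.17.51794 > 185.65.135.5.443: Flags [.], ack 1, win 4106, length 0
08:46:31.102331 fc:34:97:bd:16:d9 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 98: 10.44.1.17 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
08:46:32.004108 00:0f:ea:91:04:08 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 131: 10.44.1.178.54939 > 211.184.25.143.32771: UDP, length 103
08:46:33.515000 00:0f:ea:91:04:08 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 10.44.1.201.50001 > 1.1.1.1.53: UDP, length 32
08:46:34.000000 00:0f:ea:91:04:08 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.44.1.1 tell 10.44.1.201, length 28'

# Reads tcpdump -e lines on stdin; prints "src-mac src-ip count", one line per pair, sorted.
# Only IPv4 frames are used; ARP and other ethertypes are skipped.
mac_ip_pairs() {
    awk '
    # -e layout: <time> <src-mac> > <dst-mac>, ethertype IPv4 (0x0800), length N: <src-ip>[.<port>] > ...
    $3 == ">" && /ethertype IPv4/ {
        src = ""
        for (i = 4; i <= NF; i++) if ($i == "length") { src = $(i + 2); break }
        if (src == "") next
        # TCP/UDP sources carry a fifth dotted component (the port); ICMP does not. Strip it.
        n = split(src, p, ".")
        if (n == 5) src = p[1] "." p[2] "." p[3] "." p[4]
        pairs[$2 " " src]++
    }
    END { for (k in pairs) print k, pairs[k] }' | sort
}

# MACs seen with more than one source IP: the "changes the IP every day" case from the thread.
ip_hoppers() {
    mac_ip_pairs | awk '{ n[$1]++ } END { for (m in n) if (n[m] > 1) print m }' | sort
}

# Live use, after sourcing this file:  tcpdump -eni igb3 -c 1000 2>/dev/null | mac_ip_pairs
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_CAPTURE" | mac_ip_pairs
printf '%s\n' "$SAMPLE_CAPTURE" | ip_hoppers
```

On the sample, mac_ip_pairs reports 10.44.1.17 twice from fc:34:97:bd:16:d9 and two different addresses from 00:0f:ea:91:04:08, and ip_hoppers flags only the latter; the ARP frame is ignored. Run it against a real capture from the LAN interface to get the MAC to put into the ipfw rule, instead of chasing the day's IP.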
 
Thank you. This is all theory. In practice this doesn't work. I did this about 3 years ago. Someone recommended it on the forum. After that, absolutely all traffic via NAT stopped. That's why I commented it out:
It's not theory. I've just tested it in my network and it's working as expected.

For this rule to work correctly, it was recommended to rebuild the kernel and change the IPFW policy to allow everyone everything (the default is to deny everyone everything). But I thought it would be easier to install Arch with iptables. By the way, in iptables I can easily change the policy, but in IPFW I need to rebuild the kernel, and there is no confidence that it will work after that.

The default policy of IPFW can be controlled via net.inet.ip.fw.default_to_accept in loader.conf; it's all described in ipfw(8) under the "LOADER TUNABLES" section. It actually controls the last matching rule (65535) in the set.

You should use the firewall which you know. If your knowledge of iptables is better than of IPFW, then use iptables. The end result is more important.

Even if you block the MAC address on the router, you should know that the user can still change the MAC address. For example, mobile phones can generate and change their MAC address on every connect, and it's on by default. Restricting the user's access to the network must be done on the first device (the access switch) and should be implemented via 802.1X authorization or a static MAC-address-to-port assignment.
 
I did all this. It doesn't work without rebuilding the kernel. If you really want to help me, please provide real working rules and not links to man pages.
 
The IPFW rules that you have are OK; you need to enable L2 filtering so that IPFW can block the MAC address that you have in rule 200.
Without net.link.ether.ipfw=1, IPFW will not filter on the MAC address. That's why you don't see any matching packets on that rule when you list it with the ipfw -a list command.
 
The IPFW rules that you have are OK; you need to enable L2 filtering so that IPFW can block the MAC address that you have in rule 200.
Without net.link.ether.ipfw=1, IPFW will not filter on the MAC address. That's why you don't see any matching packets on that rule when you list it with the ipfw -a list command.
Once again, if you enable net.link.ether.ipfw=1, all traffic via NAT stops. Try this on your server with NAT and I think all clients on your local network will not like it. And if you did this remotely via ssh, and the server is located far from you, you will get a big problem. The server was no longer visible via ssh, but it is located three meters from my computer, so it's no big deal.
 
ipfw -q -f flush
ipfw nat 1 config if igb2
ipfw add 100 allow ip from any to any layer2 mac-type 0x0806
ipfw add 200 deny ip from any to any MAC any fc:34:97:bd:16:d9
ipfw add 300 nat 1 ip4 from any to me in via igb2
ipfw add 400 nat 1 ip4 from 10.44.1.0/24 to any out via igb2
ipfw add 500 allow ip from any to any
 
I did all this. It doesn't work without rebuilding the kernel. If you really want to help me, please provide real working rules and not links to man pages.

That's just nonsense about needing to rebuild kernel for ipfw, demonstrating that there's lots of misinformation out there.

Refer to /etc/rc.firewall 'open' ruleset if you want to override rule 65535, or the loader.conf tunable VladiBG pointed out.
 
Once again, if you enable net.link.ether.ipfw=1, all traffic via NAT stops. Try this on your server with NAT and I think all clients on your local network will not like it.

If you haven't allowed ARP traffic at layer2, all IP traffic stops. Not just NAT.

From SirDice' post #7 above, see:

https://forums.freebsd.org/threads/filtering-by-mac-address.32841/

especially phoenix in post #2 (also #10)

# First, you need to allow ARP traffic
$IPFW add 4 allow ip from any to any layer2 mac-type arp

VladiBG said exactly the same in a different way:
ipfw add 100 allow ip from any to any layer2 mac-type 0x0806

I mentioned it in passing in post #8 but should have been more explicit: when filtering at layer2 (ethernet frames), it is essential to always pass all ARP traffic, or layer3 (IP) traffic cannot work - as you've discovered.

I again strongly suggest splitting layer2 and layer3 traffic into separate, distinct blocks so it's clear which is which, as per the fine example in PACKET FLOW.

Once you've done your layer2 filtering, then allow all traffic.

Then the IP packets within the Ethernet frames will reenter the firewall rules from the top, for layer3 business (including NAT)
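Pulling the advice in this thread together into one loadable ruleset, as an added example that is not code from any of the posters: it uses the interface names, subnet and MAC that appear above, the four skipto rules from the PACKET FLOW section of ipfw(8) to keep the layer-2 and layer-3 passes apart, allows ARP before anything else at layer 2, and keeps the NAT rules in the layer-3 blocks. The FWCMD variable, the rule numbers and the load/dry-run arguments are my own conventions, not anything from the thread. Load it from the console rather than over ssh: a mistake in the layer-2 block cuts off all IP traffic, exactly as described above.

```shell
#!/bin/sh
# Added example, not code from the thread: a complete IPFW ruleset for the setup
# discussed above (igb3 = LAN, igb2 = WAN, LAN 10.44.1.0/24, one banned MAC), built
# around the four PACKET FLOW rules from ipfw(8) so layer-2 and layer-3 passes never mix.
# Banning by MAC only works with net.link.ether.ipfw=1, and the layer-2 block must let
# ARP through, otherwise no IP traffic (NAT included) works on the LAN.
# Run without arguments for a dry run that prints the rules; "load" applies them.

FWCMD="${FWCMD:-ipfw}"                 # set FWCMD=echo to print instead of load
LAN_IF="${LAN_IF:-igb3}"               # interface the banned host is attached to
WAN_IF="${WAN_IF:-igb2}"               # NAT / Internet side
LAN_NET="${LAN_NET:-10.44.1.0/24}"
BANNED_MACS="${BANNED_MACS:-fc:34:97:bd:16:d9}"   # space-separated source MACs to drop

# Without this sysctl, frames never reach ipfw at layer 2 and MAC rules show 0 matches.
enable_l2() {
    sysctl net.link.ether.ipfw=1
}

load_rules() {
    fw="$FWCMD"
    $fw -q -f flush
    $fw -q nat 1 config if "$WAN_IF"

    # PACKET FLOW split (ipfw(8)): a packet visits the firewall once per hook,
    # so send each hook to its own block instead of running one flat list.
    $fw add 10 skipto 1000 all from any to any layer2 in        # from ether_demux
    $fw add 10 skipto 2000 all from any to any not layer2 in    # from ip_input
    $fw add 10 skipto 3000 all from any to any not layer2 out   # from ip_output
    $fw add 10 skipto 4000 all from any to any layer2 out       # from ether_output_frame

    # 1000: inbound Ethernet frames. MAC addresses are only visible in this pass.
    $fw add 1000 allow all from any to any layer2 mac-type arp  # ARP first, always
    for mac in $BANNED_MACS; do
        # MAC <dst> <src>: drop frames *sent by* the banned host on the LAN port
        $fw add 1010 deny log all from any to any MAC any "$mac" layer2 in recv "$LAN_IF"
    done
    $fw add 1999 allow all from any to any layer2 in

    # 2000: inbound IP (layer 3). The loopback and inbound NAT rules from the thread live here.
    $fw add 2000 allow ip from any to any via lo0
    $fw add 2010 deny ip from any to 127.0.0.0/8
    $fw add 2020 deny ip from 127.0.0.0/8 to any
    $fw add 2030 nat 1 ip4 from any to any in via "$WAN_IF"
    $fw add 2999 allow ip from any to any

    # 3000: outbound IP (layer 3): NAT the LAN on its way out.
    $fw add 3000 nat 1 ip4 from "$LAN_NET" to any out via "$WAN_IF"
    $fw add 3999 allow ip from any to any

    # 4000: outbound Ethernet frames: nothing to filter.
    $fw add 4999 allow all from any to any layer2 out
}

case "${1:-dry-run}" in
    load)     enable_l2 && load_rules ;;
    dry-run)  FWCMD=echo load_rules ;;   # print the rules without touching the firewall
esac
```

After loading, the counters in ipfw -a show tell you whether the layer-2 path works at all: rule 1000 should move as soon as any LAN host sends an ARP request, and rule 1010 as soon as the banned host sends anything, with the logged frames in /var/log/security. If 1000 stays at zero, net.link.ether.ipfw is still 0.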
 
Thanks. About three years ago I enabled layer 2. It did not help. And changing the policy: my script for the table of allowed IP addresses on the local network will not work (with the deny-everything policy, I only allow addresses from the table I created). Therefore, since this situation occurs approximately once a year, it is easier to put a computer with ArchLinux's iptables in front and just type in the command line, without changing anything in the configs or writing anything anywhere, if this ban is needed only for this session (until system reboot). Changes are made on the fly. In addition, on the Arch box I have the same allowed IP addresses, and they can be added there very simply from the command line. The only downside is that it's a rolling release.
Code:
# INPUT only covers traffic addressed to this box itself; traffic routed through it
# is matched in the FORWARD chain, so add the same rule there for a gateway.
iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
 