How will my script work if it works with a policy of denying everything, but here you need to allow everything? By the way about three years ago I launched Layer 2. Did not helpCan't say we didn't try.
You know you can add a filter to tcpdump(1)?tcpdump -ni igb3 host 10.44.1.17
In this case you probably want to capture traffic from a specific MAC address;tcpdump -eni igb3 ether 11:22:33:44:55:66
You'll want to add-e
here too, so the output actually shows the MAC addresses of the packets.
tcpdump -eni igb3 ether 00:1E:8C:16:18:2B
tcpdump: can't parse filter expression: syntax error
#!/bin/sh -
fwcmd="/sbin/ipfw"
${fwcmd} -f flush
${fwcmd} table all flush
${fwcmd} nat 1 delete
# NETWORK CONNECTIONS
if_inet="igb2"
if_lan="igb3"
# Local
${fwcmd} add allow all from any to any via lo0
#${fwcmd} add deny ip from any to any MAC any FC:34:97:BD:16:D9 in recv igb3
${fwcmd} add deny all from any to 127.0.0.0/8
${fwcmd} add deny all from 127.0.0.0/8 to any
# NAT
${fwcmd} nat 1 config if ${if_inet} same_ports reset log
${fwcmd} add nat 1 ip from "table(0)" to any out via ${if_inet}
${fwcmd} add nat 1 ip from any to any in via ${if_inet}
# TABLE (0):
${fwcmd} add allow ip from any to any
${fwcmd} table 0 add 10.44.1.1
---- etc all allowed ip
-----
${fwcmd} add allow tcp from any to any 80
#MAC
${fwcmd} add allow ip from any to any layer2 mac-type 0x0806
${fwcmd} add deny ip from any to any MAC any fc:34:97:bd:16:d9
sysctl net.link.ether.ipfw=1
I add
and afterCode:#MAC ${fwcmd} add allow ip from any to any layer2 mac-type 0x0806 ${fwcmd} add deny ip from any to any MAC any fc:34:97:bd:16:d9
all trafic stopCode:sysctl net.link.ether.ipfw=1
ipfw add 500 allow ip from any to any
add allow ip from any to any layer2
ipfw -q -f flush
ipfw nat 1 config if igb2
ipfw add 100 allow ip from any to any layer2 mac-type 0x0806
ipfw add 200 deny ip from any to any MAC any fc:34:97:bd:16:d9
ipfw add 300 nat 1 ip4 from any to me in via igb2
ipfw add 400 nat 1 ip4 from 10.44.1.0/24 to any out via igb2
ipfw add 500 allow ip from any to any
# TABLE (0):
${fwcmd} add allow ip from any to any
${fwcmd} table 0 add 10.44.1.1
ipfw add 400 nat 1 ip4 from 10.44.1.0/24 to any out via igb2
[slightly off-topic]You write that I don’t believe you. But this is not a religion to believe. I check and if it works, I say thank you. But for now, unfortunately, I cannot say thank you.
Yes, I see this computer using nmap -Pn 10.44.1.178 . But tcpdump does not show packets from this address. However, this user with this MAC manually changes his static IP every day, and banning a new IP every day is unreasonable. Why would he do this if he doesn’t use the Internet?Or maybe he is using a tunneling program?
Turn off the switch port they're connected to. Provide web browsing through a proxy, add authentication on the proxy. No account, no internet browsing. If all that doesn't work, use a LART.However, this user with this MAC manually changes his static IP every day, and banning a new IP every day is unreasonable. Why would he do this if he doesn’t use the Internet?
All ip address of local network are static. The machine is gateway of this local network. I assigne ipv4 ot this networkHello
You state that the incoming packets are sourced from a class A private network.
You also state that the machines IP address changes on a daily basis, indicative of DHCP perhaps yet you state that it is statically assigned.
The machine must therefore be on the same LAN as you.
If the Network has is not running DHCP and is Statically configured, how come the user can just input a random IPv4 address from the network?
Do you assign IPv4 addresses on this network.
Is the ABR running dual stacks?
Its request ports change every time and are in the upper ranges. In general, there is good news: I found this person geographically. This was an inexperienced user who was told that if there is no Internet, change the IP. But still the problem of filtering mac address was not solvedTurn off the switch port they're connected to. Provide web browsing through a proxy, add authentication on the proxy. No account, no internet browsing. If all that doesn't work, use a LART.
You write that I don’t believe you. But this is not a religion to believe. I check and if it works, I say thank you. But for now, unfortunately, I cannot say thank you.
Your line 500 is in my scrit
Code:# TABLE (0): ${fwcmd} add allow ip from any to any ${fwcmd} table 0 add 10.44.1.1
add allow all from any to any layer2
In general, it seems to me that this time the problem is not solved. I’m transferring the tables of allowed addresses to the Archlinux iptables and will turn it on as a gateway in critical cases when I need to kill MAC,fortunately this happens extremely rarely.Two years ago, I spent 1 month resolving this issue on forums in 4 countries. I didn’t achieve anything. I'm doing this now because I thought that something had changed in new releases of the system.
I update from version 10 continuously.By the way, I had a script on iptables that only allowed through NAT those IP that met the requirements of their mac (the table of allowed IP + Mac was loaded) I tried to do it here, I also suffered for a month on the forums and nothing worked
whatever you say:Fair enough, but I'm about to show why I think you haven't got it working yet.
ipfw is very much like assembler code, requiring precision. If you examine ipfw source code you'll see its rules are parsed into a virtual machine of sorts, so traversing the ruleset is fast and efficient; thanks Prof. Rizzo!
As an old systems programmer I like it like that, but it's not for everyone. Many prefer using pf(8) which I see as more of a high-level, conceptual language than ipfw.
VladiBG's line 500, of his tested, working example script. But his nat rules are for 'ip4' not ip (=all).
With natd(8) it was an error to pass non-ip4 packets to it. I'm not certain with kernel NAT, but passing layer2 frames to it as you're doing here seems unlikely to end well. Only later do you pass all, including layer2.
So once again, please try with layer2 (ether) enabled and your pass ARP and deny $BOGON layer2 rule(s), adding immediately afterwards:
add allow all from any to any layer2
And then layer2 is done with, so proceed with your layer3 stuff - though I'd use ip4 on the nat rules (in case there are e.g. ipv6 packets in the mix).
Still sounds like you think there's something broken with ipfw, rather than you hadn't yet found out how to use it correctly?
I know ipfw(8) is a big manpage, but it's very thorough and kept correct and up to date, and you can ignore many sections that don't apply to your usage - but you won't get away without familiarity with the basics. Maybe check out pf?
Which forums?
Not sure what you're saying here, but you can also use tables of MAC addresses rather than single rules for white- or black-listing, if declared properly.
SirDice nailed it, but I'll add:
a BOFH with no LART is like a Pub With No Beer ...
#MAC
${fwcmd} add allow ip from any to any layer2 mac-type 0x0806
${fwcmd} add deny ip from any to any MAC any fc:34:97:bd:16:d9
${fwcmd} add add allow all from any to any layer2
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=100
net.inet.ip.fw.one_pass=0
net.link.ether.ipfw=1
service ipfw restart
ipfw -a show
00100 4 394 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 8806 0 allow ip from any to any layer2 mac-type 0x0806
00500 2542 235323 deny ip from any to any MAC any fc:34:97:bd:16:d9
00600 2572071 517705387 nat 1 ip from table(0) to any out via igb2
00700 9749972 11914216133 nat 1 ip from any to any in via igb2
00800 25039509 19952612494 allow ip from any to any
00900 0 0 allow tcp from any to any 80
65535 39252 5439536 deny ip from any to any
ipfw zero
Accounting cleared.
# ipfw -a show
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 29 0 allow ip from any to any layer2 mac-type 0x0806
00500 0 0 deny ip from any to any MAC any fc:34:97:bd:16:d9
00600 20931 6834380 nat 1 ip from table(0) to any out via igb2
00700 62003 77619486 nat 1 ip from any to any in via igb2
00800 177019 143789809 allow ip from any to any
00900 0 0 allow tcp from any to any 80
65535 39252 5439536 deny ip from any to any
From this I understand that you are using the machine as a router.All ip address of local network are static. The machine is gateway of this local network. I assigne ipv4 ot this network
${fwcmd} add allow ip from any to any layer2 mac-type 0x0806
${fwcmd} add deny ip from any to any MAC any fc:34:97:bd:16:d9
${fwcmd} add add allow all from any to any layer2
whatever you say:
Code:#MAC ${fwcmd} add allow ip from any to any layer2 mac-type 0x0806 ${fwcmd} add deny ip from any to any MAC any fc:34:97:bd:16:d9 ${fwcmd} add add allow all from any to any layer2
And ater
Code:# Uncomment this to... net.inet.ip.fw.one_pass=0 ... net.link.ether.ipfw=1
all traffic stops and ssh and I go to the server to change net.link.ether.ipfw=1 to 0Code:service ipfw restart
allow all from any to any layer2
After i see
Code:ipfw -a show 00100 4 394 allow ip from any to any via lo0 00200 0 0 deny ip from any to 127.0.0.0/8 00300 0 0 deny ip from 127.0.0.0/8 to any 00400 8806 0 allow ip from any to any layer2 mac-type 0x0806 00500 2542 235323 deny ip from any to any MAC any fc:34:97:bd:16:d9 00600 2572071 517705387 nat 1 ip from table(0) to any out via igb2 00700 9749972 11914216133 nat 1 ip from any to any in via igb2 00800 25039509 19952612494 allow ip from any to any 00900 0 0 allow tcp from any to any 80 65535 39252 5439536 deny ip from any to any
ipfw -t show
Code:ipfw zero Accounting cleared. # ipfw -a show 00100 0 0 allow ip from any to any via lo0 00200 0 0 deny ip from any to 127.0.0.0/8 00300 0 0 deny ip from 127.0.0.0/8 to any 00400 29 0 allow ip from any to any layer2 mac-type 0x0806 00500 0 0 deny ip from any to any MAC any fc:34:97:bd:16:d9 00600 20931 6834380 nat 1 ip from table(0) to any out via igb2 00700 62003 77619486 nat 1 ip from any to any in via igb2 00800 177019 143789809 allow ip from any to any 00900 0 0 allow tcp from any to any 80 65535 39252 5439536 deny ip from any to any
Yes that's what I suggested, except you put 'add add' which I'd expect ipfw to complain about, and fail to add the rule.
If that's what you did, how come the supposedly added rule
allow all from any to any layer2
is NOT shown below, after your rule 500 and before nat rules?
Doesn't your complete script flush rules first? It seems not.
It's often helpful to use
ipfw -t show
to see latest timestamps.
(-a is implied with 'show')
Again, no allow all layer2 rule, still invoking nat on 'ip' aka all, and some non-nat rules were NOT zeroed, which is suss.
I'm done; waste of time if you won't even notice a specifically added rule has gone missing.
ipfw -t show
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 415 0 Wed Sep 20 23:10:08 2023 allow ip from any to any layer2 mac-type 0x0806
00500 11 796 Wed Sep 20 23:09:53 2023 deny ip from any to any MAC any 00:e0:81:d5:78:f0
00600 3983 677191 Wed Sep 20 23:10:08 2023 allow ip from any to any layer2
00700 0 0 nat 1 ip from table(0) to any out via igb2
00800 0 0 nat 1 ip from any to any in via igb2
65535 60 24808 Wed Sep 20 23:09:11 2023 deny ip from any to any
ipfw -t show
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 334 0 Wed Sep 20 23:20:53 2023 allow ip from any to any layer2 mac-type 0x0806
00500 2452 443448 Wed Sep 20 23:20:53 2023 allow ip from any to any layer2
00600 0 0 nat 1 ip from table(0) to any out via igb2
00700 0 0 nat 1 ip from any to any in via igb2
00800 0 0 allow ip from any to any
65535 63 25143 Wed Sep 20 23:20:07 2023 deny ip from any to any
There is only one inconvenience. If you comment out the ban of MAC in the rules and comment the line #net.link.ether.ipfw= 1 than restart IPFW after some time (sometimes after half an hour) all traffic stops
sysctl net.link.ether.fw=0
and it is restored only after the system is rebooted.And if you work far away in SSH,then this means you need to go to the server...
Iptables or nftables suits my style better than the Linux variety (Do it in one motion in command line with root rights: iptables -I INPUT -m mac --mac-source 00:22:66:B4:44:3A -j DROP - and works immediately without any hassle with layers) But for more than 10 years freebsd has been installed on the server and therefore I have to put up with ipfw Overall FreeBSD is a very reliable system and easy to administer. But why such a bulky and inconvenient to use IPFW was built in , is unclearCommenting out that line in /etc/sysctl.conf is not the same as setting that variable to 0. Without rebooting it will retain its current value, unless your script specifically runssysctl net.link.ether.fw=0
I thought you said you had it working? You know by now that net.link.ether.fw must be set to 1 for ipfw to be able to see and filter layer2 packets, don't you?
Perhaps some variety of Linux would suit your style better?