IPFW How to match MAC address

yetoo

New Member


I am trying to do a simple test of matching a MAC coming from a machine connected to re0 and allowing it. I don't care if I'm able to actually use the packet; all I want is the rule number to show up in /var/log/security so I know something is matching. The ipfw command I'm using is
Code:
ipfw add 10 allow log ip from any to any layer2 MAC any <mac address of source ethernet interface that's in the connected machine> keep-state out via re0
But it keeps on missing the match. I am absolutely sure the MAC I am using as source is the same characters. I know for sure that when I ping from the connected machine, tcpdump -vvve on that machine and on the FreeBSD box that I'm doing this test on shows the MAC as the source. What am I missing here? I know that if I use
Code:
out
I have to make another rule with
Code:
in
for traffic to work properly, but again all I'm trying to do is get the rule to show up in /var/log/security, not actual usability.
 

SirDice

Administrator
Staff member
Moderator


You're matching on ip, which strips off the MAC address.

Code:
     Note that as packets flow through the stack, headers can be stripped or
     added to it, and so they may or may not be available for inspection.
     E.g., incoming packets will include the MAC header when ipfw is invoked
     from ether_demux(), but the same packets will have the MAC header
     stripped off when ipfw is invoked from ip_input() or ip6_input().
ipfw(8)
 

yetoo

New Member


So I got the messages in the log I wanted with
Code:
ipfw add 10 allow log all from any to any layer2 MAC any <insert mac> keep-state in via re0
and while I got inputs via re0, I got outputs via wlan0 despite there not being a rule for it other than
Code:
ipfw nat 1 config if wlan0 if re0
I also set net.link.ether.ipfw=1, like the man page says to, since, as SirDice quoted, ipfw commands that invoke ether_demux() don't strip the MAC header.
 