IPFW + Mac Address

J

jabj

Hello.

I have installed FreeBSD 9.1 for my company, and it is running smoothly. Implemented DHCP and Squid control for MAC. I want to continue using ipfw with IP and would like to add to it access control via MAC address. In my searches on the internet I came across this forum. In this case please help me.

I want to release a certain MAC address for navigation from anywhere to anywhere including port 443. I do not want to have to change my rules for IP which are functioning perfectly.

How could I do this? I have to enable or FreeBSD compile something in addition to the rules? What would be the syntax of the rule?

I'm sorry for my English, it is that I am Brazilian and I do not know English well.

Thank you.
 
Please try:

# sysctl net.link.ether.ipfw=1
# ipfw add <rule_number> allow tcp from any to any 443 MAC any xx:xx:xx:xx:xx:xx

You have to replace <rule_number> by an exact number which is below the rule number of any rule which would implicitly deny the same traffic.
 
Hello,

Thanks for the feedback. I had already done this and still not sure this thing. Below is my ipfw.rules. The titles will be in Portuguese. My firewall is type 'deny all'. The sysctl.conf has this
Code: 
net.link.ether.ipfw = 1
What am I still doing wrong? If you find errors in ipfw.rules, please could you suggest corrections regarding this issue? Thank you.

Code: 
# Limpa regras
/sbin/ipfw -f flush
/sbin/ipfw -f flush pipe
/sbin/ipfw -f flush queue

# Desativando passagem unica
/sbin/ipfw disable one_pass

####### TESTE POR MAC
sbin/ipfw add allow ip from any to any layer2 mac-type arp
sbin/ipfw add allow ip from any to any 443 mac any 00:50:56:8a:bd:2d in via em0

# Alias
rede_interna="192.168.20.0/24"

# NAT
/sbin/ipfw add divert natd all from any to any via em1

# Nao faz proxy transparente para a Caixa Economica Federal
/sbin/ipfw add allow tcp from ${rede_interna} to 200.201.174.0/24,200.251.164.0/24 80

# Nao faz proxy transparente para Nota Fiscal Eletronica (NFe)
/sbin/ipfw add allow tcp from ${rede_interna} 1024-65535 to 201.16.234.0/24,200.166.92.0/24,186.209.98.0/73 80 keep-state

# Nao faz proxy transparente para Sicoob
/sbin/ipfw add allow tcp from ${rede_interna} to 189.75.117.230,186.215.92.131,186.215.92.145 keep-state

# Nao faz proxy transparente para BeloDente e Viacard
/sbin/ipfw add allow tcp from ${rede_interna} 1024-65535 to 189.26.236.5,200.149.156.146 8080 keep-state

# Liberar DNS externo
/sbin/ipfw add allow udp from me 1024-65535 to any 53
/sbin/ipfw add allow tcp from me 1024-65535 to any 53
/sbin/ipfw add allow udp from any 53 to me 1024-65535
/sbin/ipfw add allow tcp from any 53 to me 1024-65535

# Firewall basico
/sbin/ipfw add deny tcp from any to any tcpflags syn,fin,psh in
/sbin/ipfw add deny tcp from any to any tcpflags fin,urg,psh in
/sbin/ipfw add deny tcp from any to any tcpflags !fin,!syn,!ack,!urg,!psh,!rst in
/sbin/ipfw add deny tcp from any to any tcpflags syn,fin,rst,ack in
/sbin/ipfw add deny tcp from any to any tcpflags fin,!syn,!rst,!ack in
/sbin/ipfw add deny tcp from any to any tcpflags syn,fin,!rst,!ack in
/sbin/ipfw add deny tcp from any to any tcpflags urg,!syn,!fin,!rst,!ack in

# Liberar NTP
/sbin/ipfw add allow tcp from me 123 to any 123
/sbin/ipfw add allow udp from me 123 to any 123
/sbin/ipfw add allow tcp from any 123 to me 123
/sbin/ipfw add allow udp from any 123 to me 123

# Liberar DNS Interno
/sbin/ipfw add allow udp from ${rede_interna} 1024-65535 to any 53
/sbin/ipfw add allow tcp from ${rede_interna} 1024-65535 to any 53
/sbin/ipfw add allow udp from any 53 to ${rede_interna} 1024-65535
/sbin/ipfw add allow tcp from any 53 to ${rede_interna} 1024-65535

# Liberar WWW Firewall
/sbin/ipfw add allow tcp from me to any keep-state

# Proxy transparente
/sbin/ipfw add fwd 192.168.20.254,3128 tcp from ${rede_interna} to any 80

# Libera
/sbin/ipfw add allow tcp from me 1024-65535 to any 80
/sbin/ipfw add allow tcp from any 80 to me 1024-65535
/sbin/ipfw add allow tcp from any 80 to ${rede_interna} 1024-65535
/sbin/ipfw add allow tcp from ${rede_interna} 1024-65535 to any 80

# Libera FTP
/sbin/ipfw add allow tcp from ${rede_interna} 1024-65535 to any 20,21
/sbin/ipfw add allow tcp from any 20,21 to ${rede_interna} 1024-65535
/sbin/ipfw add allow tcp from any 20,21 to 200.251.77.19
/sbin/ipfw add allow tcp from 200.251.77.19 to any 20,21

# Libera FTP Viaceu
/sbin/ipfw add allow tcp from 186.209.34.21,187.0.180.5,187.0.180.2 20,21,1024-65535 to ${rede_interna} 1024-65535
/sbin/ipfw add allow tcp from ${rede_interna} 1024-65535 to 186.209.34.21,187.0.180.5,187.0.180.2 20,21,1024-65535
/sbin/ipfw add allow tcp from me 1024-65535 to 186.209.34.21,187.0.180.5,187.0.180.2 20,21,1024-65535
/sbin/ipfw add allow tcp from 186.209.34.21,187.0.180.5,187.0.180.2 20,21,1024-65535 to me 1024-65535

# Liberar FTP Cera Ingleza
/sbin/ipfw add allow tcp from ${rede_interna} 1024-65535 to 200.251.77.0/26  1024-65535
/sbin/ipfw add allow tcp from 200.251.77.0/26 1024-65535 to ${rede_interna} 1024-65535

# Liberar FTP Serigy
/sbin/ipfw add allow tcp from ${rede_interna} 1024-65535 to 189.52.81.15  1024-65535
/sbin/ipfw add allow tcp from 189.52.81.15 1024-65535 to ${rede_interna} 1024-65535

# Liberar FTP 4shared
/sbin/ipfw add allow tcp from ${rede_interna} 1024-65535 to 199.101.132.0/22 1024-65535
/sbin/ipfw add allow tcp from 199.101.132.0/22 1024-65535 to ${rede_interna} 1024-65535

# Libererar PING na rede
/sbin/ipfw add allow icmp from any to any

# Libera EMAIL TASK Por IP
/sbin/ipfw add allow tcp from ${rede_interna} to 67.228.2.0/24 110,25,587,143
/sbin/ipfw add allow tcp from ${rede_interna} to 75.126.195.0/24 110,25,587,143
/sbin/ipfw add allow tcp from 67.228.2.0/24 110,25,587,143 to ${rede_interna}
/sbin/ipfw add allow tcp from 75.126.195.0/24 110,25,587,143 to ${rede_interna}

# Libera EMAIL TASK Por DNS
/sbin/ipfw add allow tcp from ${rede_interna} to pop3.task.com.br,pop3.etiam.com.br,pop3.brfilms.com.br,pop3.amaralincorp.com.br 110,25,587,143
/sbin/ipfw add allow tcp from ${rede_interna} to smtp.task.com.br,smtp.etiam.com.br,smtp.brfilms.com.br,smtp.amaralincorp.com.br 110,25,587,143
/sbin/ipfw add allow tcp from pop3.task.com.br,pop3.etiam.com.br,pop3.brfilms.com.br,pop3.amaralincorp.com.br 110,25,587,143 to ${rede_interna}
/sbin/ipfw add allow tcp from pop3.task.com.br,pop3.etiam.com.br,pop3.brfilms.com.br,pop3.amaralincorp.com.br 110,25,587,143 to ${rede_interna}

# Deny ALL e gera LOG
sbin/ipfw add 65533 deny log logamount 10000 all from any to any
 
You must log in or register to reply here.
Back
Top