Cesar wrote:
Hi,
I wanted to finish my firewall rules with a "deny all from any to
any", but I can't do that with MAC filtering at the same time. Let me explain.
Since I use the ipfw MAC filter, I have the sysctl variable
"net.link.ether.ipfw: 1".
My FreeBSD box has the IP 10.0.0.1 and my Windows box 10.0.0.2.
An example of my rules:
00001 0 0 allow ip from 10.0.0.2 MAC any 00:13:20:27:80:d6 any
00002 0 0 allow ip from any to 10.0.0.2 MAC 00:13:20:27:80:d6 any
65535 0 0 allow ip from any to any
This works fine; rules 1 and 2 get some matches when I ping from the
Windows box to FreeBSD.
After this test, I added the rule "65534 0 0 deny ip from any to any".
It still works, but after some time, if I have no traffic from 10.0.0.2,
FreeBSD appears to remove the ARP entry for that IP; if I do an "arp -a",
I get:
? (10.0.0.1) at 00:08:54:29:ff:17 on xl0 [ethernet]
So, I can't ping my FreeBSD box anymore because it doesn't accept my ARP
packets. I tried logging the deny rule and I get some lines saying "Deny
MAC in".
I tried to add another rule before the deny all, "ipfw add 100 allow mac
any any", but this rule becomes "allow ip from any to any MAC any any",
so I can't end my firewall rules with a "deny all from any to any".
Is this a problem? Is there any workaround for this?
I didn't try to use a fixed ARP table, but I won't do that if it's not
necessary.
Thanks
Cesar
I had a similar problem before when I forgot to permit ARP traffic on
layer2, so I guess "mac-type arp" is not allowed to pass through your
firewall. You may consider "allow mac-type arp layer2" in your firewall
somewhere, or denying everything on L3 only, say "deny log all from any
to any not layer2".
--
Patrick Tracanelli
FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
[EMAIL PROTECTED]
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
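As an added example (not Cesar's or Patrick's ruleset, and not part of the original thread), the sh script below builds an ipfw ruleset that keeps the MAC pinning for 10.0.0.2 and still ends in a catch-all deny, while letting ARP through. It takes the IPs and the MAC from the thread; the rule numbers and the arp_reaches_allow audit helper are this example's own. It relies on the ipfw(8) semantics that, with net.link.ether.ipfw=1, every frame is checked twice, once with its Ethernet header (the pass that the "layer2" option selects, and the only one where MAC and mac-type fields are available) and once as a plain IP packet. Two consequences follow and the ruleset handles both: the IP-layer pass needs its own allow rules, and explicit layer2 denies placed after the MAC allows are what actually enforce the pinning, because a default deny written as "not layer2" on its own leaves the layer2 pass to whatever rule 65535 does on that kernel.

```shell
#!/bin/sh
# Added example, not code from the thread. Pins 10.0.0.2 to its MAC with ipfw
# and still closes with a default deny, without dropping ARP.
LAN_HOST=10.0.0.2          # the Windows box (from the thread)
LAN_MAC=00:13:20:27:80:d6  # its MAC address (from the thread)
FW_HOST=10.0.0.1           # the FreeBSD box (from the thread)

# Print the ruleset, one "ipfw add" argument list per line, lowest number first.
# ARP has no IP layer, so it only ever shows up in the layer2 pass; a closing
# "deny ip from any to any" with nothing before it drops it ("Deny MAC in").
# Rule numbers are this example's choice.
ruleset() {
    cat <<EOF
00100 allow mac-type arp layer2
00200 allow ip from $LAN_HOST to any MAC any $LAN_MAC layer2
00201 allow ip from any to $LAN_HOST MAC $LAN_MAC any layer2
00210 deny log ip from $LAN_HOST to any layer2
00211 deny log ip from any to $LAN_HOST layer2
00300 allow ip from $LAN_HOST to $FW_HOST not layer2
00301 allow ip from $FW_HOST to $LAN_HOST not layer2
65000 deny log ip from any to any
EOF
}
# 00100      ARP in both directions, Ethernet-level pass only.
# 00200/201  IP frames for 10.0.0.2 are accepted only with its MAC (dst-mac src-mac order).
# 00210/211  any IP frame claiming 10.0.0.2 with another MAC (ARP spoofing) is logged and dropped.
# 00300/301  the second, IP-layer pass of the same packets; MAC fields are unavailable here.
# 65000      everything else on either pass, including non-IP ethertypes.

# Audit helper (this example's own): read rules from stdin, either from
# ruleset above or from "ipfw list" / "ipfw -a list" on a live box, and
# succeed only if ARP is allowed on the layer2 pass before the first
# catch-all deny that reaches that pass. A deny ending in "not layer2"
# never sees ARP, so it is ignored; a kernel default of
# "65535 deny ip from any to any" is counted, as it should be.
arp_reaches_allow() {
    awk '
        / allow / && / mac-type arp/ && / layer2/ && !arp  { arp  = $1 + 0 }
        / deny /  && / from any to any( layer2)?$/ && !deny { deny = $1 + 0 }
        END {
            if (deny == 0) exit 0              # no catch-all deny on the layer2 pass
            if (arp > 0 && arp < deny) exit 0  # ARP allowed before it
            exit 1                             # ARP dropped (or allowed too late)
        }'
}

# Load the rules where ipfw exists (FreeBSD); elsewhere just print them.
apply_ruleset() {
    if command -v ipfw >/dev/null 2>&1; then
        ipfw -q -f flush
        ruleset | while read -r rule; do ipfw -q add $rule; done
    else
        ruleset
    fi
}

case "${1:-show}" in
    apply) apply_ruleset ;;        # sh this.sh apply
    check) arp_reaches_allow ;;    # ipfw list | sh this.sh check
    *)     ruleset ;;              # sh this.sh
esac
```

Run "apply" from the console rather than over the network: apply_ruleset flushes the existing rules before adding the new ones, and a typo in the MAC leaves the box unreachable until the rules are fixed locally. "ipfw list | sh this.sh check" is a quick way to confirm an existing ruleset does not have the ARP problem from the thread.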