Re: PF filtering on MAC address
On Fri, Jan 11, 2013 at 12:56:47PM +, Alexey E. Suslikov wrote:
> Erling Westenvik erling.westenvik at gmail.com writes:
> > Is it possible to have PF filter on MAC address on a machine with only one physical nic? I'm aware that MAC filtering can only be done on a machine configured as a bridge, but how to configure such a bridge?
> afaik, bridge(4) mac filtering only affects bridge forwarding. I think you can cook something using a bridge with a vether(4) as bridge member.

Thanks. Using vether(4) for general bridging seems to work great. However, after trying to tag ethernet frames on five machines with different hardware and OpenBSD versions, I'm beginning to think that support for this is dodgy at best.

FAQ http://www.openbsd.org/faq/faq6.html#Bridge states:

> Some NICs don't work properly in [Promiscuous] mode, the TI ThunderLAN chip (tl(4)) is an example of a chip that won't work as part of a bridge.

Could this be related? Is there a list over these "some NICs"?

So far I have tried testing on machines with dc(4), em(4), bge(4), iwi(4), iwn(4) and fxp(4). On some of the machines, pf will pass tagged frames from some of the other machines/segments but not from the others. On other machines, no tagged packets will pass at all. None of the machines will pass all tagged frames from all of the others.

I know I'm putting myself poorly, so please ask me for more specific information.

Cheers,
Erling
Re: PF filtering on MAC address
Erling Westenvik erling.westenvik at gmail.com writes:
> Is it possible to have PF filter on MAC address on a machine with only one physical nic? I'm aware that MAC filtering can only be done on a machine configured as a bridge, but how to configure such a bridge?

afaik, bridge(4) mac filtering only affects bridge forwarding. I think you can cook something using a bridge with a vether(4) as bridge member.

Cheers,
Alexey
PF filtering on MAC address
Is it possible to have PF filter on MAC address on a machine with only one physical nic? I'm aware that MAC filtering can only be done on a machine configured as a bridge, but how to configure such a bridge?

---8<---
# /etc/hostname.bridge0
add bge0
add ??
rule pass in on bge0 src f8:db:7f:4d:bb:10 tag WWW
rule pass in on bge0 src 00:08:02:85:6c:90 tag SSH
rule pass in on bge0 src 00:16:ea:b3:65:d0 tag SSH
---8<---

Regards,
Erling
Re: PF filtering on MAC address
On Thu, Jan 10, 2013 at 6:54 PM, Erling Westenvik erling.westen...@gmail.com wrote:
> Is it possible to have PF filter on MAC address on a machine with only one physical nic? I'm aware that MAC filtering can only be done on a machine configured as a bridge, but how to configure such a bridge?

Add the single interface to the bridge. Tag the packets from a specific MAC. Filter the tag.

> ---8<---
> # /etc/hostname.bridge0
> add bge0
> add ??
> rule pass in on bge0 src f8:db:7f:4d:bb:10 tag WWW
> rule pass in on bge0 src 00:08:02:85:6c:90 tag SSH
> rule pass in on bge0 src 00:16:ea:b3:65:d0 tag SSH
> ---8<---
>
> Regards,
> Erling
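Putting the three-step answer above (add the interface, tag frames by source MAC, filter the tag) together with Alexey's vether(4) suggestion, here is an added, complete configuration that is not part of the thread. The 192.0.2.0/24 address, the service ports and the choice to do all filtering on bge0 (with vether0 skipped) are assumptions; the MAC addresses are the ones Erling posted.

```conf
# /etc/hostname.bge0 -- physical NIC carries no address, it is only a bridge member
up

# /etc/hostname.vether0 -- the host's own address lives on the virtual interface
inet 192.0.2.10 255.255.255.0   # constructed example address

# /etc/hostname.bridge0 -- fill in the "add ??" from the thread with vether0
add bge0
add vether0
rule pass in on bge0 src f8:db:7f:4d:bb:10 tag WWW
rule pass in on bge0 src 00:08:02:85:6c:90 tag SSH
rule pass in on bge0 src 00:16:ea:b3:65:d0 tag SSH
# bridge(4) passes frames that match no rule, so unknown MACs still reach
# pf on bge0, just without a tag; the default block below handles them
up

# /etc/pf.conf -- filter on the tag set by the bridge, on the member interface
ext_if = "bge0"
host_if = "vether0"

# tags are checked where the bridge sets them (inbound on bge0);
# skipping vether0 avoids filtering the same packet a second time
set skip on $host_if

block in on $ext_if
# only the WWW-tagged MAC may reach port 80, only SSH-tagged MACs port 22
pass in on $ext_if proto tcp to $host_if port 80 tagged WWW
pass in on $ext_if proto tcp to $host_if port 22 tagged SSH
pass out on $ext_if
```

A frame from a MAC that is not in the bridge rules arrives untagged and hits `block in on $ext_if`; note that pf only sees IP traffic, so non-IP frames such as ARP are still bridged unless blocked with a bridge rule.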