Hello all,
For recovery purposes, I'm interested in logging when certain MAC
addresses send traffic to our firewall. Understanding that MAC address
filtering is the province of brconfig plus tagging, I've set up the
following:
External interface: em0
Internal interface: em1
I set up the bridge using:
# brconfig bridge0 add em0 add em1 up
$ ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:40:48:b1:5c:e7
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 169.237.249.186 netmask 0xfffffffc broadcast 169.237.249.187
        inet6 fe80::240:48ff:feb1:5ce7%em0 prefixlen 64 scopeid 0x1
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:40:48:b1:5c:e8
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 169.237.195.126 netmask 0xffffff80 broadcast 169.237.195.127
        inet6 fe80::240:48ff:feb1:5ce8%em1 prefixlen 64 scopeid 0x2
em2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:40:48:b1:5c:e9
        media: Ethernet autoselect (none)
        status: no carrier
        inet 128.120.137.224 netmask 0xffffff00 broadcast 128.120.137.255
        inet6 fe80::240:48ff:feb1:5ce9%em2 prefixlen 64 scopeid 0x3
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 1460
        groups: carp
enc0: flags=0<> mtu 1536
bridge0: flags=41<UP,RUNNING> mtu 1500
        groups: bridge
Then I created /etc/br.conf:
$ cat /etc/br.conf
pass in on em0 src 00:19:b9:84:ac:0a tag laptop
pass in on em0 src 00:19:b9:84:ab:26 tag laptop
Then I created a corresponding rule in /etc/pf.conf:
pass in log on $ext_if tagged laptop label "MAC filter"
Then I loaded the br.conf rules using:
# sudo brconfig bridge0 rulefile /etc/br.conf
After which I see:
$ brconfig bridge0 rules em0
bridge0: pass in on em0 src 00:19:b9:84:ac:0a tag laptop
bridge0: pass in on em0 src 00:19:b9:84:ab:26 tag laptop
Finally, I reload the pf.conf using pfctl -f /etc/pf.conf, and verify
the extra rule is active using pftop:
RULE LABEL               PKTS   BYTES STATES MAX ACTIO DIR LOG Q IF   PR  K
0    Default block in     289   11966      0     Block In  Log   em0
1    Default block out    429   50832      0     Block Out Log   em0
2    Default block in I     0       0      0     Block In
3    Private in             0       0      0     Block In  Log Q em0
4    Private out           25    1440      0     Block Out Log Q em0
5    Block Campus Scann     0       0      0     Block In
6    Reject auth for SM     0       0      0     Block In              tcp
7    ICMP in               2120         0        Pass  In        em0  icmp
8    MAC filter             0       0      0     Pass  In  Log
Unfortunately, I'm still not seeing any packets getting logged, even
when we reconnect using machines with those MAC addresses.
What am I doing wrong?
--
Invincibility is in oneself, vulnerability in the opponent. -- Sun Tzu
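As an added example (not part of the post above, and not an answer to it), a small POSIX sh check that cross-references the tags a brconfig rulefile sets against the `tagged` rules in pf.conf: it reports tags set on the bridge that no pf rule matches, matching pf rules that lack `log` (so nothing would reach pflog), `tagged` rules whose tag nothing on the bridge sets, and malformed MAC addresses. It assumes the one-rule-per-line syntax shown in the post; the file paths and function names are mine.

```shell
#!/bin/sh
# Added example: consistency check between a brconfig rulefile (br.conf)
# and pf.conf. Assumes the one-rule-per-line syntax used in the post.

# Tag names that br.conf rules set ("... tag NAME"), de-duplicated.
br_tags() {
    awk '/^[[:space:]]*#/ { next }
         { for (i = 1; i < NF; i++) if ($i == "tag") print $(i+1) }' "$1" | sort -u
}

# Tag names that pf.conf rules match ("... tagged NAME"), de-duplicated.
pf_tagged() {
    awk '/^[[:space:]]*#/ { next }
         { for (i = 1; i < NF; i++) if ($i == "tagged") print $(i+1) }' "$1" | sort -u
}

# src/dst values in br.conf that are not six colon-separated hex pairs.
bad_macs() {
    awk '/^[[:space:]]*#/ { next }
         { for (i = 1; i < NF; i++) if ($i == "src" || $i == "dst") print $(i+1) }' "$1" |
      grep -Ev '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || true
}

# check_tags BR_CONF PF_CONF: print one line per finding; silent when consistent.
check_tags() {
    br=$1; pf=$2
    for t in $(br_tags "$br"); do
        rule=$(grep -E "tagged[[:space:]]+$t([[:space:]]|\$)" "$pf" || true)
        if [ -z "$rule" ]; then
            echo "tag '$t' is set in $br but no rule in $pf matches 'tagged $t'"
        elif ! echo "$rule" | grep -qw log; then
            echo "tag '$t': the matching rule in $pf has no 'log', so pflog will not see it"
        fi
    done
    for t in $(pf_tagged "$pf"); do
        br_tags "$br" | grep -qx "$t" ||
          echo "'tagged $t' rule in $pf but nothing in $br sets tag '$t'"
    done
    bad_macs "$br" | while read -r m; do
        echo "malformed MAC address in $br: $m"
    done
}
```

Run it as `check_tags /etc/br.conf /etc/pf.conf` after editing either file; no output means the two files agree.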