Re: MAC address filtering

2010-11-08 Thread Claudio Jeker
On Mon, Nov 08, 2010 at 02:07:20PM +0700, Insan Praja SW wrote:
> Dear Misc@,
> Sorry on the previous message, wrong button pressed.
> To continue, I will set up a bridge with only an interface facing
> my office, and tag it in accordance with ifconfig(8). In pf
> I'll simply pass this.
> 
> Can I do that?
> 

It could work. I think the needed bridge_filterrule() calls are in the
right place so that local traffic is tagged as well. If a bridge with a
single interface fails, you could try one with vether(4).

-- 
:wq Claudio



Re: MAC address filtering

2010-11-08 Thread Insan Praja SW
On Mon, 08 Nov 2010 15:29:28 +0700, Claudio Jeker <cje...@diehard.n-r-g.com> wrote:

> On Mon, Nov 08, 2010 at 02:07:20PM +0700, Insan Praja SW wrote:
>
> > Dear Misc@,
> > Sorry on the previous message, wrong button pressed.
> > To continue, I will set up a bridge with only an interface facing
> > my office, and tag it in accordance with ifconfig(8). In pf
> > I'll simply pass this.
> >
> > Can I do that?
>
> It could work. I think the needed bridge_filterrule() calls are in the
> right place so that local traffic is tagged as well. If a bridge with a
> single interface fails, you could try one with vether(4).



Thanks Claudio. OTOH, why not simply give hostname.ifname the
hostname.bridgename capability to tag packets? But this is entirely up to
the devs, and I'm happy enough to use bridge to do this.



Best Regards,


Insan Praja
--
Using Opera's revolutionary email client: http://www.opera.com/mail/



MAC address filtering

2010-11-07 Thread Insan Praja SW

Dear Misc@,
Sorry on the previous message, wrong button pressed.
To continue, I will set up a bridge with only an interface facing
my office, and tag it in accordance with ifconfig(8). In pf I'll simply pass
this.


Can I do that?

Thanks,

Insan Praja
--
Using Opera's revolutionary email client: http://www.opera.com/mail/



MAC address filtering with brconfig + pf

2008-05-19 Thread Adam Getchell
Hello all,

For recovery purposes, I'm interested in logging when certain MAC
addresses send traffic to our firewall. Understanding that MAC address
filtering is the province of brconfig plus tagging, I've set up the
following:

External interface: em0
Internal interface: em1

I setup the bridge using:

# brconfig bridge0 add em0 add em1 up

$ ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
   groups: lo
   inet 127.0.0.1 netmask 0xff000000
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:40:48:b1:5c:e7
   groups: egress
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet 169.237.249.186 netmask 0xfffffffc broadcast 169.237.249.187
   inet6 fe80::240:48ff:feb1:5ce7%em0 prefixlen 64 scopeid 0x1
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:40:48:b1:5c:e8
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet 169.237.195.126 netmask 0xffffff80 broadcast 169.237.195.127
   inet6 fe80::240:48ff:feb1:5ce8%em1 prefixlen 64 scopeid 0x2
em2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:40:48:b1:5c:e9
   media: Ethernet autoselect (none)
   status: no carrier
   inet 128.120.137.224 netmask 0xffffff00 broadcast 128.120.137.255
   inet6 fe80::240:48ff:feb1:5ce9%em2 prefixlen 64 scopeid 0x3
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 1460
   groups: carp
enc0: flags=0<> mtu 1536
bridge0: flags=41<UP,RUNNING> mtu 1500
   groups: bridge

Then I created /etc/br.conf:

$ cat /etc/br.conf
pass in on em0 src 00:19:b9:84:ac:0a tag laptop
pass in on em0 src 00:19:b9:84:ab:26 tag laptop

Then I created a corresponding rule in /etc/pf.conf:

pass in log on $ext_if tagged laptop label "MAC filter"

Then I loaded the br.conf rules using:

# sudo brconfig bridge0 rulefile /etc/br.conf

After which I see:

$ brconfig bridge0 rules em0
bridge0: pass in on em0 src 00:19:b9:84:ac:0a tag laptop
bridge0: pass in on em0 src 00:19:b9:84:ab:26 tag laptop

Finally, I reload the pf.conf using pfctl -f /etc/pf.conf, and verify
the extra rule is active using pftop:

update
RULE LABEL              PKTS  BYTES STATES   MAX ACTIO DIR LOG Q IF   PR K
  0 Default block in  289  11966  0   Block In  Log   em0
  1 Default block out 429  50832  0   Block Out Log   em0
  2 Default block in I  0  0  0   Block In
  3 Private in  0  0  0   Block In  Log Q em0
  4 Private out25   1440  0   Block Out Log Q em0
  5 Block Campus Scann  0  0  0   Block In
  6 Reject auth for SM  0  0  0   Block In  tcp
  7 ICMP in 2120  0   Pass  Inem0   icmp
  8 MAC filter  0  0  0   Pass  In  Log

Unfortunately, I'm still not seeing any packets getting logged, even
when we reconnect using machines with those MAC addresses.

What am I doing wrong?


-- 
Invincibility is in oneself, vulnerability in the opponent. -- Sun Tzu
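Both setups in this thread (Adam's two-member bridge with src-MAC rules, and Insan's planned single-interface bridge) depend on two files agreeing with each other: the bridge rulefile must set a tag that pf.conf then matches with `tagged`, on an interface that is actually a bridge member. The following script is an added example written for this page, not code from the thread or from OpenBSD; it parses the bridge rule grammar exactly as it appears above (`pass|block in|out on IFNAME [src MAC] [dst MAC] [tag NAME]`), extracts every `tagged NAME` reference from a pf.conf fragment, and reports mismatches before anything is loaded into the kernel. The sample rulefile and pf.conf are constructed for the demonstration, the `BRIDGE_MEMBERS` set stands in for the output of `brconfig bridge0`, and the `#`-comment stripping is this script's own convenience rather than a claim about what `rulefile` accepts.

```python
import re

# Bridge rules only accept link-layer addresses in colon-separated form.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

# Constructed sample rulefile: two valid rules plus one with a truncated MAC.
BR_CONF = """\
pass in on em0 src 00:19:b9:84:ac:0a tag laptop
pass in on em0 src 00:19:b9:84:ab:26 tag laptop
block in on em1 src 00:19:b9:84:ff tag bogus
"""

# Constructed sample pf.conf fragment: one tag the bridge sets, one it never does.
PF_CONF = """\
ext_if = "em0"
pass in log on $ext_if tagged laptop label "MAC filter"
pass in on $ext_if tagged printers
"""

# Hypothetical member list; on a live system take it from `brconfig bridge0`.
BRIDGE_MEMBERS = {"em0", "em1"}


def parse_bridge_rule(line):
    """Parse one rule of the form: action in|out on IF [src MAC] [dst MAC] [tag NAME].

    Returns a dict; raises ValueError on anything the grammar above does not cover.
    """
    tokens = line.split()
    if (len(tokens) < 4 or tokens[0] not in ("pass", "block")
            or tokens[1] not in ("in", "out") or tokens[2] != "on"):
        raise ValueError(f"rule must start with 'pass|block in|out on IF': {line!r}")
    rule = {"action": tokens[0], "dir": tokens[1], "ifname": tokens[3],
            "src": None, "dst": None, "tag": None}
    i = 4
    while i < len(tokens):
        kw = tokens[i]
        if kw not in ("src", "dst", "tag"):
            raise ValueError(f"unexpected token {kw!r}")
        if i + 1 >= len(tokens):
            raise ValueError(f"keyword {kw!r} needs a value")
        val = tokens[i + 1]
        if kw in ("src", "dst"):
            if not MAC_RE.match(val):
                raise ValueError(f"bad MAC address {val!r}")
            val = val.lower()   # normalise so comparisons are case-insensitive
        rule[kw] = val
        i += 2
    return rule


def parse_bridge_rules(text):
    """Parse a whole rulefile; returns (rules, errors) so one bad line does not hide the rest."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # comment stripping is a local convenience
        if not line:
            continue
        try:
            rules.append(parse_bridge_rule(line))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return rules, errors


def pf_tagged_references(text):
    """Return the set of tag names that pf.conf matches with 'tagged NAME'."""
    tags = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        for match in re.finditer(r"\btagged\s+(\S+)", line):
            tags.add(match.group(1).strip('"'))
    return tags


def cross_check(br_text, pf_text, members):
    """Return a list of human-readable findings; an empty list means the two files agree."""
    rules, findings = parse_bridge_rules(br_text)
    for rule in rules:
        if rule["ifname"] not in members:
            findings.append(f"bridge rule on {rule['ifname']} but that interface "
                            f"is not a bridge member")
    set_tags = {r["tag"] for r in rules if r["tag"]}
    referenced = pf_tagged_references(pf_text)
    for tag in sorted(referenced - set_tags):
        findings.append(f"pf.conf matches 'tagged {tag}' but no bridge rule sets tag {tag}")
    for tag in sorted(set_tags - referenced):
        findings.append(f"bridge rules set tag {tag} but pf.conf never matches 'tagged {tag}'")
    return findings


if __name__ == "__main__":
    for finding in cross_check(BR_CONF, PF_CONF, BRIDGE_MEMBERS):
        print(finding)
```

Run against the constructed inputs it reports the truncated MAC on line 3 and the `printers` tag that pf.conf would match but nothing ever sets; a clean run prints nothing. The check is deliberately static: it tells you the files are consistent with each other, not whether a given packet path is tagged by the kernel, which is the separate question the thread leaves open.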