How to make pfsense a MAC+IP firewall?
-
I use pfsense to create a bridge (opt1 + opt2).
I want to configure firewall rules so that only a PC whose "MAC" and "IP" match the firewall rules is permitted to pass the pfsense bridge.
Can someone show me this?
For example:
when 192.168.0.100 + 00:24:01:25:ed:ae is in the pfsense rules, that PC is permitted to pass the pfsense bridge.
-
Maybe this fits your needs: http://forum.pfsense.org/index.php/topic,49917.0.html
-
I use pfsense to create a bridge (opt1 + opt2).
I want to configure firewall rules so that only a PC whose "MAC" and "IP" match the firewall rules is permitted to pass the pfsense bridge.
Can someone show me this?
For example:
when 192.168.0.100 + 00:24:01:25:ed:ae is in the pfsense rules, that PC is permitted to pass the pfsense bridge.
The ipfw firewall does what you want. The easiest way to get ipfw running on pfSense is to turn on the captive portal. Unfortunately - then you are running the captive portal…
What I ended up doing was turning on the captive portal with a zone that does nothing. I called it "dummy". Then I created my own set of rules that execute before the captive portal rules. All traffic is either passed or dropped before getting to the captive portal rules. I slightly modified the "captiveportal.inc" file to include my rules by executing a shell script that writes my rules to standard out. The shell script is executed within captiveportal.inc when it is building the ipfw rules. The patch for captiveportal.inc is attached.
--- /home/rjcrowder/dev/pfsense_2.1/base_mods/etc/inc//captiveportal.inc 2013-07-31 19:19:27.029646791 -0400 +++ /home/rjcrowder/dev/pfsense_2.1/base_mods/etc/inc//captiveportal.inc.new 2013-07-31 19:19:02.193645849 -0400 @@ -565,6 +565,12 @@ EOD; + /* RJC - 01.15.2013 - Custom rules to be added */ + /* begin modification */ + $customrules = shell_exec('/usr/local/ipfw_custom_rules/ipfw_custom_rules'); + $cprules .= $customrules; + /* end modification */ + /* generate passthru mac database */ $cprules .= captiveportal_passthrumac_configure(true); $cprules .= "\n";
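Review bot: the `shell_exec('/usr/local/ipfw_custom_rules/ipfw_custom_rules')` line has no guard for the script being missing or not executable: `shell_exec()` then returns null, `$cprules .= $customrules;` appends nothing, and the captive portal loads silently without the custom rules, so a broken deployment is never reported. Suggest wrapping it, e.g. `if (is_executable('/usr/local/ipfw_custom_rules/ipfw_custom_rules')) { $cprules .= shell_exec(...); } else { log_error("ipfw custom rules script missing"); }`. Since the script runs with the privileges of the rule-generation code and its output becomes firewall policy, the script and its directory should be root-owned and writable by nobody else. Minor: the comment date (01.15.2013) predates the July 2013 timestamps in the diff header.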
-
Some further info… if you turn on the captive portal by creating a zone called "dummy" and then run "ipfw -x dummy list", this is what you will see:
65291 allow pfsync from any to any
65292 allow carp from any to any
65301 allow ip from any to any layer2 mac-type 0x0806,0x8035
65302 allow ip from any to any layer2 mac-type 0x888e,0x88c7
65303 allow ip from any to any layer2 mac-type 0x8863,0x8864
65307 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
65310 allow ip from any to { 255.255.255.255 or 192.168.5.1 } in
65311 allow ip from { 255.255.255.255 or 192.168.5.1 } to any out
65312 allow icmp from { 255.255.255.255 or 192.168.5.1 } to any out icmptypes 0
65313 allow icmp from any to { 255.255.255.255 or 192.168.5.1 } in icmptypes 8
65314 pipe tablearg ip from table(3) to any in
65315 pipe tablearg ip from any to table(4) in
65316 pipe tablearg ip from table(3) to any out
65317 pipe tablearg ip from any to table(4) out
65318 pipe tablearg ip from table(1) to any in
65319 pipe tablearg ip from any to table(2) out
65532 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
65533 allow tcp from any to any out
65534 deny ip from any to any
65535 allow ip from any to any
This is the output of my shell script (writes to standard out).
add 10 set 20 skipto 1000 all from any to any layer2 in recv em0
add 11 set 20 skipto 2000 all from any to any not layer2
add 12 set 20 skipto 2000 all from any to any layer2
add 1000 set 20 skipto 1100 ip from 192.168.5.224/28 to any
add 1001 set 20 skipto 2000 ip from any to any
add 1100 set 20 skipto 2000 all from 192.168.5.128 to any MAC any 00:24:d7:98:b4:cc
add 1101 set 20 skipto 2000 all from 192.168.5.129 to any MAC any 24:77:03:23:3c:e4
add 1102 set 20 skipto 2000 all from 192.168.5.130 to any MAC any 5c:da:d4:2a:ae:65
add 1103 set 20 skipto 2000 all from 192.168.5.136 to any MAC any e0:f8:47:0b:d5:20
add 1104 set 20 skipto 2000 all from 192.168.5.137 to any MAC any cc:78:5f:61:7b:b4
add 1105 set 20 skipto 2000 all from 192.168.5.144 to any MAC any 68:a8:6d:27:3f:d8
add 1106 set 20 skipto 2000 all from 192.168.5.145 to any MAC any 38:0f:4a:02:db:db
add 1107 set 20 skipto 2000 all from 192.168.5.153 to any MAC any 4c:eb:42:01:1e:63
add 1108 set 20 skipto 2000 all from 192.168.5.154 to any MAC any 00:c6:10:ee:a9:ef
add 1109 set 20 skipto 2000 all from 192.168.5.160 to any MAC any 00:18:de:b4:3a:b4
add 1110 set 20 skipto 2000 all from 192.168.5.161 to any MAC any 00:25:bc:eb:d1:e9
add 1111 set 20 skipto 2000 all from 192.168.5.168 to any MAC any 00:21:5c:99:45:bf
add 1112 set 20 skipto 2000 all from 192.168.5.169 to any MAC any 00:26:08:0f:53:fd
add 1113 set 20 skipto 2000 all from 192.168.5.170 to any MAC any 14:10:9f:49:f8:66
add 1114 set 20 skipto 2000 all from 192.168.5.176 to any MAC any 30:f7:c5:a1:89:c1
add 1115 set 20 skipto 2000 all from 192.168.5.177 to any MAC any 98:fe:94:a6:32:89
add 1116 set 20 skipto 2000 all from 192.168.5.178 to any MAC any 00:25:56:b5:6b:3e
add 1117 set 20 skipto 2000 all from 192.168.5.184 to any MAC any 00:40:f4:a0:27:25
add 1118 set 20 skipto 2000 all from 192.168.5.208 to any MAC any 00:22:58:7b:85:97
add 1119 set 20 skipto 2000 all from 192.168.5.209 to any MAC any 00:1c:c0:8c:83:5f
add 1120 set 20 skipto 2000 all from 192.168.5.224 to any MAC any f8:d1:11:5a:be:5e
add 1121 set 20 skipto 2000 all from 192.168.5.225 to any MAC any 00:0d:4b:bd:d1:61
add 1122 set 20 skipto 2000 all from 192.168.5.226 to any MAC any 00:0d:4b:df:c1:3d
add 1123 set 20 skipto 2000 all from 192.168.5.227 to any MAC any cc:6d:a0:1f:a5:11
add 1124 set 20 skipto 2000 all from 192.168.5.228 to any MAC any 00:0d:4b:e8:1e:59
add 1125 set 20 skipto 2000 all from 192.168.5.229 to any MAC any ec:88:8f:dc:8f:6a
add 1126 set 20 skipto 2000 all from 192.168.5.232 to any MAC any f8:d1:11:7f:4e:4e
add 1127 set 20 deny ip from any to any
add 2000 set 20 allow ip from any to any
After the additional rules are added by captiveportal.inc as I described in the previous post… this is what I end up with (again doing ipfw -x dummy list). You can see that rule 2000 allows all traffic through before the captiveportal rules are executed. Obviously, you could execute your own rules and still allow the captive portal to function if you wanted to.
00010 skipto 1000 ip from any to any layer2 in recv em0
00011 skipto 2000 ip from any to any not layer2
00012 skipto 2000 ip from any to any layer2
01000 skipto 1100 ip from 192.168.5.224/28 to any
01001 skipto 2000 ip from any to any
01100 skipto 2000 ip from 192.168.5.128 to any MAC any 00:24:d7:98:b4:cc
01101 skipto 2000 ip from 192.168.5.129 to any MAC any 24:77:03:23:3c:e4
01102 skipto 2000 ip from 192.168.5.130 to any MAC any 5c:da:d4:2a:ae:65
01103 skipto 2000 ip from 192.168.5.136 to any MAC any e0:f8:47:0b:d5:20
01104 skipto 2000 ip from 192.168.5.137 to any MAC any cc:78:5f:61:7b:b4
01105 skipto 2000 ip from 192.168.5.144 to any MAC any 68:a8:6d:27:3f:d8
01106 skipto 2000 ip from 192.168.5.145 to any MAC any 38:0f:4a:02:db:db
01107 skipto 2000 ip from 192.168.5.153 to any MAC any 4c:eb:42:01:1e:63
01108 skipto 2000 ip from 192.168.5.154 to any MAC any 00:c6:10:ee:a9:ef
01109 skipto 2000 ip from 192.168.5.160 to any MAC any 00:18:de:b4:3a:b4
01110 skipto 2000 ip from 192.168.5.161 to any MAC any 00:25:bc:eb:d1:e9
01111 skipto 2000 ip from 192.168.5.168 to any MAC any 00:21:5c:99:45:bf
01112 skipto 2000 ip from 192.168.5.169 to any MAC any 00:26:08:0f:53:fd
01113 skipto 2000 ip from 192.168.5.170 to any MAC any 14:10:9f:49:f8:66
01114 skipto 2000 ip from 192.168.5.176 to any MAC any 30:f7:c5:a1:89:c1
01115 skipto 2000 ip from 192.168.5.177 to any MAC any 98:fe:94:a6:32:89
01116 skipto 2000 ip from 192.168.5.178 to any MAC any 00:25:56:b5:6b:3e
01117 skipto 2000 ip from 192.168.5.184 to any MAC any 00:40:f4:a0:27:25
01118 skipto 2000 ip from 192.168.5.208 to any MAC any 00:22:58:7b:85:97
01119 skipto 2000 ip from 192.168.5.209 to any MAC any 00:1c:c0:8c:83:5f
01120 skipto 2000 ip from 192.168.5.224 to any MAC any f8:d1:11:5a:be:5e
01121 skipto 2000 ip from 192.168.5.225 to any MAC any 00:0d:4b:bd:d1:61
01122 skipto 2000 ip from 192.168.5.226 to any MAC any 00:0d:4b:df:c1:3d
01123 skipto 2000 ip from 192.168.5.227 to any MAC any cc:6d:a0:1f:a5:11
01124 skipto 2000 ip from 192.168.5.228 to any MAC any 00:0d:4b:e8:1e:59
01125 skipto 2000 ip from 192.168.5.229 to any MAC any ec:88:8f:dc:8f:6a
01126 skipto 2000 ip from 192.168.5.232 to any MAC any f8:d1:11:7f:4e:4e
01127 deny ip from any to any
02000 allow ip from any to any
65291 allow pfsync from any to any
65292 allow carp from any to any
65301 allow ip from any to any layer2 mac-type 0x0806,0x8035
65302 allow ip from any to any layer2 mac-type 0x888e,0x88c7
65303 allow ip from any to any layer2 mac-type 0x8863,0x8864
65307 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
65310 allow ip from any to { 255.255.255.255 or 192.168.5.1 } in
65311 allow ip from { 255.255.255.255 or 192.168.5.1 } to any out
65312 allow icmp from { 255.255.255.255 or 192.168.5.1 } to any out icmptypes 0
65313 allow icmp from any to { 255.255.255.255 or 192.168.5.1 } in icmptypes 8
65314 pipe tablearg ip from table(3) to any in
65315 pipe tablearg ip from any to table(4) in
65316 pipe tablearg ip from table(3) to any out
65317 pipe tablearg ip from any to table(4) out
65318 pipe tablearg ip from table(1) to any in
65319 pipe tablearg ip from any to table(2) out
65532 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
65533 allow tcp from any to any out
65534 deny ip from any to any
65535 allow ip from any to any
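The posts above show the output of the rule-generating script but not the script itself. The following is an added example, not the poster's script or pfSense code: a POSIX sh generator that turns a list of "IP MAC" pairs into the same skipto layout (entry rules 10-12, subnet check at 1000/1001, one IP+MAC allow rule per host from 1100 upward, a deny right after the last host, and the allow at 2000), printing it to standard output so captiveportal.inc can pick it up the way the patch does. The interface em0, the guarded subnet 192.168.5.224/28, set 20, the rule numbers and the sample host list are all assumptions mirrored from the thread. Unlike the original output, it validates each pair and skips malformed entries with a message on stderr, so a typo in the host list cannot produce a rule that ipfw rejects and leave the set half-loaded.

```shell
#!/bin/sh
# Added example (not the poster's script): generate the ipfw IP+MAC allow-list
# shown in the thread from a list of "IP MAC" pairs. Interface, subnet, set
# number and rule numbers are assumptions taken from the thread's listing.

# Constructed sample allow-list, one "IP MAC" pair per line.
ALLOWED_HOSTS='192.168.5.128 00:24:d7:98:b4:cc
192.168.5.129 24:77:03:23:3c:e4
192.168.5.224 f8:d1:11:5a:be:5e'

IFACE=em0                      # bridge member the clients sit on (assumed)
GUARDED_NET=192.168.5.224/28   # only this subnet is pinned to MACs (assumed)
SET=20                         # ipfw set, so the whole block can be swapped atomically

# validate_pair IP MAC -> returns 0 if both fields look well-formed, 1 otherwise
validate_pair() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    echo "$2" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
    return 0
}

# gen_ipfw_rules HOSTS -> prints the ruleset to stdout in "add ..." form,
# which is what captiveportal.inc appends to $cprules in the patch above.
gen_ipfw_rules() {
    hosts=$1
    n=1100   # first per-host rule number; must stay below the deny/allow at 2000
    # Entry: only layer-2 frames received on the client interface are checked;
    # everything else jumps straight to the allow rule.
    echo "add 10 set $SET skipto 1000 all from any to any layer2 in recv $IFACE"
    echo "add 11 set $SET skipto 2000 all from any to any not layer2"
    echo "add 12 set $SET skipto 2000 all from any to any layer2"
    # Only sources inside the guarded subnet must match an IP+MAC pair.
    echo "add 1000 set $SET skipto 1100 ip from $GUARDED_NET to any"
    echo "add 1001 set $SET skipto 2000 ip from any to any"
    # One rule per host: source IP must be carried in a frame whose source
    # MAC is the registered one ("MAC any <src>" = any dst MAC, that src MAC).
    while read -r ip mac; do
        if [ -z "$ip" ]; then continue; fi
        if ! validate_pair "$ip" "$mac"; then
            echo "# skipped malformed entry: $ip $mac" >&2
            continue
        fi
        echo "add $n set $SET skipto 2000 all from $ip to any MAC any $mac"
        n=$((n + 1))
    done <<EOF
$hosts
EOF
    # Anything from the guarded subnet that matched no pair is dropped here;
    # the deny takes the number right after the last host, as in the thread.
    echo "add $n set $SET deny ip from any to any"
    echo "add 2000 set $SET allow ip from any to any"
}

# Stand-alone use: print the ruleset for the sample list.
gen_ipfw_rules "$ALLOWED_HOSTS"
```

Because every host rule is a skipto to 2000 and the deny follows them directly, a frame from 192.168.5.224/28 whose IP and source MAC do not appear together as one pair never reaches the captive portal rules. Hosts outside the guarded subnet are still passed by rule 1001, which is the thread's layout; tighten GUARDED_NET if the whole bridge should be pinned.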