4. Ipfw layer 2 filter without start captive portal

Ipfw layer 2 filter without start captive portal

  • J

    Hello.

    A cli php script for allow or deny mac in interface, with ipfw and  without start captive portal.

    Use:
    Hosting ipfw_enable_and_block_or_allow_mac.php in one dir, for example /scripts

    For deny mac origin 08:00:27🇩🇪18:c3 to mac dst 00:0c:29:5d:96:f1 in interface em0

    Execute from shell:

    php /scripts/ipfw_enable_and_block_or_allow_mac.php 'em0' '08:00:27:de:18:c3' '00:0c:29:5d:96:f1' 'deny'

    For allow:

    php /scripts/ipfw_enable_and_block_or_allow_mac.php 'em0' '08:00:27:de:18:c3' '00:0c:29:5d:96:f1' 'allow'

    The code: /scripts/ipfw_enable_and_block_or_allow_mac.php

    
/*
By Javier Castañón - @javcasta - 2016
https://javcasta.com/ - PIyMenta

How to enable ipfw without start captive portal
in pfSense 2.3.X for filter layer 2 - block or allow mac
---------------------------------------
You see more code about ipfw in "/etc/inc/captiveportal.inc"
---------------------------------------
mac origin 00:0c:29:5d:96:f1 - ip 10.168.0.254
mac dst 08:00:27:de:18:c3 -ip 10.168.0.14 if=em0

ipfw -q add deny MAC 00:0c:29:5d:96:f1 08:00:27:de:18:c3 mac-type ip,ipv6
--------------------------------------
*/
require_once("functions.inc");
require_once("filter.inc");

//cli
  $interfaz = $argv[1];
  $macorigen = $argv[2];
  $macdestino = $argv[3];
  $action = $argv[4];

if (count($argv) == 0) {echo "No arguments.\n"; exit;}
if (count($argv) < 5) {echo "This script need 4 arguments, see the code.\n"; exit;}

//data example
/*
$interfaz = "em0";
$macorigen = "08:00:27:de:18:c3";
$macdestino = "00:0c:29:5d:96:f1";
$action = "allow"; //deny
*/

//call to function
$doit = ipfw_enable_and_block_or_allow_mac($interfaz, $macorigen, $macdestino, $action);

function ipfw_enable_and_block_or_allow_mac($lainterfaz, $lamacorigen, $lamacdestino, $laaction) {
	//mute_kernel_msgs();
  //load module ipfw if is not loaded
	if (!is_module_loaded("ipfw.ko")) {
		mwexec("/sbin/kldload ipfw");
		/* make sure ipfw is not on pfil hooks */
		set_sysctl(array(
			"net.inet.ip.pfil.inbound" => "pf", "net.inet6.ip6.pfil.inbound" => "pf",
			"net.inet.ip.pfil.outbound" => "pf", "net.inet6.ip6.pfil.outbound" => "pf")
		);
	}
	/* Activate layer2 filtering */
	set_sysctl(array("net.link.ether.ipfw" => "1", "net.inet.ip.fw.one_pass" => "1"));

	/* Always load dummynet now that even allowed ip and mac passthrough use it. */
	if (!is_module_loaded("dummynet.ko")) {
		mwexec("/sbin/kldload dummynet");
		set_sysctl(array("net.inet.ip.dummynet.io_fast" => "1", "net.inet.ip.dummynet.hash_size" => "256"));
	}
  //create zone 111 -creamos la zona 111 - attention if already exist zone 111 this destroy before defined zone 111
  mwexec("/sbin/ipfw zone 111 create");
  //associate interface to zone - asociamos interfaz a la zona
  mwexec("/sbin/ipfw zone 111 madd $lainterfaz");
  //flush
  mwexec("/sbin/ipfw -x 111 -q flush"); 
  //add block o allow a la mac
  mwexec("/sbin/ipfw -x 111 -q add $laaction MAC $lamacdestino $lamacorigen mac-type ip,ipv6");
  //unmute_kernel_msgs();
  echo "Its $laaction the origin mac $lamacorigen to the dst mac $lamacdestino in interface $lainterfaz.\n";
}
?>

    Testing in pfSense 2.3.2 amd64

    Regards.

    ref: https://www.javcasta.com/pfsense-ipfw-layer-2-filter-sin-activar-portal-cautivo/

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy