Ipfw layer 2 filter without start captive portal

  • Hello.

    A cli php script for allow or deny mac in interface, with ipfw and  without start captive portal.

    Hosting ipfw_enable_and_block_or_allow_mac.php in one dir, for example /scripts

    For deny mac origin 08:00:27🇩🇪18:c3 to mac dst 00:0c:29:5d:96:f1 in interface em0

    Execute from shell:

    php /scripts/ipfw_enable_and_block_or_allow_mac.php 'em0' '08:00:27:de:18:c3' '00:0c:29:5d:96:f1' 'deny'

    For allow:

    php /scripts/ipfw_enable_and_block_or_allow_mac.php 'em0' '08:00:27:de:18:c3' '00:0c:29:5d:96:f1' 'allow'

    The code: /scripts/ipfw_enable_and_block_or_allow_mac.php

    By Javier Castañón - @javcasta - 2016
    https://javcasta.com/ - PIyMenta
    How to enable ipfw without start captive portal
    in pfSense 2.3.X for filter layer 2 - block or allow mac
    You see more code about ipfw in "/etc/inc/captiveportal.inc"
    mac origin 00:0c:29:5d:96:f1 - ip
    mac dst 08:00:27:de:18:c3 -ip if=em0
    ipfw -q add deny MAC 00:0c:29:5d:96:f1 08:00:27:de:18:c3 mac-type ip,ipv6
      $interfaz = $argv[1];
      $macorigen = $argv[2];
      $macdestino = $argv[3];
      $action = $argv[4];
    if (count($argv) == 0) {echo "No arguments.\n"; exit;}
    if (count($argv) < 5) {echo "This script need 4 arguments, see the code.\n"; exit;}
    //data example
    $interfaz = "em0";
    $macorigen = "08:00:27:de:18:c3";
    $macdestino = "00:0c:29:5d:96:f1";
    $action = "allow"; //deny
    //call to function
    $doit = ipfw_enable_and_block_or_allow_mac($interfaz, $macorigen, $macdestino, $action);
    function ipfw_enable_and_block_or_allow_mac($lainterfaz, $lamacorigen, $lamacdestino, $laaction) {
      //load module ipfw if is not loaded
    	if (!is_module_loaded("ipfw.ko")) {
    		mwexec("/sbin/kldload ipfw");
    		/* make sure ipfw is not on pfil hooks */
    			"net.inet.ip.pfil.inbound" => "pf", "net.inet6.ip6.pfil.inbound" => "pf",
    			"net.inet.ip.pfil.outbound" => "pf", "net.inet6.ip6.pfil.outbound" => "pf")
    	/* Activate layer2 filtering */
    	set_sysctl(array("net.link.ether.ipfw" => "1", "net.inet.ip.fw.one_pass" => "1"));
    	/* Always load dummynet now that even allowed ip and mac passthrough use it. */
    	if (!is_module_loaded("dummynet.ko")) {
    		mwexec("/sbin/kldload dummynet");
    		set_sysctl(array("net.inet.ip.dummynet.io_fast" => "1", "net.inet.ip.dummynet.hash_size" => "256"));
      //create zone 111 -creamos la zona 111 - attention if already exist zone 111 this destroy before defined zone 111
      mwexec("/sbin/ipfw zone 111 create");
      //associate interface to zone - asociamos interfaz a la zona
      mwexec("/sbin/ipfw zone 111 madd $lainterfaz");
      mwexec("/sbin/ipfw -x 111 -q flush"); 
      //add block o allow a la mac
      mwexec("/sbin/ipfw -x 111 -q add $laaction MAC $lamacdestino $lamacorigen mac-type ip,ipv6");
      echo "Its $laaction the origin mac $lamacorigen to the dst mac $lamacdestino in interface $lainterfaz.\n";

    Testing in pfSense 2.3.2 amd64


    ref: https://www.javcasta.com/pfsense-ipfw-layer-2-filter-sin-activar-portal-cautivo/

Log in to reply