    Ipfw layer 2 filter without start captive portal

    Firewalling
javcasta:

Hello.

A CLI PHP script to allow or deny a MAC on an interface, with ipfw and without starting the captive portal.

Use:
Host ipfw_enable_and_block_or_allow_mac.php in a directory, for example /scripts

To deny MAC origin 08:00:27:de:18:c3 to MAC dst 00:0c:29:5d:96:f1 on interface em0

Execute from the shell:

```sh
php /scripts/ipfw_enable_and_block_or_allow_mac.php 'em0' '08:00:27:de:18:c3' '00:0c:29:5d:96:f1' 'deny'
```

To allow:

```sh
php /scripts/ipfw_enable_and_block_or_allow_mac.php 'em0' '08:00:27:de:18:c3' '00:0c:29:5d:96:f1' 'allow'
```

The code: /scripts/ipfw_enable_and_block_or_allow_mac.php

      
      /*
      By Javier Castañón - @javcasta - 2016
      https://javcasta.com/ - PIyMenta
      
      How to enable ipfw without start captive portal
      in pfSense 2.3.X for filter layer 2 - block or allow mac
      ---------------------------------------
      You see more code about ipfw in "/etc/inc/captiveportal.inc"
      ---------------------------------------
      mac origin 00:0c:29:5d:96:f1 - ip 10.168.0.254
      mac dst 08:00:27:de:18:c3 -ip 10.168.0.14 if=em0
      
      ipfw -q add deny MAC 00:0c:29:5d:96:f1 08:00:27:de:18:c3 mac-type ip,ipv6
      --------------------------------------
      */
      require_once("functions.inc");
      require_once("filter.inc");
      
      //cli
        $interfaz = $argv[1];
        $macorigen = $argv[2];
        $macdestino = $argv[3];
        $action = $argv[4];
      
      if (count($argv) == 0) {echo "No arguments.\n"; exit;}
      if (count($argv) < 5) {echo "This script need 4 arguments, see the code.\n"; exit;}
      
      //data example
      /*
      $interfaz = "em0";
      $macorigen = "08:00:27:de:18:c3";
      $macdestino = "00:0c:29:5d:96:f1";
      $action = "allow"; //deny
      */
      
      //call to function
      $doit = ipfw_enable_and_block_or_allow_mac($interfaz, $macorigen, $macdestino, $action);
      
      function ipfw_enable_and_block_or_allow_mac($lainterfaz, $lamacorigen, $lamacdestino, $laaction) {
      	//mute_kernel_msgs();
        //load module ipfw if is not loaded
      	if (!is_module_loaded("ipfw.ko")) {
      		mwexec("/sbin/kldload ipfw");
      		/* make sure ipfw is not on pfil hooks */
      		set_sysctl(array(
      			"net.inet.ip.pfil.inbound" => "pf", "net.inet6.ip6.pfil.inbound" => "pf",
      			"net.inet.ip.pfil.outbound" => "pf", "net.inet6.ip6.pfil.outbound" => "pf")
      		);
      	}
      	/* Activate layer2 filtering */
      	set_sysctl(array("net.link.ether.ipfw" => "1", "net.inet.ip.fw.one_pass" => "1"));
      
      	/* Always load dummynet now that even allowed ip and mac passthrough use it. */
      	if (!is_module_loaded("dummynet.ko")) {
      		mwexec("/sbin/kldload dummynet");
      		set_sysctl(array("net.inet.ip.dummynet.io_fast" => "1", "net.inet.ip.dummynet.hash_size" => "256"));
      	}
        //create zone 111 -creamos la zona 111 - attention if already exist zone 111 this destroy before defined zone 111
        mwexec("/sbin/ipfw zone 111 create");
        //associate interface to zone - asociamos interfaz a la zona
        mwexec("/sbin/ipfw zone 111 madd $lainterfaz");
        //flush
        mwexec("/sbin/ipfw -x 111 -q flush"); 
        //add block o allow a la mac
        mwexec("/sbin/ipfw -x 111 -q add $laaction MAC $lamacdestino $lamacorigen mac-type ip,ipv6");
        //unmute_kernel_msgs();
        echo "Its $laaction the origin mac $lamacorigen to the dst mac $lamacdestino in interface $lainterfaz.\n";
      }
      ?>
      
      

Tested on pfSense 2.3.2 amd64

Regards.

      ref: https://www.javcasta.com/pfsense-ipfw-layer-2-filter-sin-activar-portal-cautivo/
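As an added example (not part of javcasta's post or of pfSense), a POSIX shell dry run that validates the same four arguments and prints the ipfw zone-111 command sequence the PHP script issues, so the rule text can be reviewed before it touches the kernel; the function and variable names are assumptions.

```shell
#!/bin/sh
# Added example, not the original script: build (do not run) the ipfw commands
# for zone 111 after checking the inputs, since they end up on a shell command line.

MAC_RE='^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'

# valid_mac MAC -> exit 0 if MAC is six colon-separated hex octets
valid_mac() {
    printf '%s\n' "$1" | grep -Eq "$MAC_RE"
}

# ipfw_mac_rules IFACE SRC_MAC DST_MAC ACTION
# Prints one ipfw command per line, or fails with a message on stderr.
# Note the ipfw MAC operand order: destination MAC first, then source MAC.
ipfw_mac_rules() {
    iface=$1; src=$2; dst=$3; action=$4
    case "$action" in
        allow|deny) ;;
        *) echo "action must be allow or deny" >&2; return 1 ;;
    esac
    case "$iface" in
        ''|*[!a-zA-Z0-9_.]*) echo "bad interface name" >&2; return 1 ;;
    esac
    valid_mac "$src" && valid_mac "$dst" || { echo "bad MAC address" >&2; return 1; }
    printf '%s\n' \
        "/sbin/ipfw zone 111 create" \
        "/sbin/ipfw zone 111 madd $iface" \
        "/sbin/ipfw -x 111 -q flush" \
        "/sbin/ipfw -x 111 -q add $action MAC $dst $src mac-type ip,ipv6"
}

# Dry run with the constructed values from the post (source 08:00:27:de:18:c3, dest 00:0c:29:5d:96:f1)
ipfw_mac_rules em0 08:00:27:de:18:c3 00:0c:29:5d:96:f1 deny
```

Once the printed lines look right, the real change is still made with the PHP script above; a quick check afterwards is `ipfw -x 111 list`.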
