Netgate Discussion Forum
    Ipfw layer 2 filter without start captive portal

      javcasta

      Hello.

      A CLI PHP script to allow or deny a MAC on an interface with ipfw, without starting the captive portal.

      Use:
      Put ipfw_enable_and_block_or_allow_mac.php in a directory, for example /scripts

      To deny source MAC 08:00:27:de:18:c3 to destination MAC 00:0c:29:5d:96:f1 on interface em0

      Execute from shell:

      php /scripts/ipfw_enable_and_block_or_allow_mac.php 'em0' '08:00:27:de:18:c3' '00:0c:29:5d:96:f1' 'deny'
      
      

      For allow:

      php /scripts/ipfw_enable_and_block_or_allow_mac.php 'em0' '08:00:27:de:18:c3' '00:0c:29:5d:96:f1' 'allow'
      

      The code: /scripts/ipfw_enable_and_block_or_allow_mac.php

```php
<?php
/*
By Javier Castañón - @javcasta - 2016
https://javcasta.com/ - PIyMenta

How to enable ipfw without starting the captive portal
in pfSense 2.3.X, for layer 2 filtering - block or allow a MAC
---------------------------------------
See more ipfw code in "/etc/inc/captiveportal.inc"
---------------------------------------
source mac 00:0c:29:5d:96:f1 - ip 10.168.0.254
dst mac    08:00:27:de:18:c3 - ip 10.168.0.14  if=em0

ipfw operand order is "MAC dst-mac src-mac":
ipfw -q add deny MAC 08:00:27:de:18:c3 00:0c:29:5d:96:f1 mac-type ip,ipv6
--------------------------------------
*/
require_once("functions.inc");
require_once("filter.inc");

// cli: interface, source mac, destination mac, action (allow|deny)
if (count($argv) < 5) {
	echo "This script needs 4 arguments: <ifname> <src-mac> <dst-mac> allow|deny\n";
	exit(1);
}
$interfaz   = $argv[1];
$macorigen  = $argv[2];
$macdestino = $argv[3];
$action     = $argv[4];

// The arguments end up in shell commands via mwexec(), so accept only well-formed values.
$mac_re = '/^([0-9a-f]{2}:){5}[0-9a-f]{2}$/i';
if (!preg_match('/^[a-z0-9_.]+$/i', $interfaz) ||
    !preg_match($mac_re, $macorigen) || !preg_match($mac_re, $macdestino) ||
    !in_array($action, array("allow", "deny"), true)) {
	echo "Bad argument: expected <ifname> <src-mac> <dst-mac> allow|deny\n";
	exit(1);
}

//data example
/*
$interfaz = "em0";
$macorigen = "08:00:27:de:18:c3";
$macdestino = "00:0c:29:5d:96:f1";
$action = "allow"; //deny
*/

//call to function
$doit = ipfw_enable_and_block_or_allow_mac($interfaz, $macorigen, $macdestino, $action);
exit($doit ? 0 : 1);

function ipfw_enable_and_block_or_allow_mac($lainterfaz, $lamacorigen, $lamacdestino, $laaction) {
	//mute_kernel_msgs();
	// load the ipfw module if it is not loaded
	if (!is_module_loaded("ipfw.ko")) {
		mwexec("/sbin/kldload ipfw");
		/* make sure ipfw is not on pfil hooks: pf stays the IP firewall */
		set_sysctl(array(
			"net.inet.ip.pfil.inbound" => "pf", "net.inet6.ip6.pfil.inbound" => "pf",
			"net.inet.ip.pfil.outbound" => "pf", "net.inet6.ip6.pfil.outbound" => "pf")
		);
	}
	/* Activate layer2 filtering */
	set_sysctl(array("net.link.ether.ipfw" => "1", "net.inet.ip.fw.one_pass" => "1"));

	/* Always load dummynet now that even allowed ip and mac passthrough use it. */
	if (!is_module_loaded("dummynet.ko")) {
		mwexec("/sbin/kldload dummynet");
		set_sysctl(array("net.inet.ip.dummynet.io_fast" => "1", "net.inet.ip.dummynet.hash_size" => "256"));
	}
	// create zone 111 - attention: if zone 111 already exists, this destroys the previously defined zone 111
	mwexec("/sbin/ipfw zone 111 create");
	// associate the interface to the zone
	mwexec("/sbin/ipfw zone 111 madd " . escapeshellarg($lainterfaz));
	// flush the zone's rules
	mwexec("/sbin/ipfw -x 111 -q flush");
	// add the allow/deny rule; ipfw syntax is MAC dst-mac src-mac
	$rc = mwexec("/sbin/ipfw -x 111 -q add $laaction MAC $lamacdestino $lamacorigen mac-type ip,ipv6");
	//unmute_kernel_msgs();
	if ($rc != 0) {
		echo "ipfw returned $rc; rule not added.\n";
		return false;
	}
	echo "Rule added: $laaction source mac $lamacorigen to dst mac $lamacdestino on interface $lainterfaz.\n";
	return true;
}
?>
```
      
      

      Tested on pfSense 2.3.2 amd64

      Regards.

      ref: https://www.javcasta.com/pfsense-ipfw-layer-2-filter-sin-activar-portal-cautivo/

      Javier Castañón
      Communications, support and systems technician.

      My website: https://javcasta.com/

      Scripting/pfSense support: https://javcasta.com/soporte/
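The same procedure driven straight from the pfSense shell, as an added example that is not part of the original post or the author's script: it validates the four arguments before they reach any command line (the PHP script above passes argv into mwexec() unchecked), installs the rule in the ipfw "MAC dst-mac src-mac" operand order, and finishes with a verification step. It assumes the pfSense 2.3 ipfw build with the `zone N create` / `zone N madd` / `-x N` context syntax the post uses, and reuses the post's zone id 111; both are assumptions, and the function and file names are illustrative.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the pfSense 2.3 ipfw
# build with the "zone N create/madd" and "-x N" context syntax the post uses,
# and reuses the post's zone id 111 (both assumptions).
set -e

ZONE=111

# is_mac ADDR: succeed only for a colon-separated 48-bit MAC (case-insensitive)
is_mac() {
	printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# is_ifname NAME: pfSense interface names such as em0, igb1, em0_vlan10
is_ifname() {
	printf '%s\n' "$1" | grep -Eqi '^[a-z0-9_.]+$'
}

# is_action WORD: the only two ipfw actions this script is meant to emit
is_action() {
	case "$1" in
		allow|deny) return 0 ;;
		*)          return 1 ;;
	esac
}

# build_rule IF SRC DST ACTION: print the ipfw rule body, or fail on bad input.
# ipfw's operand order is "MAC dst-mac src-mac", so DST is printed before SRC.
build_rule() {
	is_ifname "$1" || { echo "bad interface: $1" >&2; return 1; }
	is_mac "$2"    || { echo "bad source MAC: $2" >&2; return 1; }
	is_mac "$3"    || { echo "bad destination MAC: $3" >&2; return 1; }
	is_action "$4" || { echo "action must be allow or deny: $4" >&2; return 1; }
	printf 'add %s MAC %s %s mac-type ip,ipv6\n' "$4" "$3" "$2"
}

# apply_rule IF SRC DST ACTION: enable ipfw layer-2 filtering, put IF in the
# zone and install the rule. Needs root on the pfSense box.
apply_rule() {
	rule=$(build_rule "$@") || return 1
	if ! kldstat -q -m ipfw; then
		kldload ipfw
		# keep ipfw off the pfil hooks so pf stays the IP firewall (as the post does)
		sysctl net.inet.ip.pfil.inbound=pf net.inet6.ip6.pfil.inbound=pf \
		       net.inet.ip.pfil.outbound=pf net.inet6.ip6.pfil.outbound=pf
	fi
	sysctl net.link.ether.ipfw=1 net.inet.ip.fw.one_pass=1
	kldstat -q -m dummynet || kldload dummynet
	ipfw zone "$ZONE" create
	ipfw zone "$ZONE" madd "$1"
	ipfw -x "$ZONE" -q flush
	# $rule holds only validated tokens, so the unquoted expansion is intended
	ipfw -x "$ZONE" -q $rule
	# verify: the rule must now show up in the zone's ruleset, dst before src
	ipfw -x "$ZONE" list | grep -Fi "MAC $3 $2"
}

# usage: sh ipfw_mac_rule.sh em0 08:00:27:de:18:c3 00:0c:29:5d:96:f1 deny
if [ "$#" -eq 4 ]; then
	apply_rule "$@"
fi
```

Running it with a malformed MAC, an unknown action, or an interface name containing shell metacharacters stops at build_rule with a message on stderr and nothing is executed; the final grep fails the script if ipfw accepted the command but the rule is not listed in zone 111.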

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.