Ipfw layer 2 filter without start captive portal
Hello.
A CLI PHP script to allow or deny a MAC address on an interface, using ipfw and without starting the captive portal.
Usage:
Place ipfw_enable_and_block_or_allow_mac.php in a directory, for example /scripts.
To deny traffic from source MAC 08:00:27:de:18:c3 to destination MAC 00:0c:29:5d:96:f1 on interface em0,
execute from the shell:
php /scripts/ipfw_enable_and_block_or_allow_mac.php 'em0' '08:00:27:de:18:c3' '00:0c:29:5d:96:f1' 'deny'
To allow it instead:
php /scripts/ipfw_enable_and_block_or_allow_mac.php 'em0' '08:00:27:de:18:c3' '00:0c:29:5d:96:f1' 'allow'
The code: /scripts/ipfw_enable_and_block_or_allow_mac.php
<?php
/*
 By Javier Castañón - @javcasta - 2016 https://javcasta.com/ - PIyMenta
 How to enable ipfw without starting the captive portal in pfSense 2.3.X
 for layer 2 filtering - block or allow a MAC
 ---------------------------------------
 You can see more code about ipfw in "/etc/inc/captiveportal.inc"
 ---------------------------------------
 mac origin 00:0c:29:5d:96:f1 - ip 10.168.0.254
 mac dst    08:00:27:de:18:c3 - ip 10.168.0.14
 if=em0
 ipfw -q add deny MAC 00:0c:29:5d:96:f1 08:00:27:de:18:c3 mac-type ip,ipv6
 --------------------------------------
*/
require_once("functions.inc");
require_once("filter.inc");

// cli: check the argument count before reading the arguments
if (count($argv) < 5) {
    echo "This script needs 4 arguments: interface, source mac, destination mac, allow|deny.\n";
    exit(1);
}
$interfaz   = $argv[1];
$macorigen  = $argv[2];
$macdestino = $argv[3];
$action     = $argv[4];

// data example
/*
$interfaz   = "em0";
$macorigen  = "08:00:27:de:18:c3";
$macdestino = "00:0c:29:5d:96:f1";
$action     = "allow"; // deny
*/

// call the function
ipfw_enable_and_block_or_allow_mac($interfaz, $macorigen, $macdestino, $action);

function ipfw_enable_and_block_or_allow_mac($lainterfaz, $lamacorigen, $lamacdestino, $laaction) {
    //mute_kernel_msgs();
    // load the ipfw module if it is not loaded
    if (!is_module_loaded("ipfw.ko")) {
        mwexec("/sbin/kldload ipfw");
        /* make sure ipfw is not on pfil hooks */
        set_sysctl(array(
            "net.inet.ip.pfil.inbound"    => "pf",
            "net.inet6.ip6.pfil.inbound"  => "pf",
            "net.inet.ip.pfil.outbound"   => "pf",
            "net.inet6.ip6.pfil.outbound" => "pf"));
    }
    /* Activate layer2 filtering */
    set_sysctl(array("net.link.ether.ipfw" => "1", "net.inet.ip.fw.one_pass" => "1"));
    /* Always load dummynet now that even allowed ip and mac passthrough use it. */
    if (!is_module_loaded("dummynet.ko")) {
        mwexec("/sbin/kldload dummynet");
        set_sysctl(array("net.inet.ip.dummynet.io_fast" => "1", "net.inet.ip.dummynet.hash_size" => "256"));
    }
    // create zone 111 - attention: if zone 111 already exists, this destroys the previously defined zone 111
    mwexec("/sbin/ipfw zone 111 create");
    // associate the interface with the zone
    mwexec("/sbin/ipfw zone 111 madd $lainterfaz");
    // flush the zone's rules
    mwexec("/sbin/ipfw -x 111 -q flush");
    // add the block or allow rule for the mac pair; ipfw's MAC keyword takes the destination mac first, then the source
    mwexec("/sbin/ipfw -x 111 -q add $laaction MAC $lamacdestino $lamacorigen mac-type ip,ipv6");
    //unmute_kernel_msgs();
    echo "Applied $laaction from origin mac $lamacorigen to dst mac $lamacdestino on interface $lainterfaz.\n";
}
?>
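The script above interpolates its four arguments straight into the mwexec() command strings. The POSIX sh wrapper below is an added example, not the post's script or pfSense code: it runs the same ipfw sequence (zone create, madd, flush, add) but checks that each argument is a well-formed interface name, MAC address or action before anything reaches a command line, and it can be dry-run with IPFW_DRY_RUN=1 to show the commands it would issue. It assumes the pfSense-patched ipfw with zone support, zone 111 as in the post, and that ipfw and dummynet are already loaded with net.link.ether.ipfw=1 (the PHP script does that part); the script name l2filter.sh and the IPFW_DRY_RUN variable are this example's own.

```shell
#!/bin/sh
# Added example (not the post's script): validated wrapper around the same
# ipfw layer-2 commands. Assumes pfSense-patched ipfw with zone support and
# that the ipfw/dummynet modules and net.link.ether.ipfw=1 are already set up.
# Usage: l2filter.sh <iface> <src-mac> <dst-mac> allow|deny
#        IPFW_DRY_RUN=1 prints the commands instead of running them.

ZONE=111   # same zone number the post's script uses

# is_mac: exactly six colon-separated hex octets, nothing else
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# is_ifname: a FreeBSD interface name (em0, igb1, lagg0, em0.100), at most
# IFNAMSIZ-1 = 15 characters and no shell metacharacters
is_ifname() {
    [ "${#1}" -le 15 ] &&
        printf '%s\n' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9_.]*$'
}

# is_action: only the two ipfw actions this wrapper is meant to emit
is_action() {
    [ "$1" = allow ] || [ "$1" = deny ]
}

# run: execute the command, or print it when IPFW_DRY_RUN=1
run() {
    if [ "${IPFW_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# l2_filter IFACE SRC_MAC DST_MAC ACTION
# Returns 2 on invalid input without touching ipfw; otherwise returns the
# status of the last ipfw command.
l2_filter() {
    iface=$1; src=$2; dst=$3; action=$4
    is_ifname "$iface"  || { echo "invalid interface name: $iface" >&2; return 2; }
    is_mac "$src"       || { echo "invalid source MAC: $src" >&2; return 2; }
    is_mac "$dst"       || { echo "invalid destination MAC: $dst" >&2; return 2; }
    is_action "$action" || { echo "action must be allow or deny" >&2; return 2; }

    run /sbin/ipfw zone "$ZONE" create || return
    run /sbin/ipfw zone "$ZONE" madd "$iface" || return
    # flush empties the whole zone, so only the rule added below survives
    run /sbin/ipfw -x "$ZONE" -q flush || return
    # ipfw's MAC keyword takes the destination MAC first, then the source
    run /sbin/ipfw -x "$ZONE" -q add "$action" MAC "$dst" "$src" mac-type ip,ipv6
}

# Run directly only when called with the four arguments
if [ $# -eq 4 ]; then
    l2_filter "$@"
fi
```

Because the zone is flushed on every run, a second invocation for another MAC pair replaces the first rule rather than adding to it; to filter several pairs, drop the flush and issue one add per pair, or verify the result with `ipfw -x 111 list` after each run.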
Tested on pfSense 2.3.2 amd64.
Regards.
ref: https://www.javcasta.com/pfsense-ipfw-layer-2-filter-sin-activar-portal-cautivo/