How to make pfSense a MAC+IP firewall?



  • I use pfSense to create a bridge (opt1 + opt2).

    I want to configure firewall rules so that only the PC whose "MAC" and "IP" match the firewall rules is permitted to pass the pfSense bridge.

    Can someone show me this?

    For example:

    when 192.168.0.100 + 00:24:01:25:ed:ae is in the pfSense rules, that PC is permitted to pass the pfSense bridge.





  • @kasaku:

    I use pfSense to create a bridge (opt1 + opt2).

    I want to configure firewall rules so that only the PC whose "MAC" and "IP" match the firewall rules is permitted to pass the pfSense bridge.

    Can someone show me this?

    For example:

    when 192.168.0.100 + 00:24:01:25:ed:ae is in the pfSense rules, that PC is permitted to pass the pfSense bridge.

    The ipfw firewall does what you want. The easiest way to get ipfw running on pfSense is to turn on the captive portal. Unfortunately, then you are running the captive portal…

    What I ended up doing was turning on the captive portal with a zone that does nothing.  I called it "dummy". Then I created my own set of rules that execute before the captive portal rules. All traffic is either passed or dropped before getting to the captive portal rules. I slightly modified the "captiveportal.inc" file to include my rules by executing a shell script that writes my rules to standard out. The shell script is executed within captiveportal.inc when it is building the ipfw rules.  The patch for captiveportal.inc is attached.

    --- /home/rjcrowder/dev/pfsense_2.1/base_mods/etc/inc//captiveportal.inc	2013-07-31 19:19:27.029646791 -0400
    +++ /home/rjcrowder/dev/pfsense_2.1/base_mods/etc/inc//captiveportal.inc.new	2013-07-31 19:19:02.193645849 -0400
    @@ -565,6 +565,12 @@
    
     EOD;
    
    +	/* RJC - 01.15.2013 - Custom rules to be added */
    +	/* begin modification */
    +	$customrules = shell_exec('/usr/local/ipfw_custom_rules/ipfw_custom_rules');
    +        $cprules .= $customrules;
    +	/* end modification */
    +
     	/* generate passthru mac database */
     	$cprules .= captiveportal_passthrumac_configure(true);
     	$cprules .= "\n";
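    Review bot: the result of shell_exec() is appended to $cprules without checking that /usr/local/ipfw_custom_rules/ipfw_custom_rules exists and is executable; if the script is missing, not executable, or prints nothing, shell_exec() returns NULL or an empty string and the custom rules are silently omitted, so the rule set reverts to the captive portal rules alone with no log entry. Consider guarding the call, e.g. `if (is_executable('/usr/local/ipfw_custom_rules/ipfw_custom_rules')) { $cprules .= shell_exec(...); } else { log_error("ipfw custom rules script not found, MAC+IP rules not loaded"); }`, so the failure is visible. Also, everything the script writes to standard output becomes ipfw rule text, so any diagnostic the script prints must go to stderr. Style: `$cprules .= $customrules;` is indented with spaces while the surrounding lines use tabs, and the comment date 01.15.2013 does not match the July 2013 file timestamps.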
    
    


  • Some further info… if you turn on the captive portal by creating a zone called "dummy" and then run "ipfw -x dummy list", this is what you will see:

    65291 allow pfsync from any to any
    65292 allow carp from any to any
    65301 allow ip from any to any layer2 mac-type 0x0806,0x8035
    65302 allow ip from any to any layer2 mac-type 0x888e,0x88c7
    65303 allow ip from any to any layer2 mac-type 0x8863,0x8864
    65307 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
    65310 allow ip from any to { 255.255.255.255 or 192.168.5.1 } in
    65311 allow ip from { 255.255.255.255 or 192.168.5.1 } to any out
    65312 allow icmp from { 255.255.255.255 or 192.168.5.1 } to any out icmptypes 0
    65313 allow icmp from any to { 255.255.255.255 or 192.168.5.1 } in icmptypes 8
    65314 pipe tablearg ip from table(3) to any in
    65315 pipe tablearg ip from any to table(4) in
    65316 pipe tablearg ip from table(3) to any out
    65317 pipe tablearg ip from any to table(4) out
    65318 pipe tablearg ip from table(1) to any in
    65319 pipe tablearg ip from any to table(2) out
    65532 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
    65533 allow tcp from any to any out
    65534 deny ip from any to any
    65535 allow ip from any to any
    
    

    This is the output of my shell script (writes to standard out).

    add 10 set 20 skipto 1000 all from any to any layer2 in recv em0
    add 11 set 20 skipto 2000 all from any to any not layer2
    add 12 set 20 skipto 2000 all from any to any layer2
    add 1000 set 20 skipto 1100 ip from 192.168.5.224/28 to any
    add 1001 set 20 skipto 2000 ip from any to any
    add 1100 set 20 skipto 2000 all from 192.168.5.128 to any MAC any 00:24:d7:98:b4:cc
    add 1101 set 20 skipto 2000 all from 192.168.5.129 to any MAC any 24:77:03:23:3c:e4
    add 1102 set 20 skipto 2000 all from 192.168.5.130 to any MAC any 5c:da:d4:2a:ae:65
    add 1103 set 20 skipto 2000 all from 192.168.5.136 to any MAC any e0:f8:47:0b:d5:20
    add 1104 set 20 skipto 2000 all from 192.168.5.137 to any MAC any cc:78:5f:61:7b:b4
    add 1105 set 20 skipto 2000 all from 192.168.5.144 to any MAC any 68:a8:6d:27:3f:d8
    add 1106 set 20 skipto 2000 all from 192.168.5.145 to any MAC any 38:0f:4a:02:db:db
    add 1107 set 20 skipto 2000 all from 192.168.5.153 to any MAC any 4c:eb:42:01:1e:63
    add 1108 set 20 skipto 2000 all from 192.168.5.154 to any MAC any 00:c6:10:ee:a9:ef
    add 1109 set 20 skipto 2000 all from 192.168.5.160 to any MAC any 00:18:de:b4:3a:b4
    add 1110 set 20 skipto 2000 all from 192.168.5.161 to any MAC any 00:25:bc:eb:d1:e9
    add 1111 set 20 skipto 2000 all from 192.168.5.168 to any MAC any 00:21:5c:99:45:bf
    add 1112 set 20 skipto 2000 all from 192.168.5.169 to any MAC any 00:26:08:0f:53:fd
    add 1113 set 20 skipto 2000 all from 192.168.5.170 to any MAC any 14:10:9f:49:f8:66
    add 1114 set 20 skipto 2000 all from 192.168.5.176 to any MAC any 30:f7:c5:a1:89:c1
    add 1115 set 20 skipto 2000 all from 192.168.5.177 to any MAC any 98:fe:94:a6:32:89
    add 1116 set 20 skipto 2000 all from 192.168.5.178 to any MAC any 00:25:56:b5:6b:3e
    add 1117 set 20 skipto 2000 all from 192.168.5.184 to any MAC any 00:40:f4:a0:27:25
    add 1118 set 20 skipto 2000 all from 192.168.5.208 to any MAC any 00:22:58:7b:85:97
    add 1119 set 20 skipto 2000 all from 192.168.5.209 to any MAC any 00:1c:c0:8c:83:5f
    add 1120 set 20 skipto 2000 all from 192.168.5.224 to any MAC any f8:d1:11:5a:be:5e
    add 1121 set 20 skipto 2000 all from 192.168.5.225 to any MAC any 00:0d:4b:bd:d1:61
    add 1122 set 20 skipto 2000 all from 192.168.5.226 to any MAC any 00:0d:4b:df:c1:3d
    add 1123 set 20 skipto 2000 all from 192.168.5.227 to any MAC any cc:6d:a0:1f:a5:11
    add 1124 set 20 skipto 2000 all from 192.168.5.228 to any MAC any 00:0d:4b:e8:1e:59
    add 1125 set 20 skipto 2000 all from 192.168.5.229 to any MAC any ec:88:8f:dc:8f:6a
    add 1126 set 20 skipto 2000 all from 192.168.5.232 to any MAC any f8:d1:11:7f:4e:4e
    add 1127 set 20 deny ip from any to any
    add 2000 set 20 allow ip from any to any
    
    

    After the additional rules are added by captiveportal.inc as I described in the previous post… this is what I end up with (again doing ipfw -x dummy list). You can see that rule 2000 allows all traffic through before the captiveportal rules are executed. Obviously, you could execute your own rules and still allow the captive portal to function if you wanted to.

    00010 skipto 1000 ip from any to any layer2 in recv em0
    00011 skipto 2000 ip from any to any not layer2
    00012 skipto 2000 ip from any to any layer2
    01000 skipto 1100 ip from 192.168.5.224/28 to any
    01001 skipto 2000 ip from any to any
    01100 skipto 2000 ip from 192.168.5.128 to any MAC any 00:24:d7:98:b4:cc
    01101 skipto 2000 ip from 192.168.5.129 to any MAC any 24:77:03:23:3c:e4
    01102 skipto 2000 ip from 192.168.5.130 to any MAC any 5c:da:d4:2a:ae:65
    01103 skipto 2000 ip from 192.168.5.136 to any MAC any e0:f8:47:0b:d5:20
    01104 skipto 2000 ip from 192.168.5.137 to any MAC any cc:78:5f:61:7b:b4
    01105 skipto 2000 ip from 192.168.5.144 to any MAC any 68:a8:6d:27:3f:d8
    01106 skipto 2000 ip from 192.168.5.145 to any MAC any 38:0f:4a:02:db:db
    01107 skipto 2000 ip from 192.168.5.153 to any MAC any 4c:eb:42:01:1e:63
    01108 skipto 2000 ip from 192.168.5.154 to any MAC any 00:c6:10:ee:a9:ef
    01109 skipto 2000 ip from 192.168.5.160 to any MAC any 00:18:de:b4:3a:b4
    01110 skipto 2000 ip from 192.168.5.161 to any MAC any 00:25:bc:eb:d1:e9
    01111 skipto 2000 ip from 192.168.5.168 to any MAC any 00:21:5c:99:45:bf
    01112 skipto 2000 ip from 192.168.5.169 to any MAC any 00:26:08:0f:53:fd
    01113 skipto 2000 ip from 192.168.5.170 to any MAC any 14:10:9f:49:f8:66
    01114 skipto 2000 ip from 192.168.5.176 to any MAC any 30:f7:c5:a1:89:c1
    01115 skipto 2000 ip from 192.168.5.177 to any MAC any 98:fe:94:a6:32:89
    01116 skipto 2000 ip from 192.168.5.178 to any MAC any 00:25:56:b5:6b:3e
    01117 skipto 2000 ip from 192.168.5.184 to any MAC any 00:40:f4:a0:27:25
    01118 skipto 2000 ip from 192.168.5.208 to any MAC any 00:22:58:7b:85:97
    01119 skipto 2000 ip from 192.168.5.209 to any MAC any 00:1c:c0:8c:83:5f
    01120 skipto 2000 ip from 192.168.5.224 to any MAC any f8:d1:11:5a:be:5e
    01121 skipto 2000 ip from 192.168.5.225 to any MAC any 00:0d:4b:bd:d1:61
    01122 skipto 2000 ip from 192.168.5.226 to any MAC any 00:0d:4b:df:c1:3d
    01123 skipto 2000 ip from 192.168.5.227 to any MAC any cc:6d:a0:1f:a5:11
    01124 skipto 2000 ip from 192.168.5.228 to any MAC any 00:0d:4b:e8:1e:59
    01125 skipto 2000 ip from 192.168.5.229 to any MAC any ec:88:8f:dc:8f:6a
    01126 skipto 2000 ip from 192.168.5.232 to any MAC any f8:d1:11:7f:4e:4e
    01127 deny ip from any to any
    02000 allow ip from any to any
    65291 allow pfsync from any to any
    65292 allow carp from any to any
    65301 allow ip from any to any layer2 mac-type 0x0806,0x8035
    65302 allow ip from any to any layer2 mac-type 0x888e,0x88c7
    65303 allow ip from any to any layer2 mac-type 0x8863,0x8864
    65307 deny ip from any to any layer2 not mac-type 0x0800,0x86dd
    65310 allow ip from any to { 255.255.255.255 or 192.168.5.1 } in
    65311 allow ip from { 255.255.255.255 or 192.168.5.1 } to any out
    65312 allow icmp from { 255.255.255.255 or 192.168.5.1 } to any out icmptypes 0
    65313 allow icmp from any to { 255.255.255.255 or 192.168.5.1 } in icmptypes 8
    65314 pipe tablearg ip from table(3) to any in
    65315 pipe tablearg ip from any to table(4) in
    65316 pipe tablearg ip from table(3) to any out
    65317 pipe tablearg ip from any to table(4) out
    65318 pipe tablearg ip from table(1) to any in
    65319 pipe tablearg ip from any to table(2) out
    65532 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
    65533 allow tcp from any to any out
    65534 deny ip from any to any
    65535 allow ip from any to any
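The generator that the two replies above describe, written out as an added example (this is not the poster's script, which is not shown on the page): a POSIX sh script that reads "IP MAC" pairs from standard input and prints the rule set in the same skipto structure as the listing above, suitable for the shell_exec() call in the patched captiveportal.inc. The interface name em0, the protected range 192.168.5.224/28, ipfw set 20 and the rule numbers 10-12, 1000-1001, 1100+ and 2000 are taken from the listing; the host list is constructed sample data, and the per-entry validation (malformed lines are reported on stderr and dropped instead of being handed to ipfw as rule text) is an addition, not something the thread's script is stated to do.

```shell
#!/bin/sh
# Added example, not the forum poster's script: emit the ipfw rule set shown in
# the thread from a list of "IP MAC" pairs read on standard input.
# Assumed from the listing: the bridge member facing the hosts is em0, the
# protected range is 192.168.5.224/28, ipfw set 20 is unused, and rules
# 10-12, 1000-1001, 1100+ and 2000 are free. The host list is constructed data.

# Constructed sample allow-list: "ip mac" per line, with two deliberately
# malformed entries to show that they are rejected rather than passed to ipfw.
SAMPLE_HOSTS='192.168.5.225 00:0d:4b:bd:d1:61
192.168.5.226 00:0D:4B:DF:C1:3D
bad-line
192.168.5.227 zz:zz:zz:zz:zz:zz'

# valid_ip ADDR: true for a dotted quad with every octet in 0-255.
valid_ip() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# valid_mac ADDR: true for six colon-separated lower-case hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# gen_rules IFACE SUBNET: read "ip mac" pairs from stdin and print rules.
# Structure as in the thread: rule 10 diverts layer-2 frames received on
# IFACE to the check at 1000; 1000 sends only sources inside SUBNET to the
# MAC table at 1100; a source in SUBNET that matches no IP+MAC pair reaches
# the deny; everything else lands on 2000 (allow) ahead of the portal rules.
gen_rules() {
    iface=$1
    subnet=$2
    echo "add 10 set 20 skipto 1000 all from any to any layer2 in recv $iface"
    echo "add 11 set 20 skipto 2000 all from any to any not layer2"
    echo "add 12 set 20 skipto 2000 all from any to any layer2"
    echo "add 1000 set 20 skipto 1100 ip from $subnet to any"
    echo "add 1001 set 20 skipto 2000 ip from any to any"
    n=1100
    while read -r ip mac extra; do
        [ -z "$ip" ] && continue                 # blank line
        case $ip in '#'*) continue ;; esac       # comment line
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        if ! valid_ip "$ip" || ! valid_mac "$mac"; then
            # report on stderr only: stdout is the rule text ipfw will load
            echo "gen_rules: skipping malformed entry: $ip $mac" >&2
            continue
        fi
        # keep the final deny below rule 2000; 1100-1999 leaves room for 899 hosts
        if [ "$n" -ge 1999 ]; then
            echo "gen_rules: too many hosts for the 1100-1999 range" >&2
            return 1
        fi
        echo "add $n set 20 skipto 2000 all from $ip to any MAC any $mac"
        n=$((n + 1))
    done
    echo "add $n set 20 deny ip from any to any"
    echo "add 2000 set 20 allow ip from any to any"
}

# Stand-alone run: print the rules for the constructed sample list.
printf '%s\n' "$SAMPLE_HOSTS" | gen_rules em0 192.168.5.224/28
```

Installed at the path the patch calls, with the host list read from a file instead of the embedded sample, the script produces the same text the thread shows, and the two malformed lines in the sample appear only as stderr messages. Two properties of this rule structure are worth keeping in mind when deploying it: only sources inside the /28 ever reach the deny (every other source on em0 is allowed by rule 1001 and 2000), and an IP+MAC binding only catches a host that has one of the two wrong, so it works as an inventory check rather than as authentication.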
    
    
