# IPFW + Mac Address



## jabj (Jun 23, 2013)

Hello.

I have installed FreeBSD 9.1 for my company, and it is running smoothly. I have implemented DHCP and Squid control by MAC. I want to continue using ipfw with IP and would like to add access control via MAC address to it. In my searches on the internet I came across this forum. In this case, please help me.

I want to release a certain MAC address for navigation from anywhere to anywhere including port 443. I do not want to have to change my rules for IP which are functioning perfectly.

How could I do this? Do I have to enable or compile something in FreeBSD in addition to the rules? What would be the syntax of the rule?

I'm sorry for my English, it is that I am Brazilian and I do not know English well.

Thank you.


----------



## Anonymous (Jun 23, 2013)

Please try:

```
# sysctl net.link.ether.ipfw=1
# ipfw add <rule_number> allow tcp from any to any 443 MAC any xx:xx:xx:xx:xx:xx
```

You have to replace `<rule_number>` by an exact number which is below the rule number of any rule which would implicitly deny the same traffic.


----------



## jabj (Jun 24, 2013)

Hello,

Thanks for the feedback. I had already done this and it still does not work. Below is my ipfw.rules. The titles will be in Portuguese. My firewall is of the 'deny all' type. The sysctl.conf has this:

```
net.link.ether.ipfw = 1
```

What am I still doing wrong? If you find errors in ipfw.rules, could you please suggest corrections regarding this issue? Thank you.


```
# Flush rules, pipes and queues
/sbin/ipfw -f flush
/sbin/ipfw -f pipe flush
/sbin/ipfw -f queue flush

# Disable one_pass (packets keep traversing the rules after a divert/dummynet rule)
/sbin/ipfw disable one_pass

####### TEST BY MAC
/sbin/ipfw add allow ip from any to any layer2 mac-type arp
/sbin/ipfw add allow ip from any to any 443 mac any 00:50:56:8a:bd:2d in via em0

# Alias
rede_interna="192.168.20.0/24"

# NAT
/sbin/ipfw add divert natd all from any to any via em1

# No transparent proxy for Caixa Economica Federal
/sbin/ipfw add allow tcp from ${rede_interna} to 200.201.174.0/24,200.251.164.0/24 80

# No transparent proxy for Nota Fiscal Eletronica (NFe)
# NOTE: /73 is not a valid IPv4 prefix length, so ipfw rejects this rule as written
/sbin/ipfw add allow tcp from ${rede_interna} 1024-65535 to 201.16.234.0/24,200.166.92.0/24,186.209.98.0/73 80 keep-state

# No transparent proxy for Sicoob
/sbin/ipfw add allow tcp from ${rede_interna} to 189.75.117.230,186.215.92.131,186.215.92.145 keep-state

# No transparent proxy for BeloDente and Viacard
/sbin/ipfw add allow tcp from ${rede_interna} 1024-65535 to 189.26.236.5,200.149.156.146 8080 keep-state

# Allow external DNS
/sbin/ipfw add allow udp from me 1024-65535 to any 53
/sbin/ipfw add allow tcp from me 1024-65535 to any 53
/sbin/ipfw add allow udp from any 53 to me 1024-65535
/sbin/ipfw add allow tcp from any 53 to me 1024-65535

# Basic firewall (drop invalid TCP flag combinations)
/sbin/ipfw add deny tcp from any to any tcpflags syn,fin,psh in
/sbin/ipfw add deny tcp from any to any tcpflags fin,urg,psh in
/sbin/ipfw add deny tcp from any to any tcpflags !fin,!syn,!ack,!urg,!psh,!rst in
/sbin/ipfw add deny tcp from any to any tcpflags syn,fin,rst,ack in
/sbin/ipfw add deny tcp from any to any tcpflags fin,!syn,!rst,!ack in
/sbin/ipfw add deny tcp from any to any tcpflags syn,fin,!rst,!ack in
/sbin/ipfw add deny tcp from any to any tcpflags urg,!syn,!fin,!rst,!ack in

# Allow NTP
/sbin/ipfw add allow tcp from me 123 to any 123
/sbin/ipfw add allow udp from me 123 to any 123
/sbin/ipfw add allow tcp from any 123 to me 123
/sbin/ipfw add allow udp from any 123 to me 123

# Allow internal DNS
/sbin/ipfw add allow udp from ${rede_interna} 1024-65535 to any 53
/sbin/ipfw add allow tcp from ${rede_interna} 1024-65535 to any 53
/sbin/ipfw add allow udp from any 53 to ${rede_interna} 1024-65535
/sbin/ipfw add allow tcp from any 53 to ${rede_interna} 1024-65535

# Allow WWW from the firewall itself
/sbin/ipfw add allow tcp from me to any keep-state

# Transparent proxy
/sbin/ipfw add fwd 192.168.20.254,3128 tcp from ${rede_interna} to any 80

# Allow HTTP
/sbin/ipfw add allow tcp from me 1024-65535 to any 80
/sbin/ipfw add allow tcp from any 80 to me 1024-65535
/sbin/ipfw add allow tcp from any 80 to ${rede_interna} 1024-65535
/sbin/ipfw add allow tcp from ${rede_interna} 1024-65535 to any 80

# Allow FTP
/sbin/ipfw add allow tcp from ${rede_interna} 1024-65535 to any 20,21
/sbin/ipfw add allow tcp from any 20,21 to ${rede_interna} 1024-65535
/sbin/ipfw add allow tcp from any 20,21 to 200.251.77.19
/sbin/ipfw add allow tcp from 200.251.77.19 to any 20,21

# Allow FTP Viaceu
/sbin/ipfw add allow tcp from 186.209.34.21,187.0.180.5,187.0.180.2 20,21,1024-65535 to ${rede_interna} 1024-65535
/sbin/ipfw add allow tcp from ${rede_interna} 1024-65535 to 186.209.34.21,187.0.180.5,187.0.180.2 20,21,1024-65535
/sbin/ipfw add allow tcp from me 1024-65535 to 186.209.34.21,187.0.180.5,187.0.180.2 20,21,1024-65535
/sbin/ipfw add allow tcp from 186.209.34.21,187.0.180.5,187.0.180.2 20,21,1024-65535 to me 1024-65535

# Allow FTP Cera Ingleza
/sbin/ipfw add allow tcp from ${rede_interna} 1024-65535 to 200.251.77.0/26 1024-65535
/sbin/ipfw add allow tcp from 200.251.77.0/26 1024-65535 to ${rede_interna} 1024-65535

# Allow FTP Serigy
/sbin/ipfw add allow tcp from ${rede_interna} 1024-65535 to 189.52.81.15 1024-65535
/sbin/ipfw add allow tcp from 189.52.81.15 1024-65535 to ${rede_interna} 1024-65535

# Allow FTP 4shared
/sbin/ipfw add allow tcp from ${rede_interna} 1024-65535 to 199.101.132.0/22 1024-65535
/sbin/ipfw add allow tcp from 199.101.132.0/22 1024-65535 to ${rede_interna} 1024-65535

# Allow PING on the network
/sbin/ipfw add allow icmp from any to any

# Allow EMAIL TASK by IP
/sbin/ipfw add allow tcp from ${rede_interna} to 67.228.2.0/24 110,25,587,143
/sbin/ipfw add allow tcp from ${rede_interna} to 75.126.195.0/24 110,25,587,143
/sbin/ipfw add allow tcp from 67.228.2.0/24 110,25,587,143 to ${rede_interna}
/sbin/ipfw add allow tcp from 75.126.195.0/24 110,25,587,143 to ${rede_interna}

# Allow EMAIL TASK by DNS
/sbin/ipfw add allow tcp from ${rede_interna} to pop3.task.com.br,pop3.etiam.com.br,pop3.brfilms.com.br,pop3.amaralincorp.com.br 110,25,587,143
/sbin/ipfw add allow tcp from ${rede_interna} to smtp.task.com.br,smtp.etiam.com.br,smtp.brfilms.com.br,smtp.amaralincorp.com.br 110,25,587,143
/sbin/ipfw add allow tcp from pop3.task.com.br,pop3.etiam.com.br,pop3.brfilms.com.br,pop3.amaralincorp.com.br 110,25,587,143 to ${rede_interna}
/sbin/ipfw add allow tcp from pop3.task.com.br,pop3.etiam.com.br,pop3.brfilms.com.br,pop3.amaralincorp.com.br 110,25,587,143 to ${rede_interna}

# Deny ALL and log
/sbin/ipfw add 65533 deny log logamount 10000 all from any to any
```
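The rule suggested in the reply above and the "TESTE POR MAC" rules in this script fail the same way: with `net.link.ether.ipfw=1` each packet is evaluated once at layer 2, where `MAC` matches, and again at layer 3, where the Ethernet header is no longer available, so the packet is allowed at layer 2 and then falls through to the final deny at layer 3. The following skeleton is an added example, not code from either poster: it sends the layer-2 pass to its own block and carries the MAC decision into the layer-3 pass with an ipfw tag. It assumes em0 as LAN, em1 as WAN with natd and one_pass disabled, the client MAC from the thread, free rule numbers 10-110 and 1000-1020, an unused tag 10, and that a tag set at layer 2 is still on the packet at layer 3; without `/sbin/ipfw` present it only prints the rules.

```shell
#!/bin/sh
# Two-pass ipfw skeleton letting one MAC address bypass the IP rules (added example).
# Assumed from the thread: LAN em0, WAN em1 with natd, one_pass disabled,
# client MAC 00:50:56:8a:bd:2d.  Assumed here: rules 10-110 and 1000-1020 are free,
# tag 10 is unused, and a tag attached during the layer-2 pass is still present when
# the layer-3 pass evaluates the same packet.
IPFW="${IPFW:-/sbin/ipfw}"

# Loads a rule when ipfw is present; prints it otherwise, so the set can be previewed.
ipfw_add() {
    if [ -x "$IPFW" ]; then "$IPFW" add "$@"; else echo "ipfw add $*"; fi
}

# Accept only a well-formed colon-separated MAC before it reaches the ipfw command line.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

mac_bypass_rules() {
    lan_if="$1"; wan_if="$2"; mac="$3"; tag="$4"
    valid_mac "$mac" || { echo "not a MAC address: $mac" >&2; return 1; }

    # With net.link.ether.ipfw=1 every frame is evaluated twice: at layer 2, where the
    # Ethernet header (and so 'MAC') is visible, and at layer 3, where it is not.
    # Send the layer-2 pass to its own block so the IP rules are evaluated only once.
    ipfw_add 10 skipto 1000 all from any to any layer2

    # Layer-3 pass.  NAT comes first so the tagged rule never accepts an untranslated
    # packet on its way out.
    ipfw_add 100 divert natd all from any to any via "$wan_if"
    # The MAC is gone here, but the tag from rule 1010 remains; keep-state admits the
    # replies, which carry no tag.  The existing IP rules and the final deny follow.
    ipfw_add 110 allow ip from any to any tagged "$tag" keep-state

    # Layer-2 block.  ARP must pass or nothing on the LAN can resolve the gateway.
    ipfw_add 1000 allow ip from any to any layer2 mac-type arp
    # 'MAC dst src': 'any' is the destination, the client's address is the source.
    # A client can set its own MAC, so this grants convenience, not identity.
    ipfw_add 1010 allow tag "$tag" ip from any to any MAC any "$mac" layer2 in via "$lan_if"
    # Every other frame is passed at layer 2 and judged by the IP rules at layer 3.
    ipfw_add 1020 allow all from any to any layer2
}

mac_bypass_rules em0 em1 00:50:56:8a:bd:2d 10
```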


----------

