Comments for Gleb Kurtsou http://blogs.freebsdish.org/gleb Just another FreeBSD Committers Blogs weblog Fri, 21 Nov 2008 10:55:14 +0000 http://wordpress.org/?v=2.6 Comment on Layer2 filtering in pf by gleb http://blogs.freebsdish.org/gleb/2008/07/30/layer2-filtering-in-pf/#comment-69 gleb Sun, 26 Oct 2008 13:54:39 +0000 http://blogs.freebsdish.org/gleb/2008/07/30/layer2-filtering-in-pf/#comment-69 multicast address is supported. I didn't add masks for ethernet addresses intentionally mainly because there is no real use of it and no other os supports it. Once again you can specify 'mulicast' ethernet address which is equivalent to 01:00:00:00:00:00/FF:FF:FF:FF:FF:FF ARP filtering is supported by ipfw. I've added this feature just before Summer of Code deadline, and didn't blog about it. It's not supported by pf because pf can't perform layer2 filtering. Filtering ARP at layer3 is possible but not so trivial. I can work on addaing ARP filtering to pf after code will be commited into the tree. multicast address is supported. I didn’t add masks for ethernet addresses intentionally mainly because there is no real use of it and no other os supports it. Once again you can specify ‘mulicast’ ethernet address which is equivalent to 01:00:00:00:00:00/FF:FF:FF:FF:FF:FF

ARP filtering is supported by ipfw. I’ve added this feature just before Summer of Code deadline, and didn’t blog about it. It’s not supported by pf because pf can’t perform layer2 filtering. Filtering ARP at layer3 is possible but not so trivial.

I can work on addaing ARP filtering to pf after code will be commited into the tree.

]]> Comment on Layer2 filtering in pf by nets http://blogs.freebsdish.org/gleb/2008/07/30/layer2-filtering-in-pf/#comment-68 nets Sun, 26 Oct 2008 04:50:09 +0000 http://blogs.freebsdish.org/gleb/2008/07/30/layer2-filtering-in-pf/#comment-68 Suggestions: Why not add a bit mask to ethernet addresses so that one may match, say, multicast addresses. Example: pass in on bridge0 from 10.0.0.1 ether 00:11:11:11:11:11/FF:FF:FF:FF:FF:FF or pass in on bridge0 from 10.0.0.1 ether 01:00:00:00:00:00/FF:FF:FF:FF:FF:FF (to any multicast address and broadcast too!) How about adding ability to match ARP query/respons fields too? It would be neat to be able to filter out any ARP requests/responses for invalid/wrongly configured networks like. pass in on bridge0 proto arp arp-opcode 0x0001 arp-src-ip 10.0.0.0/8 arp-dst-ip 10.0.0.0/8 drop proto arp Otherwise, cool stuff! Suggestions:

Why not add a bit mask to ethernet addresses so that one may match, say, multicast addresses. Example:
pass in on bridge0 from 10.0.0.1 ether 00:11:11:11:11:11/FF:FF:FF:FF:FF:FF
or
pass in on bridge0 from 10.0.0.1 ether 01:00:00:00:00:00/FF:FF:FF:FF:FF:FF
(to any multicast address and broadcast too!)

How about adding ability to match ARP query/respons fields too?
It would be neat to be able to filter out any ARP requests/responses for invalid/wrongly configured networks like.
pass in on bridge0 proto arp arp-opcode 0×0001 arp-src-ip 10.0.0.0/8 arp-dst-ip 10.0.0.0/8
drop proto arp

Otherwise, cool stuff!

]]> Comment on post #1 (just a test) by kahanaja http://blogs.freebsdish.org/gleb/2008/06/22/post-1-just-a-test/#comment-3 kahanaja Wed, 02 Jul 2008 21:26:08 +0000 http://blogs.freebsdish.org/gleb/2008/06/22/post-1-just-a-test/#comment-3 Hi ;) Hi ;)

]]>