The best of both worlds “using mac filtering in pf”


The best of both worlds “using mac filtering in pf”

l.m.v.breda
Hello,

I am using pfSense, built on top of pf. And of course pfSense/pf is a terrific firewall, however the world is changing in the direction of IPv6 and that leads to new issues and related new requirements.

One of the major issues is that IPv6 does not provide a stable source address you can use to filter in your firewall.

Many firewalls “out there” are *using the level-2 MAC as a way around this issue*. However ….. pfSense cannot provide that functionality, since it is built on top of …… pf.

Tja, and then there is a “striking” issue ….. suppose that pfSense would have been built on top of OpenBSD, still using pf ………. That had been possible …….

So as user I would be very pleased if there could be a joined “pf-release” having *best of both worlds* !!!!

Assume we were running OpenBSD …… things like

step-1: ifconfig bridge0 rule pass in on fxp0 src <mac-address> tag <sometag>
step-2: And then in pf.conf: pass in on fxp0 tagged <sometag> (policy based rule)

would have been an option, …. not saying it is the best option ….. a better option would be if pf could set the tag itself

Whatever, please consider adding this functionality to pf, preferably on short term, since IPv6 is fast becoming very important!

Sincerely,


Louis

PS … should I raise a feature request for this?


_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[hidden email]"

Re: The best of both worlds “using mac filtering in pf”

Kristof Provost
On 10 Jul 2020, at 19:57, [hidden email] wrote:

> Hello,
>
> I am using pfSense, built on top of pf. And of course pfSense/pf is a
> terrific firewall, however the world is changing in the direction of
> IPv6 and that leads to new issues and related new requirements.
>
> One of the major issues is that IPV6 does not provide a stable source
> address you can use to filter in your firewall.
>
> Many firewalls “out there” are *using the level-2 MAC as a way
> around this issue*. However ….. pfSense cannot provide that
> functionality, since it is built on top of …… pf.
>
> Tja, and then there is a “striking” issue ….. suppose that
> pfSense would have been built on top of OpenBSD, still using pf
> ………. That had been possible …….
>
> So as user I would be very pleased if there could be a joined
> “pf-release” having *best of both worlds* !!!!
>
> Assume we were running OpenBSD …… things like
>
> step-1: ifconfig bridge0 rule pass in on fxp0 src <mac-address> tag
> <sometag>
> step-2: And then in pf.conf: pass in on fxp0 tagged <sometag> (policy
> based rule)
>
> would have been an option, …. not saying it is the best option …..
> a better option would be if pf could set the tag itself
>
> Whatever please consider adding this functionality to pf preferable on
> short term, since IPV6 is fast becoming very important!
>
> Sincerely,
>
>
>
> Louis
>
> PS … should I raise a feature request for this?
>
You can, but adding L2 filtering functionality to pf isn’t even on my
long-term todo list. It is essentially out of the question that it’d
be added in the short term (or even in the next year or two, unless
someone decides it’s worth contracting me for several months to do
it).

I don’t personally see the use case for it either, but perhaps I’m
missing something. Can you explain what exactly you’d like to
accomplish with L2 filtering?

(It’s already possible to use pf on top of a bridge in
bump-in-the-wire mode. Given the gotchas in that code I **strongly**
recommend people don’t use that functionality.)

Best regards,
Kristof

Re: The best of both worlds “using mac filtering in pf”

Ultima
In reply to this post by l.m.v.breda
Please go in detail about this issue on why you would need to filter layer
2.

I see very little benefit to having the ability to filter on layer 2 except
in some very special cases and IPv6 isn't one of them that I'm aware of.

Best regards,
Richard Gallamore

On Fri, Jul 10, 2020 at 10:57 AM <[hidden email]> wrote:

> Hello,
>
> I am using pfSense, built on top of pf. And of course pfSense/pf is a
> terrific firewall, however the world is changing in the direction of IPv6
> and that leads to new issues and related new requirements.
>
> One of the major issues is that IPV6 does not provide a stable source
> address you can use to filter in your firewall.
>
> Many firewalls “out there” are *using the level-2 MAC as a way around this
> issue*. However ….. pfSense cannot provide that functionality, since it
> is built on top of …… pf.
>
> Tja, and then there is a “striking” issue ….. suppose that pfSense would
> have been built on top of OpenBSD, still using pf ………. That had been
> possible …….
>
> So as user I would be very pleased if there could be a joined “pf-release”
> having *best of both worlds* !!!!
>
> Assume we were running OpenBSD …… things like
>
> step-1: ifconfig bridge0 rule pass in on fxp0 src <mac-address> tag
> <sometag>
> step-2: And then in pf.conf: pass in on fxp0 tagged <sometag> (policy
> based rule)
>
> would have been an option, …. not saying it is the best option …..
> a better option would be if pf could set the tag itself
>
> Whatever please consider adding this functionality to pf preferable on
> short term, since IPV6 is fast becoming very important!
>
> Sincerely,
>
>
>
> Louis
>
> PS … should I raise a feature request for this?
>
>
>
> _______________________________________________
> [hidden email] mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "[hidden email]"
>

Re: The best of both worlds “using mac filtering in pf”

Ultima
In reply to this post by Kristof Provost
Hey Kristof,


> (It’s already possible to use pf on top of a bridge in
> bump-in-the-wire mode. Given the gotchas in that code I **strongly**
> recommend people don’t use that functionality.)
>
>
Do you mind going into details on the gotchas or providing links?

Thanks and best regards,
Richard Gallamore

Re: The best of both worlds “using mac filtering in pf”

Kristof Provost
On 10 Jul 2020, at 22:37, Ultima wrote:

> Hey Kristof,
>
>
>> (It’s already possible to use pf on top of a bridge in
>> bump-in-the-wire mode. Given the gotchas in that code I **strongly**
>> recommend people don’t use that functionality.)
>>
>>
> Do you mind going into details on the gotchas or providing links?
>
I am reluctant to, because people will delude themselves into believing
they can avoid the landmines.

The entire way this feature is implemented is wrong, and you cannot
reliably avoid the landmines. If you use it at some point you will find
yourself spread out over the landscape.

That said, very briefly, (and understand that it **will** blow up in
your face when it’s most annoying): the way this feature works is by
stripping off the ethernet header, passing the IP packet to pf, and then
re-adding the ethernet header once pf is done with it.

This explodes spectacularly if you do something that causes the packet
to not be returned by pf, such as a route-to/reply-to rule, or anytime
IPv6 fragmentation is involved.

Best regards,
Kristof

RE: The best of both worlds “using mac filtering in pf”

l.m.v.breda
In reply to this post by Ultima
Hello,


Seeing the reactions, I think I did not describe my problem well enough. So here is a better problem description.


An IPv6 device has many IPv6 addresses, among them temporary addresses and autogenerated addresses. This is partly because of privacy concerns.


So if an IPv6 device starts a connection with e.g. a temporary address, the firewall does not know that address. As a consequence, filtering the outgoing traffic of that specific device is not possible.


So given that situation you / the firewall need something else to filter on. And the intention is to use the device MAC address for that. That is not that special. Other firewalls can do that as well (to a certain extent even the OpenBSD pf version).


So the intention is not to do level-2 filtering; the intention is just to use the level-2 address as an alternative to the unknown IPv6 address, for level-3 filtering.


Not different from IPv4 firewall rules using an IPv4 address to block or pass incoming or outgoing traffic.


Hope this clarifies things.


Louis


From: Ultima <[hidden email]>
Sent: Friday, July 10, 2020 10:31 PM
To: [hidden email]
Cc: [hidden email]
Subject: Re: The best of both worlds “using mac filtering in pf”


Please go in detail about this issue on why you would need to filter layer 2.


I see very little benefit to having the ability to filter on layer 2 except in some very special cases and IPv6 isn't one of them that I'm aware of.


Best regards,

Richard Gallamore


On Fri, Jul 10, 2020 at 10:57 AM <[hidden email]> wrote:

Hello,

I am using pfSense, built on top of pf. And of course pfSense/pf is a terrific firewall, however the world is changing in the direction of IPv6 and that leads to new issues and related new requirements.

One of the major issues is that IPv6 does not provide a stable source address you can use to filter in your firewall.

Many firewalls “out there” are *using the level-2 MAC as a way around this issue*. However ….. pfSense cannot provide that functionality, since it is built on top of …… pf.

Tja, and then there is a “striking” issue ….. suppose that pfSense would have been built on top of OpenBSD, still using pf ………. That had been possible …….

So as user I would be very pleased if there could be a joined “pf-release” having *best of both worlds* !!!!

Assume we were running OpenBSD …… things like

step-1: ifconfig bridge0 rule pass in on fxp0 src <mac-address> tag <sometag>
step-2: And then in pf.conf: pass in on fxp0 tagged <sometag> (policy based rule)

would have been an option, …. not saying it is the best option ….. a better option would be if pf could set the tag itself

Whatever, please consider adding this functionality to pf, preferably on short term, since IPv6 is fast becoming very important!

Sincerely,


Louis

PS … should I raise a feature request for this?

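The thread ends without a pf-side answer to Louis's actual requirement: a policy keyed on the device, applied at layer 3, for hosts whose IPv6 addresses rotate. pf already filters on layer-3 addresses and can reload tables atomically, so one way to get there on FreeBSD without the layer-2 filtering Kristof declines to add is to read the neighbor cache, group the addresses a host is currently using under its MAC, and refresh a per-device pf table from that. The following is an added example written for this page; it is not code from the thread, from pf or from pfSense. It assumes the column layout of FreeBSD's `ndp -an` (Neighbor, Linklayer Address, Netif, Expire, S, Flags); the sample output, the MAC addresses and the table names (`dev_laptop`, `dev_missing`) are constructed. Pairing the tables with a rule such as `pass in on $lan inet6 from <dev_laptop> to any` is the reader's own pf.conf step, as in Louis's step-2.

```python
"""Group the IPv6 addresses a host currently uses under its MAC address, from
the neighbor cache, and emit pfctl commands that refresh a per-device pf table.

Added example, not code from the mailing-list thread or from pf/pfSense.
Assumption: the text being parsed has FreeBSD's `ndp -an` column layout
(Neighbor, Linklayer Address, Netif, Expire, S, Flags). Only the first two
columns are used. The pf.conf side is the reader's own, e.g.
    pass in on $lan inet6 from <dev_laptop> to any
"""
import re
import shlex
from collections import defaultdict

# Constructed sample of `ndp -an` output: the first host has a link-local, a
# stable (EUI-64 style) and a temporary address; one entry is unresolved.
SAMPLE_NDP = """\
Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::211:22ff:fe33:4455%em0         00:11:22:33:44:55  em0   23h59m58s S R
2001:db8:1::211:22ff:fe33:4455       00:11:22:33:44:55  em0   23h59m12s S R
2001:db8:1::9a3f:7c21:dd04:e1b2      00:11:22:33:44:55  em0   4h11m02s  S R
2001:db8:1::aabb:ccdd:eeff:1         aa:bb:cc:dd:ee:ff  em0   permanent R
2001:db8:1::dead:beef                (incomplete)       em0   expired   I
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac):
    """Lower-case and zero-pad each octet so '0:11:22:33:44:55' and
    '00:11:22:33:44:55' compare equal. Returns None for non-MAC text such
    as the '(incomplete)' marker."""
    parts = mac.lower().split(":")
    if len(parts) != 6:
        return None
    try:
        norm = ":".join(f"{int(p, 16):02x}" for p in parts)
    except ValueError:
        return None
    return norm if MAC_RE.match(norm) else None


def parse_ndp(output, include_link_local=False):
    """Return {mac: sorted list of IPv6 addresses} from ndp -an text.
    The '%ifname' zone suffix is stripped; unresolved entries are skipped;
    link-local addresses are dropped unless asked for, since a policy for
    routed traffic does not need them."""
    by_mac = defaultdict(set)
    for line in output.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 3:
            continue
        addr, lladdr = fields[0], fields[1]
        mac = normalize_mac(lladdr)
        if mac is None:
            continue
        addr = addr.split("%", 1)[0]
        if not include_link_local and addr.lower().startswith("fe80:"):
            continue
        by_mac[mac].add(addr)
    return {m: sorted(a) for m, a in by_mac.items()}


def pf_table_replace(table, addrs):
    """pfctl command that atomically replaces the table's contents.
    An empty address list flushes the table instead: a table that matches
    nothing means a 'pass from <table>' policy passes nothing for a device
    that is not currently in the cache."""
    if not addrs:
        return f"pfctl -t {shlex.quote(table)} -T flush"
    return f"pfctl -t {shlex.quote(table)} -T replace {' '.join(addrs)}"


def plan_refresh(ndp_output, device_tables):
    """For each known device (MAC -> pf table name), the command that makes
    its table reflect the addresses the device is using right now."""
    seen = parse_ndp(ndp_output)
    return [pf_table_replace(table, seen.get(normalize_mac(mac), []))
            for mac, table in device_tables.items()]


if __name__ == "__main__":
    # Constructed device inventory; the second MAC is absent from the cache.
    inventory = {"00:11:22:33:44:55": "dev_laptop",
                 "de:ad:be:ef:00:01": "dev_missing"}
    for cmd in plan_refresh(SAMPLE_NDP, inventory):
        print(cmd)
```

In use, the script would read `ndp -an` from a subprocess on a timer or from a routing-socket watcher and run the emitted commands; the table refresh is atomic, so rules referencing the table never see a half-updated set. The limitation a practitioner should weigh is inherent in the approach rather than in the code: the cache only learns an address after the host has sent or answered neighbor discovery for it, so the first packets from a brand-new temporary address are evaluated before the table catches up, which is exactly the gap Louis wants closed at layer 2.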