On July 27, 2022 9:23:36 AM GMT+02:00, Cristian Danila <[email protected]> 
wrote:
>[UPDATE]
>The only possible solution that I have found for now is that
>I have to create a vether interface, add it to the bridge and use
>the filtered vether interface as main. So I would deduce (but
>maybe I am wrong) that a single interface added to a bridge
>cannot participate in this kind of filtering.

Indeed you are configuring the bridge between interfaces, not the interfaces 
themselves. The bridge was not between your vic0 interface and the mac address 
you're trying to block.

I was going to suggest the exact path you took, bridging a vether interface.

>I did not find any docs mentioning what is happening in a bridge
>configuration: whether the filtered traffic is the one that is forwarded between
>interfaces by the bridge itself, or the interface itself is doing the filtering
>when it is marked as being part of a bridge.
>My concern with this new vether interface is that I am not sure
>yet how much overhead it introduces in the process.

If you run some tests, do feel free to share the results.

/Alexander

>I will try to look into the source code; maybe I will find something useful.
>
>On Tue, Jul 26, 2022, 15:10 Cristian Danila <[email protected]> wrote:
>>
>> Good day!
>> I've been having a headache for days (I still fight, no success yet)
>> trying to find a way to block ARP for a specific
>> MAC address (example 00:50:56:c0:00:08).
>> I want to see how I can achieve this on OpenBSD,
>> I would appreciate a technical answer or a hint/site/doc/book where
>> I can research more to expand my knowledge.
>> I've tried lots of combinations in the config and many lookups over the
>> internet, and I was not able to find an answer yet.
>>
>> This is what I've found and tried.
>>
>> OpenBSD can filter level 2 traffic only if the interface
>> is part of a BRIDGE.
>> Adding it to a bridge puts it in promiscuous mode so that it can
>> receive every packet sent on the network.
>>
>> So, given this requirement, I have hostname.bridge0
>> ---------------hostname.vic0----------------
>> inet autoconf
>> up
>> ---------------hostname.bridge0----------------
>> #add my network card to bridge
>> add vic0
>> blocknonip vic0
>> rule block in on vic0
>> rule block out on vic0 src 00:50:56:c0:00:08
>> rule block out on vic0 dst 00:50:56:c0:00:08
>> up
>> -----------------------------------------------
>> Now I reboot and expect to see the packets blocked for 00:50:56:c0:00:08.
>> However, these are not blocked, and here is the log:
>>
>> 00:50:56:c0:00:08 ff:ff:ff:ff:ff:ff 0806 60: arp who-has
>> 192.168.121.131 tell 102.168.121.1
>> 00:50:56:c0:00:08 ff:ff:ff:ff:ff:ff 0806 60: arp who-has
>> 192.168.121.131 tell 102.168.121.1
>> 00:0c:29:c3:d9:a7 00:50:56:c0:00:08 0806 60: arp reply 192.168.121.131
>> is-at 00:0c:29:c4:d9:a7
>>
>> So I see a successful request/response for 00:50:56:c0:00:08.
>> I would appreciate any help.
>>
>> Kind Regards,
>> Claudiu
>

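An added configuration example (not part of the thread, and not the poster's own files) showing the vether layout the reply above recommends: the physical NIC carries no address, the host's IP lives on the vether, and the two are joined by a bridge so that every frame the host sends or receives crosses the bridge and is therefore subject to the bridge rules. Interface names vic0/vether0/bridge0 and the MAC 00:50:56:c0:00:08 are taken from the thread; the three files are shown in hostname.if(5) form, separated the way the original post separates them.

```conf
---------------hostname.vic0----------------
# physical NIC: bridge member only, no IP address here
up
---------------hostname.vether0----------------
# virtual ethernet: this is where the host's address lives
inet autoconf
up
---------------hostname.bridge0----------------
add vic0
add vether0
# frames arriving on vic0 from or for the blocked MAC are dropped
# before the bridge forwards them to vether0 (and so to the host)
rule block in on vic0 src 00:50:56:c0:00:08
rule block in on vic0 dst 00:50:56:c0:00:08
# frames the host sends toward the blocked MAC are dropped on the way out of vic0
rule block out on vic0 dst 00:50:56:c0:00:08
up
```

Two things to check after bringing this up: `ifconfig bridge0 rules vic0` should list the three rules on the member they were written for, and `tcpdump -e -i vether0` (the same link-level output format as the log quoted above) should no longer show frames with 00:50:56:c0:00:08 in either address field, while a capture on vic0 will still show them arriving from the wire, because the rules act on forwarding between members, not on what the NIC receives. Note also that the original post's blanket `rule block in on vic0` would, in this layout, stop all inbound traffic to the host, since everything now reaches the stack via the bridge.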