Date: Fri, 20 Aug 2004 17:47:17 -0500
From: Wayne M Barnes
To: Chuck Swiger
cc: freebsd-questions@freebsd.org
Subject: Re: dhcpd MAC filter
Message-ID: <20040820224717.GA66583@etaq.com>
References: <20040820172222.GA65972@etaq.com> <41263C76.7070102@mac.com>
In-Reply-To: <41263C76.7070102@mac.com>

Dear Chuck,

    Thanks for the tip about ipfw, but I can't seem to write
an acceptable line for rc.firewall, even after reading man ipfw,
which does not show a full example.  For instance, the following
confuses ipfw when I put it into rc.firewall:

#from man ipfw:  MAC 10:20:30:40:50:60/33 any
ipfw add drop all from MAC 00:02:2d:2e:04:28 to any

It complains that MAC is an unknown machine.
How should I spell a firewall rule invocation that will prevent
a certain MAC serial number from getting through or to my
FreeBSD machine?

    Thank you for any further advice.

-- Wayne

On Fri, Aug 20, 2004 at 02:01:26PM -0400, Chuck Swiger wrote:
> Wayne M Barnes wrote:
> >     Is there a way to allow or disallow certain computers by their
> > MAC number?
>
> ipfw 2 supports firewalling by MAC address, so yes.
>
> >     This ability comes with the software on my wireless access point,
> > but I prefer that my FreeBSD system hand out the IP addresses,
> > and I cannot find this MAC-filtering ability at man dhcpd.
> >
> >     isc-dhcp3-server-3.0.1.r14_2 is my installed port.
> > Is there another dhcpd to try?
>
> You can specify MAC addresses in your DHCP config to reserve specific IP
> addresses for specific machines.  I'm not sure whether there is a way to
> tell DHCP not to grant a lease to MAC addresses which are not found, but
> then, without using a firewall, someone could manually configure a foreign
> host to use the connection, regardless of whether they can get a DHCP lease.
>
> --
> -Chuck

--
Wayne M Barnes wayne@etaq.com fax: (314) 754-9556
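
For reference, an added example (not part of the original message or of either poster's configuration): in ipfw2, `MAC` is a match option written after the `from ... to ...` addresses, destination first and source second, and the rules only see Ethernet headers once `net.link.ether.ipfw=1` is set. The helper names `valid_mac` and `mac_deny_rules` and the rule number 200 are assumptions; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: ipfw2 rules that drop Ethernet frames from/to listed MACs.
# Prerequisite on the FreeBSD host (otherwise ipfw never sees MAC headers):
#   sysctl net.link.ether.ipfw=1
# IPFW defaults to "echo ipfw" (dry run); set IPFW=/sbin/ipfw to apply.
IPFW="${IPFW:-echo ipfw}"

# valid_mac MAC: succeed only for six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# mac_deny_rules FIRST_RULE MAC...  (hypothetical helper name)
# FIRST_RULE must be lower than any allow rule already in rc.firewall.
mac_deny_rules() {
    rule=$1
    shift
    for mac in "$@"; do
        if ! valid_mac "$mac"; then
            echo "skipping malformed MAC: $mac" >&2
            continue
        fi
        # "MAC dst-mac src-mac" is an option placed after "from ... to ...".
        # Source position: frames sent by the unwanted host.
        $IPFW add "$rule" deny all from any to any MAC any "$mac" layer2
        rule=$((rule + 1))
        # Destination position: frames addressed to the unwanted host.
        $IPFW add "$rule" deny all from any to any MAC "$mac" any layer2
        rule=$((rule + 1))
    done
    # Assumption: the rest of the ruleset is written for IP packets, so pass
    # the remaining layer-2 frames (ARP included) on to the normal IP pass.
    $IPFW add "$rule" allow all from any to any layer2
}

# Dry run with the address from the message; rule number 200 is an assumption.
mac_deny_rules 200 00:02:2d:2e:04:28
```

A MAC address is set by the client, so these rules filter known devices rather than authenticate them; keep the IP-level rules in place as well.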