Date: Tue, 15 Feb 2005 14:22:26 +0200
From: Yury Tarasievich <grog@grsu.by>
To: freebsd-ipfw@freebsd.org
Subject: Re: To control accessos by MAC address of ethernets [freebsd-ipfw Digest, Vol 99, Issue 2]
Message-ID: <4211E982.1040102@grsu.by>
In-Reply-To: <20050215120057.C947716A4D7@hub.freebsd.org>
References: <20050215120057.C947716A4D7@hub.freebsd.org>
freebsd-ipfw-request@freebsd.org wrote:

> I have ipfw2 very well walking but I need to validate the accesses of the LAN by interval of the MAC of ethernets and I have not been able to make walk this.
>
> Somebody can show to me like is that ipfw2 with the subject of the MAC works
>
> Thanks
<...>
> My firewall
> ## rl0 NAT (LAN 1)
> ## ep1 connection internet
>
> ipfw -f flush
>
> ipfw add divert natd all from any to any via ep1
>
> ipfw add allow all from any to 192.168.1.56 MAC any 00:0d:88:ba:b9:40 via rl0
> (no add packets)
>
> ipfw add fwd 127.0.0.1,3128 tcp from 192.168.0.0/16 to not 192.168.0.0/16 80
>
> ipfw add pipe 78 tcp from any 80 to 192.168.0.0/16
>
> ipfw pipe 78 config mask src-ip 0x000000ff bw 80Kbit/s

As was already advised to you (but better structured, I hope :)

a) do ``sysctl net.link.ether.ipfw=1''
   This enables ipfw to see layer2 packets at all.

b) you may or may not want to do ``ipfw disable one_pass''
   If done, this enables a packet to travel through several "accepting" rules like "pipe" or "queue" etc. After going through the pipe, the packet gets reinjected.

c) explicitly qualify everything using the ``MAC'' argument with the ``layer2'' argument

d) allow passing of the ARP broadcasts, selecting them either with the advised directive or with ``dst-addr 0xffffffff''

I understand you aren't using bridging. Then this should suffice.

--regards
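The four steps above, put together as one ruleset generator. This is an added example, not the poster's configuration or anything from the reply: the interface name, LAN prefix and the IP/MAC allow-list are constructed placeholders, and the rule syntax follows ipfw(8) as understood here, so check it against the man page on the target host. The script only prints the commands unless APPLY=1 is set, so the ruleset can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example, not the poster's configuration: emit an ipfw2 ruleset that
# applies steps a) to d) from the reply. Interface, prefix and MACs below are
# constructed placeholders.

LAN_IF="rl0"                # constructed: LAN side (the poster also used rl0)

# Constructed allow-list, one "ip mac" pair per line. A LAN host may only
# send from its registered MAC; any other layer-2 frame arriving on LAN_IF
# is dropped before the layer-3 rules ever see it.
ALLOWED_HOSTS="
192.168.1.56 00:0d:88:ba:b9:40
192.168.1.57 00:0d:88:ba:b9:41
"

# Accept only colon-separated 48-bit MACs, so a typo in the table cannot
# turn into an unparsable or over-broad rule.
valid_mac() {
    hx='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $hx:$hx:$hx:$hx:$hx:$hx) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ruleset, one command per line. Nothing is executed here; the
# caller reviews the output or pipes it to sh on the firewall.
build_ruleset() {
    echo "sysctl net.link.ether.ipfw=1"      # a) hand layer-2 frames to ipfw at all
    # b) optional: "ipfw disable one_pass" lets a frame continue past pipe/queue rules
    echo "ipfw -f flush"
    # d) ARP must get through, or LAN hosts can never resolve the gateway.
    echo "ipfw add allow all from any to any layer2 mac-type arp via $LAN_IF"
    # c) every MAC rule carries 'layer2'; 'MAC dst src' binds source MAC to source IP.
    while read -r ip mac; do
        [ -n "$ip" ] || continue                  # skip blank lines in the table
        if ! valid_mac "$mac"; then
            echo "bad MAC for $ip: $mac" >&2
            return 1
        fi
        echo "ipfw add allow all from $ip to any MAC any $mac layer2 in via $LAN_IF"
    done <<EOF
$ALLOWED_HOSTS
EOF
    # Anything else arriving from the LAN at layer 2 is an unregistered host.
    echo "ipfw add deny all from any to any layer2 in via $LAN_IF"
    # Remaining layer-2 traffic (outbound frames, other interfaces) passes;
    # the reinjected packet then meets the normal layer-3 rules (divert, fwd, pipe).
    echo "ipfw add allow all from any to any layer2"
}

# On the firewall itself, APPLY=1 executes the rules instead of printing them.
if [ "${APPLY:-0}" = 1 ]; then
    build_ruleset | sh
else
    build_ruleset
fi
```

The layer-2 deny sits before the generic layer-2 allow, so a host that changes its MAC, or a new device plugged into the LAN, loses connectivity at the frame level and the layer-3 NAT and forwarding rules are never reached for it.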