From owner-freebsd-questions@FreeBSD.ORG Wed Oct 5 08:58:22 2005
Message-ID: <01bf01c5c98b$df455ff0$c801a8c0@nexpc>
From: "Foo Ji-Haw"
Date: Wed, 5 Oct 2005 17:05:01 +0800
Subject: ipfw: ALLOWing by mac address

Hello all,

I'd like your feedback on a problem I have with allowing access through the ipfw firewall via mac addresses.

Andrew has a good point on mac address spoofing. I agree with him on the security concern, but for the situation that I am setting up, that's ok. But I really need to open the firewall via mac address.

Let me detail my setup:
dc0 is the interface to the Internet
vr0 is the interface to the managed network

I tried to read up on ipfw rules on mac, and I got something like this:
allow ip from any to any MAC any 00:90:d1:00:80:00/33

It does not work of course, but ipfw accepted the command. Basically I need the client with the mac address to be able to go past the firewall in totality.

Can anyone enlighten me on the correct format? Thanks in advance.
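
Added example, not part of the original message: a small Python model of how the `MAC dst-mac src-mac` operand is documented in ipfw(8), showing which source addresses the posted `/33` operand would cover. It assumes the man page semantics (destination first, then source; `/N` keeps the N leading bits; `&` gives an explicit bitmask); the function names and the test MAC addresses other than the one in the message are constructed for illustration.

```python
# Added example: a model of the ipfw(8) "MAC dst-mac src-mac" operand.
FULL = (1 << 48) - 1  # all 48 bits of an Ethernet address significant


def mac_to_int(mac):
    """Convert 'aa:bb:cc:dd:ee:ff' to a 48-bit integer."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    value = 0
    for p in parts:
        byte = int(p, 16)
        if not 0 <= byte <= 0xFF:
            raise ValueError(f"bad octet in {mac!r}")
        value = (value << 8) | byte
    return value


def parse_spec(spec):
    """Return (value, mask) for 'any', 'addr', 'addr/bits' or 'addr&mask'."""
    if spec == "any":
        return 0, 0
    if "/" in spec:
        addr, bits = spec.split("/", 1)
        bits = int(bits)
        if not 0 <= bits <= 48:
            raise ValueError(f"bad prefix length in {spec!r}")
        mask = FULL ^ ((1 << (48 - bits)) - 1)  # keep the leading `bits` bits
    elif "&" in spec:
        addr, raw = spec.split("&", 1)
        mask = mac_to_int(raw)
    else:
        addr, mask = spec, FULL
    return mac_to_int(addr) & mask, mask


def mac_matches(spec, mac):
    value, mask = parse_spec(spec)
    return (mac_to_int(mac) & mask) == value


def rule_matches(dst_spec, src_spec, frame_dst, frame_src):
    """Operand order is destination first, then source."""
    return mac_matches(dst_spec, frame_dst) and mac_matches(src_spec, frame_src)


def addresses_covered(spec):
    """How many distinct MAC addresses a single operand accepts."""
    _, mask = parse_spec(spec)
    return 1 << (48 - bin(mask).count("1"))
```

Under this model the `/33` operand accepts a block of addresses rather than one client, while the same address written without a mask accepts exactly one. ipfw(8) also documents that link-layer packets reach the firewall only when the `net.link.ether.ipfw` sysctl is enabled, which this model does not cover.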