From: Brett Glass
To: net@freebsd.org
Date: Wed, 13 May 2009 10:48:02 -0600
Subject: MAC locking and filtering in FreeBSD
List-Id: Networking and TCP/IP with FreeBSD

I need to find a way to do "MAC address locking" in FreeBSD -- that is, to ensure that only a machine with a particular MAC address can use a particular IP address.

Unfortunately, it appears that rules in FreeBSD's IPFW are "stuck" on one layer: rules that look at Layer 2 information in a packet can't look at Layer 3, and vice versa.

Is there a way to work around this to do MAC address locking and/or other functions that involve looking at Layer 2 and Layer 3 simultaneously?

--Brett Glass