From owner-freebsd-questions@FreeBSD.ORG  Wed Jun  4 08:49:30 2003
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9501C37B401
	for <freebsd-questions@freebsd.org>;
	Wed,  4 Jun 2003 08:49:30 -0700 (PDT)
Received: from theosis.net (theosis.pas.rochester.edu [128.151.145.197])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 055AF43F85
	for <freebsd-questions@freebsd.org>;
	Wed,  4 Jun 2003 08:49:30 -0700 (PDT)	(envelope-from mls@theosis.net)
Received: by theosis.net (Postfix, from userid 1000)
	id 170AE58E6; Wed,  4 Jun 2003 11:49:29 -0400 (EDT)
Date: Wed, 4 Jun 2003 11:49:29 -0400
From: RS <mls@theosis.net>
To: freebsd-questions@freebsd.org
Message-ID: <20030604154929.GB729@theosis.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
X-Organization: Dark Matter Industries at Ghostplanet
Errors-To: postmaster@theosis.net
Subject: Question: ipfw2, MAC addresses and divert.
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: mls@theosis.net
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jun 2003 15:49:30 -0000

Hi,
I'm trying to write some ipfw rules to divert packets from a machine
matching a MAC address to a natd process running on a custom divert
port.

Here are the rules I tries that don't work:
ipfw add 99 divert 8669 mac any 00:E0:18:F1:57:94 via wi0
ipfw add 99 divert 8669 mac 00:E0:18:F1:57:94 any via wi0

These do not match and the packets don't get diverted.

However, something like this does work:
ipfw add 49 deny mac any 00:E0:18:F1:57:94 via wi0
ipfw add 49 deny mac 00:E0:18:F1:57:94 any via wi0

Packets are appropriately denied.

This will work, using the ipaddress of the machine instead of its MAC:
ipfw add 99 divert 8669 ip from 10.0.0.243 to any via wi0
ipfw add 99 divert 8669 ip from any to 10.0.0.243 via wi0


What changes between using "deny" versus "divert" as a rule action that
MAC addresses don't match? Any suggestions?

Thank you.

-- 
mls@theosis.net    To be sure of hitting the target, shoot first, and
                   call whatever you hit the target. -Ashleigh
                   Brilliant