Date: Wed, 5 Oct 2005 18:10:50 +0400
From: "Andrew P." <infofarmer@gmail.com>
To: Foo Ji-Haw <jhfoo@nexlabs.com>
Cc: Freebsd-questions@freebsd.org
Subject: Re: ipfw: ALLOWing by mac address
Message-ID: <cb5206420510050710g5524cf43k61dbf8ff70b2c239@mail.gmail.com>
In-Reply-To: <01bf01c5c98b$df455ff0$c801a8c0@nexpc>
References: <01bf01c5c98b$df455ff0$c801a8c0@nexpc>
On 10/5/05, Foo Ji-Haw <jhfoo@nexlabs.com> wrote:
> Hello all,
>
> I'd like your feedback on a problem I have with allowing access through the ipfw firewall via mac addresses.
>
> Andrew has a good point on mac address spoofing. I agree with him on the security concern, but for the situation that I am setting up, that's ok. But I really need to open the firewall via mac address.
>
> Let me detail my setup:
> dc0 is the interface to the Internet
> vr0 is the interface to the managed network
>
> I tried to read up on ipfw rules on mac, and I got something like this:
> allow ip from any to any MAC any 00:90:d1:00:80:00/33
>
> It does not work of course, but ipfw accepted the command. Basically I need the client with the mac address to be able to go past the firewall in totality.
>
> Can anyone enlighten me on the correct format? Thanks in advance.

Thanks for the credit :-)

See "man ipfw", particularly the PACKET FLOW section.

Try this:

allow ip from any to any layer2 out MAC any 00:90:d1:00:80:00/33
allow ip from any to any layer2 in MAC 00:90:d1:00:80:00/33 any
allow ip from any to any layer2 via <trusted-if>
deny ip from any to any layer2
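The rule set proposed in the reply, packaged as a small script (an added example for this archive page, not code from either poster). It prints the ipfw(8) commands for a given trusted interface and client MAC and only runs them when asked with --apply. Two things it adds that the reply leaves implicit: layer2 rules are never evaluated unless net.link.ether.ipfw is set to 1, and the MAC is used without a mask, because "/33" (copied from the ipfw(8) man page example) tells ipfw that only the first 33 bits are significant, so it would admit every address sharing that prefix rather than the one client. The rule numbers 1000-1030, the script name and the --apply flag are my assumptions.

```sh
#!/bin/sh
# macallow.sh: emit (or apply) ipfw layer2 rules that let one MAC address
# through. Added example, not from the thread; rule numbers and the
# --apply flag are assumptions.
#
#   ./macallow.sh vr0 00:90:d1:00:80:00          # print the commands
#   ./macallow.sh vr0 00:90:d1:00:80:00 --apply  # run them (as root, on FreeBSD)

# Refuse anything that is not six colon-separated hex octets. ipfw will
# happily accept a malformed or masked address that never matches the
# client you meant, which is exactly the silent failure being debugged.
valid_mac() {
    echo "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the commands in the order they must run. Notes on each line:
#  - net.link.ether.ipfw=1 makes ipfw see layer2 frames at all; without it
#    every "layer2" rule below is dead.
#  - The MAC option is "MAC dst src" (destination first), so the "out" rule
#    matches frames the client sent and the "in" rule matches frames
#    addressed to it, as in the reply. Check the PACKET FLOW section of
#    ipfw(8) for where on your path (routed vs. bridged) these are hit.
#  - No mask on the address: all 48 bits must match. "/33" would match
#    every address with the same first 33 bits.
#  - The final deny drops all other layer2 traffic, so anything that is
#    not the client or the trusted interface is blocked.
mac_allow_rules() {
    ifc=$1
    mac=$2
    valid_mac "$mac" || { echo "bad MAC address: $mac" >&2; return 1; }
    echo "sysctl net.link.ether.ipfw=1"
    echo "ipfw add 1000 allow ip from any to any layer2 out MAC any $mac"
    echo "ipfw add 1010 allow ip from any to any layer2 in MAC $mac any"
    echo "ipfw add 1020 allow ip from any to any layer2 via $ifc"
    echo "ipfw add 1030 deny ip from any to any layer2"
}

# Only act when invoked with arguments, so the file can also be sourced.
if [ "$#" -ge 2 ]; then
    if [ "${3:-}" = "--apply" ]; then
        mac_allow_rules "$1" "$2" | sh -e
    else
        mac_allow_rules "$1" "$2"
    fi
fi
```

Print first and read the output before using --apply: the deny on rule 1030 cuts off every layer2 frame that did not match, so a typo in the interface name or MAC locks the managed network out. The script does nothing about the spoofing point raised earlier in the thread; a host that clones the client's MAC gets the same access, which the original poster has said is acceptable for this setup.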