From owner-freebsd-mobile@FreeBSD.ORG  Sat May 17 05:33:37 2003
Return-Path: <owner-freebsd-mobile@FreeBSD.ORG>
Delivered-To: freebsd-mobile@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4A28C37B401
	for <freebsd-mobile@freebsd.org>;
	Sat, 17 May 2003 05:33:37 -0700 (PDT)
Received: from sec.ms.mff.cuni.cz (sec.ms.mff.cuni.cz [195.113.17.100])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 05F4443F93
	for <freebsd-mobile@freebsd.org>;
	Sat, 17 May 2003 05:33:36 -0700 (PDT)
	(envelope-from vaclav.petricek@mff.cuni.cz)
Received: from localhost (localhost [127.0.0.1])
	by sec.ms.mff.cuni.cz (8.12.8/8.12.8) with ESMTP id h4HCehLR029667
	for <freebsd-mobile@freebsd.org>;
	Sat, 17 May 2003 14:40:44 +0200 (CEST)
	(envelope-from vaclav.petricek@mff.cuni.cz)
Date: Sat, 17 May 2003 14:40:43 +0200 (CEST)
From: Vaclav Petricek <vaclav.petricek@mff.cuni.cz>
X-X-Sender: petricek@sec.ms.mff.cuni.cz
To: freebsd-mobile@freebsd.org
Message-ID: <Pine.BSF.4.50.0305171405460.29459-100000@sec.ms.mff.cuni.cz>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: wi - filtering traffic between stations on the same AP
X-BeenThere: freebsd-mobile@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Mobile computing with FreeBSD <freebsd-mobile.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-mobile>,
	<mailto:freebsd-mobile-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-mobile>
List-Post: <mailto:freebsd-mobile@freebsd.org>
List-Help: <mailto:freebsd-mobile-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-mobile>,
	<mailto:freebsd-mobile-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 17 May 2003 12:33:37 -0000


Hello

I would like to be able to filter traffic between stations connected to
a single AP. The AP should be used just for Internet access and not for
communication between local stations.

Reason:
1. I do not want the stations to use the AP as a retranslation point where
   they do not see each other directly
2. I want to limit the traffic generated by windows broadcasts etc.

I have seen in the wi driver that when the packet is destined for an
associated station, or it is a broad/multi/cast it gets retransmitted
immediatelly.

My questions are:

1. Is there a way to force these packets to go through ipfw without
patching kernel? I have seen some sysctls that should control the ethernet
level filtering but I had no luck making it work on a single wi interface.
A pointer describing the data flow between interface kernel modules,
kernel and firewall modules would be great.
2. In case I do have to make a patch to implement this filtering, what is
the best way to encapsulate it? Some flag to ifconfig that says drop
broadcasts and do not resend packets to associated stations?

Thanks for any hints,

--

Vaclav Petricek