From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 7 21:46:08 2004
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B6FB216A4CE for ; Tue, 7 Sep 2004 21:46:08 +0000 (GMT)
Received: from out005.verizon.net (out005pub.verizon.net [206.46.170.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2CF6443D49 for ; Tue, 7 Sep 2004 21:46:08 +0000 (GMT) (envelope-from skip.ford@verizon.net)
Received: from pool-70-17-33-17.pskn.east.verizon.net ([70.17.33.17]) by out005.verizon.net ESMTP <20040907214607.YLLR7520.out005.verizon.net@pool-70-17-33-17.pskn.east.verizon.net> for ; Tue, 7 Sep 2004 16:46:07 -0500
Date: Tue, 7 Sep 2004 17:46:06 -0400
From: Skip Ford
To: freebsd-ipfw@freebsd.org
Message-ID: <20040907214606.GA2502@lucy.pool-70-17-33-17.pskn.east.verizon.net>
Mail-Followup-To: freebsd-ipfw@freebsd.org
References: <5213605.1094564962778.JavaMail.brisbanebsd@mac.com> <20040907210245.GA587@lucy.pool-70-17-33-17.pskn.east.verizon.net> <200409072312.46887.RoKlein@roklein.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200409072312.46887.RoKlein@roklein.de>
User-Agent: Mutt/1.4.2.1i
X-Authentication-Info: Submitted using SMTP AUTH at out005.verizon.net from [70.17.33.17] at Tue, 7 Sep 2004 16:46:07 -0500
Subject: Re: simple mac address filter
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Tue, 07 Sep 2004 21:46:08 -0000

Robert Klein wrote:
> On Tuesday, 7 September 2004 23:02, Skip Ford wrote:
> > brisbanebsd@mac.com wrote:
> > > I need to set up MAC filtering on a 5.2.1 FreeBSD box.
> >
> > Have you enabled it by setting net.link.ether.ipfw to 1?
> >
> > > ipfw add allow ip from any to any mac any 00:0d:93:81:82:1e
> >
> > Your rule works fine here.
> >
> > # ipfw add 10 allow ip from any to any mac 00:50:bf:d3:5a:2f any
> > 00010 allow ip from any to any MAC 00:50:bf:d3:5a:2f any
> > # ipfw show 10
> > 00010 0 0 allow ip from any to any MAC 00:50:bf:d3:5a:2f any
> > # sysctl net.link.ether.ipfw=1
> > net.link.ether.ipfw: 0 -> 1
> > # ipfw show 10
> > 00010 351 514213 allow ip from any to any MAC 00:50:bf:d3:5a:2f any
>
> umm... I think this should not work... except if you have
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> in your kernel config file. Could you please check and tell us?

No, it denies, but I have other layer 3 rules that allow it. It didn't occur to me the OP was trying to hit both layers with a single rule.

-- 
Skip
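The point in the reply above is that with net.link.ether.ipfw=1 each packet is run through the ipfw ruleset more than once: once as an Ethernet frame (where the MAC addresses are visible and a rule with "mac" can match) and again at layer 3, where the same rule cannot match because there is no frame information. A single "allow ... mac ..." rule therefore only ever clears the layer-2 pass; the layer-3 pass still needs its own allow, and a deny that is meant to block unknown stations must be restricted to layer 2 or it will also drop every packet on the layer-3 pass. The script below is an added example, not code from the thread or from FreeBSD; it generates a small ipfw2 ruleset in the file format ipfw(8) accepts as a pathname argument, using the "mac" and "layer2" keywords of FreeBSD 5.x ipfw2. The MAC addresses, the rule numbers, the helper names gen_mac_rules and count_rules, and the "allow all" used as the layer-3 policy are all constructed for the example and would be replaced by the site's real whitelist and layer-3 rules.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: generate (and optionally
# load) an ipfw2 ruleset that whitelists source MAC addresses at layer 2 and
# handles the layer-3 pass with a separate rule. MAC addresses below are
# constructed sample values; rule numbers are arbitrary choices.
set -eu

# gen_mac_rules MAC [MAC ...]
# Print one "add ..." command per line, the format "ipfw <pathname>" reads.
gen_mac_rules() {
    n=100
    for mac in "$@"; do
        # Inbound frame pass only ("layer2 in"). The mac arguments are
        # dst-mac src-mac, so "mac any $mac" matches frames FROM the station.
        printf 'add %d allow ip from any to any mac any %s layer2 in\n' "$n" "$mac"
        n=$((n + 1))
    done
    # Frames this host sends leave unfiltered at layer 2 (outbound broadcast
    # frames such as ARP requests included). Numbering assumes < 800 MACs.
    printf 'add 900 allow all from any to any layer2 out\n'
    # Every other inbound frame is dropped. "layer2" is essential here:
    # without it this deny would also match the layer-3 pass of every packet.
    printf 'add 999 deny all from any to any layer2\n'
    # Layer-3 pass: only packets whose frames were accepted above get here,
    # so the site's normal layer-3 policy applies (plain allow in this example).
    printf 'add 1000 allow all from any to any\n'
}

# count_rules MAC...: number of rule lines gen_mac_rules emits (sanity check)
count_rules() {
    gen_mac_rules "$@" | wc -l | tr -d ' '
}

if [ "$#" -eq 0 ]; then
    # Constructed sample: a single whitelisted station (hypothetical address)
    set -- 00:0d:93:81:82:1e
fi

if [ "${1:-}" = "--apply" ]; then
    # Load the rules for real: needs root and a kernel built with IPFIREWALL.
    shift
    [ "$#" -gt 0 ] || { echo "usage: $0 --apply MAC [MAC ...]" >&2; exit 1; }
    rules=$(mktemp) || exit 1
    gen_mac_rules "$@" > "$rules"
    sysctl net.link.ether.ipfw=1      # turn on the layer-2 passes through ipfw
    ipfw -q "$rules"                  # read the file as ipfw commands
    rm -f "$rules"
else
    gen_mac_rules "$@"                # dry run: print the ruleset
fi
```

Running the script without arguments prints the ruleset for review; "--apply" followed by the whitelisted MACs enables the sysctl and loads it. Two caveats a practitioner will want: the layer-2 deny also drops non-IP frames (ARP among them) from stations that are not on the list, which is the intent of a MAC whitelist but will surprise anyone expecting only IP to be filtered; and a source MAC is trivially forged by anyone on the same segment, so this kind of filter is a convenience control, not an authentication mechanism.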