From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 26 19:42:59 2007
From: "Lubomir Georgiev" <0shady0recs0@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Thu, 26 Apr 2007 22:42:57 +0300
Subject: ipfw with nat - allowing by MAC address
Message-ID: <937e203f0704261242x8c13b9bw3f2bcc56bbe20729@mail.gmail.com>
List-Id: IPFW Technical Discussions
X-List-Received-Date: Thu, 26 Apr 2007 19:42:59 -0000

So I guess shit never stops... As I said, I'm currently trying to use the deny rule which you initially supplied to drop the packets which don't get skipped. Here's my current ruleset:

    00100   173035   29328940 allow ip from any to any via xl0
    00300   292524   50232419 skipto 1200 ip from any to any { MAC 00:19:d2:36:b8:48 any or MAC any 00:19:d2:36:b8:48 } layer2
    00800        0          0 deny log logamount 100 ip from any to any MAC any any layer2 via xl0
    01203  3802723 1050820011 divert 8668 ip from 192.168.1.0/24 to any out via fxp0
    01205  2218931 1145072418 divert 8668 ip from any to me in via fxp0
    01250    81843   84998617 queue 1 ip from any to any src-port 80 not layer2 via fxp0
    01251    64777   18975661 queue 1 ip from any to any dst-port 80 not layer2 via fxp0
    01300  4279821 1513380511 queue 2 ip from any to any not src-port 80 not layer2 via fxp0
    01500  6137984 2192285003 allow ip from any to any
    65535        5        416 deny ip from any to any

And the result is the same: everyone on the 192.168.1.0/24 segment gets diverted. And as you can see, no traffic hits rule 800. So what's the deal? Any ideas?

-- 
mEsS wItH tHe bEsT dIE liKe tHe rESt
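Editor's added example (not part of the original post and not FreeBSD's own tooling): a small Python script that parses output in the "rule packets bytes action body" layout of `ipfw -a list`, reports rules whose packet counter is still zero, and, for each such rule, lists the earlier rules that can consume a packet before it gets there: a terminating action (allow/deny family) on the same interface or on any interface, or a `skipto` whose destination lies beyond the rule. The ruleset quoted above is embedded as constructed sample input. Run on it, the script flags rule 800 and names rule 100 (`allow ... via xl0`, which precedes 800 and ends the search for everything on xl0) and rule 300 (`skipto 1200`, which lands past 800) as the candidates. The function names and the interface-only shadowing heuristic are my own; it compares `via`/`recv`/`xmit` restrictions, not the full match expression, so treat its output as a list of rules to inspect rather than a proof.

```python
import re
from collections import namedtuple

# Constructed sample input: the ruleset quoted in the post above, in the
# "rule packets bytes action body" layout that `ipfw -a list` prints.
SAMPLE_LIST = """\
00100 173035 29328940 allow ip from any to any via xl0
00300 292524 50232419 skipto 1200 ip from any to any { MAC 00:19:d2:36:b8:48 any or MAC any 00:19:d2:36:b8:48 } layer2
00800 0 0 deny log logamount 100 ip from any to any MAC any any layer2 via xl0
01203 3802723 1050820011 divert 8668 ip from 192.168.1.0/24 to any out via fxp0
01205 2218931 1145072418 divert 8668 ip from any to me in via fxp0
01250 81843 84998617 queue 1 ip from any to any src-port 80 not layer2 via fxp0
01251 64777 18975661 queue 1 ip from any to any dst-port 80 not layer2 via fxp0
01300 4279821 1513380511 queue 2 ip from any to any not src-port 80 not layer2 via fxp0
01500 6137984 2192285003 allow ip from any to any
65535 5 416 deny ip from any to any
"""

Rule = namedtuple("Rule", "number packets bytes action body")

_LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")

# Actions after which a matching packet never reaches later rules.
# divert/pipe/queue are left out: the packet re-enters the ruleset after them.
_ENDS_SEARCH = {"allow", "accept", "pass", "permit", "deny", "drop", "reject", "unreach"}


def parse_ipfw_list(text):
    """Parse `ipfw -a list` output into Rule records; lines that do not look
    like an accounting line (e.g. dynamic-rule output) are skipped."""
    rules = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            num, pkts, byts, action, body = m.groups()
            rules.append(Rule(int(num), int(pkts), int(byts), action, body.strip()))
    return rules


def interfaces(rule):
    """Interface names the rule is restricted to (via/recv/xmit); empty set = any."""
    return set(re.findall(r"\b(?:via|recv|xmit)\s+(\S+)", rule.body))


def zero_hit_rules(rules):
    """Numbers of rules whose packet counter is still zero, excluding the
    default rule 65535, which is expected to see little or no traffic."""
    return [r.number for r in rules if r.packets == 0 and r.number != 65535]


def shadow_candidates(rules, target_number):
    """Earlier rules that can keep a packet from ever reaching target_number:
    a terminating rule whose interface restriction overlaps the target's (or
    has none), or a skipto whose destination lies beyond the target.
    Heuristic (my own): only interface restrictions are compared."""
    target = next(r for r in rules if r.number == target_number)
    want = interfaces(target)
    found = []
    for r in rules:
        if r.number >= target_number:
            break
        ifs = interfaces(r)
        same_path = not ifs or not want or bool(ifs & want)
        if r.action in _ENDS_SEARCH and same_path:
            found.append(r.number)
        elif r.action == "skipto" and same_path:
            dest = int(r.body.split()[0])  # skipto's first token is the target rule
            if dest > target_number:
                found.append(r.number)
    return found


def report(text):
    """Map each zero-hit rule number to the earlier rules that can shadow it."""
    rules = parse_ipfw_list(text)
    return {n: shadow_candidates(rules, n) for n in zero_hit_rules(rules)}


if __name__ == "__main__":
    for n, earlier in report(SAMPLE_LIST).items():
        print(f"rule {n:05d} has 0 hits; earlier rules that can take the packet first: {earlier}")
```

To use it on a live box, feed it the text of `ipfw -a list` instead of the embedded sample; a zero counter on a deny rule that is supposed to be catching traffic is the cheapest signal that an earlier rule or jump is taking the packets first.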