From: "Lubomir Georgiev" <0shady0recs0@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Fri, 27 Apr 2007 01:54:18 +0300
Subject: ipfw with nat - allowing by MAC address
List-Id: IPFW Technical Discussions
Yeah! People, we can congratulate ourselves! We've done it! With a few modifications I've finally found the smallest working MAC filtered NAT system.

So here's what I ended up with - I'm including the queues just for the entirety of the ruleset, they have nothing to do with the filtering.

    00100 allow ip from any to me not dst-port 8668 via xl0
    00101 allow ip from me not 8668 to any via xl0
    00300 allow ip from any to any { MAC 00:19:d2:36:b8:48 any or MAC any 00:19:d2:36:b8:48 } layer2
    00800 deny log logamount 200 ip from any to any MAC any any layer2 via xl0
    01203 divert 8668 ip from 192.168.1.0/24 to any out via fxp0
    01205 divert 8668 ip from any to me in via fxp0
    01250 queue 1 ip from any to any src-port 80 not layer2 via fxp0
    01251 queue 1 ip from any to any dst-port 80 not layer2 via fxp0
    01300 queue 2 ip from any to any not src-port 80 not layer2 via fxp0
    01500 allow ip from any to any
    65535 deny ip from any to any

Just one note - when I first reached this conclusion I had two very strange *blackouts*. As if the 100 and the 101 rules just suddenly stopped working and I was left out of the box, e.g. I couldn't ssh in although the diverting still worked - I could ping hosts on the Internet. It seems to be fine now, and once I gain some knowledge I'm probably going to expand this ruleset, but for now I've accomplished my goal!

I have all of you to thank for that! Even though it wasn't easy /mostly because of my ignorance I'm sure/ you pulled me through. Respect.

One last request - if someone happens to have some free time and wishes to donate it to me, I'd really like to better understand the whole *layer* thing. I have searched the Internet for answers on this as well as read the ipfw man page, but I can't really understand it.

\/ Peace.

-- 
mEsS wItH tHe bEsT dIE liKe tHe rESt
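As an added illustration of the "layer thing" the poster asks about (this is example code written for this page, not part of the original mail or of ipfw itself): with net.link.ether.ipfw=1, ipfw evaluates the same packet twice, once on the Ethernet path, where the MAC option and the `layer2` keyword apply, and once on the IP path, where only rules without `layer2` (or with `not layer2`) can match. The model below encodes the posted ruleset as first-match predicates and traces a frame arriving on xl0 through both passes. Interface roles and addresses are assumptions: xl0 is taken to be the LAN side carrying the MAC-filtered host, fxp0 the uplink running natd on divert port 8668, and the host addresses and MACs are constructed. The model also assumes that ipfw performs divert only on the IP pass and skips the rule on the Ethernet pass. One thing the trace makes visible: rules 100 and 101 sit before the MAC rules and carry no MAC condition, so traffic addressed to the box itself is accepted from any MAC; whether that is intended is for the operator to decide.

```python
"""Added example: a first-match model of the posted ipfw ruleset, showing the
two passes (Ethernet and IP) a packet makes when net.link.ether.ipfw=1.
Addresses, MACs and interface roles are constructed assumptions."""
from dataclasses import dataclass
import ipaddress

MY_IPS = {"192.168.1.1", "203.0.113.5"}       # constructed: the box's xl0 and fxp0 addresses
TRUSTED_MAC = "00:19:d2:36:b8:48"             # the MAC from posted rule 300
LAN = ipaddress.ip_network("192.168.1.0/24")   # the network from posted rule 1203
XL0_MAC = "00:aa:bb:cc:dd:01"                  # constructed: xl0's own MAC


@dataclass
class Packet:
    layer2: bool        # True on the Ethernet pass, False on the IP pass
    iface: str          # interface the packet is seen on ("via" matches both directions)
    direction: str      # "in" or "out"
    src_ip: str
    dst_ip: str
    sport: int = 0
    dport: int = 0
    src_mac: str = ""   # MAC addresses are only known on the layer-2 pass
    dst_mac: str = ""


def me(ip):
    return ip in MY_IPS


def from_lan(ip):
    return ipaddress.ip_address(ip) in LAN


# (rule number, action, predicate) in the order the post lists them.
# Rules that say neither `layer2` nor `not layer2` match on both passes.
RULES = [
    (100, "allow", lambda p: p.iface == "xl0" and me(p.dst_ip) and p.dport != 8668),
    (101, "allow", lambda p: p.iface == "xl0" and me(p.src_ip) and p.sport != 8668),
    # `MAC dst src`: rule 300 ORs "dst MAC is trusted" with "src MAC is trusted"
    (300, "allow", lambda p: p.layer2 and TRUSTED_MAC in (p.dst_mac, p.src_mac)),
    (800, "deny", lambda p: p.layer2 and p.iface == "xl0"),
    # Assumption of this model: divert only acts on the IP pass.
    (1203, "divert", lambda p: not p.layer2 and p.direction == "out"
                               and p.iface == "fxp0" and from_lan(p.src_ip)),
    (1205, "divert", lambda p: not p.layer2 and p.direction == "in"
                               and p.iface == "fxp0" and me(p.dst_ip)),
    (1250, "queue 1", lambda p: not p.layer2 and p.iface == "fxp0" and p.sport == 80),
    (1251, "queue 1", lambda p: not p.layer2 and p.iface == "fxp0" and p.dport == 80),
    (1300, "queue 2", lambda p: not p.layer2 and p.iface == "fxp0" and p.sport != 80),
    (1500, "allow", lambda p: True),
    (65535, "deny", lambda p: True),
]


def first_match(pkt):
    """Return (rule number, action) of the first rule that matches, as ipfw does."""
    for number, action, matches in RULES:
        if matches(pkt):
            return number, action
    raise AssertionError("unreachable: rule 65535 matches everything")


def lan_frame(src_mac, src_ip, dst_ip, dport):
    """Trace a frame arriving on xl0: the Ethernet pass first, then the IP pass.
    A deny on the Ethernet pass drops the frame, so no IP pass happens."""
    base = dict(iface="xl0", direction="in", src_ip=src_ip, dst_ip=dst_ip,
                dport=dport, src_mac=src_mac, dst_mac=XL0_MAC)
    l2 = first_match(Packet(layer2=True, **base))
    if l2[1] == "deny":
        return {"layer2": l2, "layer3": None}
    return {"layer2": l2, "layer3": first_match(Packet(layer2=False, **base))}


if __name__ == "__main__":
    # trusted host forwarding out: allowed by 300 at layer 2, by 1500 on the IP pass
    print(lan_frame(TRUSTED_MAC, "192.168.1.10", "198.51.100.7", 80))
    # unknown MAC forwarding out: dropped by 800 on the Ethernet pass
    print(lan_frame("00:aa:bb:cc:dd:ee", "192.168.1.20", "198.51.100.7", 80))
    # unknown MAC talking to the box itself: accepted by 100 before any MAC check
    print(lan_frame("00:aa:bb:cc:dd:ee", "192.168.1.20", "192.168.1.1", 22))
```

Run it to see the three traces; the packet then leaves on fxp0 as an IP-pass packet, where rule 1203 hands it to natd.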