From owner-freebsd-ipfw@FreeBSD.ORG Tue May  1 07:01:23 2007
Date: Tue, 1 May 2007 10:02:04 +0300
From: Fratiman Vladut <vladone@spaingsm.com>
To: ipfw@freebsd.org
Subject: Re[2]: ipfw with nat - allowing by MAC address
Message-ID: <341379168.20070501100204@spaingsm.com>
In-Reply-To: <200704262206.44161.asstec@matik.com.br>
References: <937e203f0704261554i701849d4j6ecf265490d8252b@mail.gmail.com> <200704262206.44161.asstec@matik.com.br>
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>

Test this:

    ipfw add 190 allow ip from any to any layer2 mac-type arp
    $cmd add 192 skipto 201 MAC any xx:xx:xx:xx:xx:xx in via $pif layer2
    ........
    $cmd add 200 deny MAC any any in recv $pif layer2

This is part of a sh script where $pif is a variable that represents your private interface (e.g. pif="fxp0"), and cmd="/sbin/ipfw -q".

Rule 190 allows ARP broadcast traffic. Without this rule, traffic will be blocked after a few minutes.

Rules 192 to 199 (obviously you can use any numbers) contain the MACs that you want to allow.

Rule 200 blocks all the rest of the traffic with a wrong MAC.

Be careful if you want to do traffic shaping, because with layer 2 activated, packets are filtered twice, at the IP level and at the MAC level.

My sincere recommendation is to use PPPoE. It is easy to implement with mpd4 and is secure.
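The script fragment above is described but not shown in full. The following is an added example, not the poster's own script: a POSIX sh generator that builds the complete layer-2 rule set from a list of allowed MAC addresses, numbering the skipto rules 192 through 199 as the message does and refusing malformed addresses or more than eight entries. The function name gen_mac_rules, the helper is_mac, and the ALLOWED_MACS list (constructed sample values) are assumptions; the rule syntax itself is the message's. It prints the ipfw commands rather than executing them, so it runs anywhere; on the firewall host its output can be piped into /bin/sh.

```shell
#!/bin/sh
# Added example: generate the ipfw MAC allow-list described in the message.
# pif and cmd follow the message; the rules are printed, not applied.
pif="fxp0"
cmd="/sbin/ipfw -q"

# Constructed sample allow-list (one MAC per line); replace with real ones.
ALLOWED_MACS="00:11:22:33:44:55
00:11:22:33:44:66"

# is_mac: succeed only for a colon-separated 48-bit MAC address.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# gen_mac_rules LIST: emit rule 190 (ARP), one skipto rule per MAC starting at
# 192, and the catch-all deny at 200. Validates everything before printing so a
# bad list produces no partial rule set; returns 1 on any error.
gen_mac_rules() {
    list="$1"
    n=0
    for mac in $list; do
        if ! is_mac "$mac"; then
            echo "gen_mac_rules: invalid MAC address: $mac" >&2
            return 1
        fi
        n=$((n + 1))
    done
    # Rules 192..199 give room for eight addresses before the deny at 200.
    if [ "$n" -gt 8 ]; then
        echo "gen_mac_rules: at most 8 MACs fit in rules 192-199" >&2
        return 1
    fi
    printf '%s add 190 allow ip from any to any layer2 mac-type arp\n' "$cmd"
    num=192
    for mac in $list; do
        # MAC any <src>: match frames whose source MAC is on the allow-list.
        printf '%s add %d skipto 201 MAC any %s in via %s layer2\n' \
            "$cmd" "$num" "$mac" "$pif"
        num=$((num + 1))
    done
    printf '%s add 200 deny MAC any any in recv %s layer2\n' "$cmd" "$pif"
}

# count_rules LIST: number of ipfw commands gen_mac_rules would emit.
count_rules() {
    gen_mac_rules "$1" | wc -l | tr -d ' '
}

gen_mac_rules "$ALLOWED_MACS"
```

Because the frames are matched on the source MAC only, a rule set like this keeps out unknown stations but does not authenticate them; that is the gap the poster's PPPoE recommendation closes.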