Date:      Fri, 08 Jun 2012 16:30:55 -0400
From:      Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
To:        Bill Yuan <bycn82@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: how to filter network by MAC and IP at the same time
Message-ID:  <44y5nxy29s.fsf@be-well.ilk.org>
In-Reply-To: <CAC+JH2zw0+XrJG=xnnFWEh8_JkGc7YnnqFE2VAtQBS5T7RubbA@mail.gmail.com> (Bill Yuan's message of "Fri, 8 Jun 2012 07:22:34 +0800")
References:  <CAC+JH2zw0+XrJG=xnnFWEh8_JkGc7YnnqFE2VAtQBS5T7RubbA@mail.gmail.com>

Bill Yuan <bycn82@gmail.com> writes:

> I am using FreeBSD 9.0 as a firewall and I want to filter the traffic by
> the MAC and the IP at the same time.
>
> For example, I only allow my laptop <MAC Address 1> to go through the
> firewall when it's using IP <IP Address 1>.
>
> How do I configure the firewall rules?
>
> I tried to configure the firewall with the rules below, but it doesn't work:
>
>  ipfw add  1 allow all from <IP Address 1> to any MAC <MAC Address 1> any
>  ipfw add  1 allow all from any to <IP Address 1>  MAC any <MAC Address 1>

Well, for one thing, if I understand your intent, you have the MAC
addresses in the wrong order. Unless your firewall is acting as a
bridge, you also need to keep in mind that the MAC addresses are changed
when passing through, so those rules will only work on one side (i.e.,
you'll need "in via" type rules).

> But it doesn't work. I also found an explanation on Google; someone already
> asked this question before.

I don't understand. Was there a suggested approach or not?

> But I did not find the solution for this requirement. Can someone tell me
> how? Thanks in advance.

I can't guarantee this will work, and I don't have any way to test it,
but my above comments would suggest something more like:

>  ipfw add  1 allow all from <IP Address 1> to any MAC any <MAC Address 1> in via $iif
>  ipfw add  1 allow all from any to <IP Address 1>  MAC <MAC Address 1> any out via $oif

Good luck.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44y5nxy29s.fsf>
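The ruleset sketched in the reply above, worked through as an added example; this is not code from either poster. It assumes a single laptop-facing interface (em0), a placeholder IP 192.168.1.50 standing in for <IP Address 1> and a placeholder MAC 00:11:22:33:44:55 standing in for <MAC Address 1>. It prints the ipfw commands instead of running them, prefixes the net.link.ether.ipfw sysctl that makes Ethernet headers visible to ipfw at all, and (as the poster's stated intent implies) also denies the same IP when it shows up with any other MAC:

```shell
#!/bin/sh
# Added example for the thread above; not Lowell Gilbert's or Bill Yuan's code.
# Interface name, IP and MAC below are assumed placeholders; replace them.
LAN_IF="${LAN_IF:-em0}"                        # assumed interface the laptop hangs off
LAPTOP_IP="${LAPTOP_IP:-192.168.1.50}"         # stands in for <IP Address 1>
LAPTOP_MAC="${LAPTOP_MAC:-00:11:22:33:44:55}"  # stands in for <MAC Address 1>

# Reject an obviously malformed MAC before it ends up inside a rule.
valid_mac() {
    case "$1" in
        [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F])
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Emit the commands instead of executing them, so the set can be reviewed
# (or diffed against the running ruleset) before it is applied.
gen_rules() {
    valid_mac "$LAPTOP_MAC" || { echo "bad MAC: $LAPTOP_MAC" >&2; return 1; }

    # ipfw only sees Ethernet headers once layer-2 filtering is switched on.
    echo "sysctl net.link.ether.ipfw=1"

    # ipfw's MAC option is "MAC dst-mac src-mac" (destination first).
    # Frames arriving from the laptop carry its MAC as the *source*, and
    # that MAC is only visible on the interface the laptop is attached to,
    # so both rules are pinned to that interface with in/out via.
    echo "ipfw add 100 allow ip from $LAPTOP_IP to any MAC any $LAPTOP_MAC layer2 in via $LAN_IF"
    # Frames heading back to the laptop carry its MAC as the *destination*.
    echo "ipfw add 100 allow ip from any to $LAPTOP_IP MAC $LAPTOP_MAC any layer2 out via $LAN_IF"

    # Same IP with any other MAC on that interface: drop it on the layer-2
    # pass. 'layer2' keeps these rules off the separate layer-3 pass, where
    # no MAC is available and the allow rules above can never match.
    echo "ipfw add 110 deny ip from $LAPTOP_IP to any layer2 in via $LAN_IF"
    echo "ipfw add 110 deny ip from any to $LAPTOP_IP layer2 out via $LAN_IF"
}

# Print the ruleset; pipe it into sh on the firewall to apply it.
gen_rules
```

Two caveats a practitioner would want: with net.link.ether.ipfw=1 every Ethernet frame is run through the ruleset twice (layer 2, then layer 3), so the layer-3 rules already on the box still decide whether the laptop's traffic is forwarded at all, and rule 100 must sit before any earlier deny; and a MAC address is trivially forged, so this binds one IP to one NIC on the local segment and nothing more.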