Date: Thu, 14 May 2009 16:17:54 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Brett Glass <brett@lariat.net>
Cc: net@freebsd.org
Subject: Re: MAC locking and filtering in FreeBSD
Message-ID: <20090514155226.Y46325@sola.nimnet.asn.au>
In-Reply-To: <200905131648.KAA15455@lariat.net>
References: <200905131648.KAA15455@lariat.net>
On Wed, 13 May 2009, Brett Glass wrote:

> I need to find a way to do "MAC address locking" in FreeBSD -- that is, to
> ensure that only a machine with a particular MAC address can use a particular
> IP address. Unfortunately, it appears that rules in FreeBSD's IPFW are
> "stuck" on one layer: rules that look at Layer 2 information in a packet
> can't look at Layer 3, and vice versa. Is there a way to work around this to
> do MAC address locking and/or other functions that involve looking at Layer 2
> and Layer 3 simultaneously?

You can use fixed leases with MAC specified in dhcp for that, with or without specifying a range of addresses available to boxes with unknown MACs. An org I'm working for uses just that method to good effect. You can also specify a different (e.g.) router address for non-fixed leases, towards your 'captive portal' requirement for new boxes.

Re ipfw(8), I'm not clear on what your problem is: the section PACKET FLOW shows clearly how to distinguish layer 2 from layer 3 traffic. Your 'vice versa' here isn't correct; you can select by layer 3 criteria on packets from ether_demux, though of course once (or if) they get to re-enter the firewall at layer 3 (from ip_input) you can't see/test MAC addresses anymore. 'Simultaneously' isn't really the case then; clearly the layer 2 pass occurs first on input, and last on output.

cheers, Ian
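The two halves of the MAC lock described in this reply (dhcpd fixed leases plus ipfw rules that test IP and MAC together during the layer 2 pass), generated from one MAC/IP table, as an added example that is not part of the thread. The interface name em0, the rule numbers and the host table are constructed placeholders; the layer 2 pass itself must be enabled with `sysctl net.link.ether.ipfw=1` before these rules see any traffic.

```shell
#!/bin/sh
# Added example: emit ISC dhcpd host blocks and ipfw layer-2 rules from a
# single MAC/IP table, so both mechanisms lock the same pairs.
# Assumptions (placeholders): inside interface em0, rule numbers from 1000.
IFACE="em0"

# Constructed sample table: "hostname mac ip", one entry per line.
LOCKS='ws1 00:11:22:33:44:55 192.168.1.10
ws2 00:11:22:33:44:66 192.168.1.11'

# dhcpd.conf host declarations: each MAC is always handed the same address.
dhcp_hosts() {
    printf '%s\n' "$LOCKS" | while read -r host mac ip; do
        printf 'host %s { hardware ethernet %s; fixed-address %s; }\n' \
            "$host" "$mac" "$ip"
    done
}

# ipfw rules. Source MACs are visible only in the layer 2 pass (packets from
# ether_demux), so every rule carries "layer2"; the later layer 3 pass from
# ip_input could no longer test them. "MAC dst src" takes the destination
# MAC first, hence "MAC any <src-mac>".
ipfw_rules() {
    n=1000
    printf '%s\n' "$LOCKS" | while read -r host mac ip; do
        # Accept the locked IP only when it arrives from its own MAC.
        printf 'ipfw add %d allow ip from %s to any MAC any %s layer2 in via %s\n' \
            "$n" "$ip" "$mac" "$IFACE"
        n=$((n + 10))
        # The same source IP from any other MAC is a spoof: drop it at layer 2.
        printf 'ipfw add %d deny ip from %s to any layer2 in via %s\n' \
            "$n" "$ip" "$IFACE"
        n=$((n + 10))
    done
}

# Unlocked addresses keep flowing; only the locked IPs are pinned above.
dhcp_hosts
ipfw_rules
```

Unknown MACs still get leases from whatever dynamic range dhcpd offers them; the deny rules bite only when a locked IP shows up on the wire from a foreign MAC.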