From owner-freebsd-questions@FreeBSD.ORG Sun Aug 1 05:57:57 2010
Return-Path: <smithi@nimnet.asn.au>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6D679106568C; Sun, 1 Aug 2010 05:57:57 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) by mx1.freebsd.org (Postfix) with ESMTP id ACFE48FC14; Sun, 1 Aug 2010 05:57:56 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id o715vsUg049003; Sun, 1 Aug 2010 15:57:55 +1000 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Sun, 1 Aug 2010 15:57:54 +1000 (EST)
From: Ian Smith
To: Carmel
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW with MAC address configuration
In-Reply-To: <20100730120026.D6D62106572B@hub.freebsd.org>
Message-ID: <20100801152841.L34284@sola.nimnet.asn.au>
References: <20100730120026.D6D62106572B@hub.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Sun, 01 Aug 2010 05:57:57 -0000

In freebsd-questions Digest, Vol 321, Issue 12, Message: 31
On Fri, 30 Jul 2010 07:18:40 -0400 Carmel wrote:

 > I am trying to set up a rule using IPFW that utilizes a MAC address
 > rather than an IP one.
 >
 > ipfw -q allow log tcp from MAC 00-14-A4-43-8E-BA to me 137 in via nfe0 setup keep-state
 >
 > Would that work, assuming the machine I want to allow access has that
 > MAC address?

It's not quite that simple. If you need to examine MAC addresses or
anything else at layer 2 you first have to set

 net.link.ether.ipfw=1

"Controls whether layer-2 packets are passed to ipfw. Default is no."
Then you'll see all packets from ether_demux and ether_output_frame as
well as the usual layer 3 packets (i.e. after the layer 2 headers are
removed) from ip_input and ip_output. Read the PACKET FLOW section in
ipfw(8) for what you need to do to first separate layer 2 and layer 3
packets, as testing for layer 2 options like MAC obviously fails on
layer 3 packets.

Even after separating out the layer 2 flows I'm not sure whether you can
use keep-state with such rules.

And anyway, port 137 (netbios-ns) is a UDP service, not TCP. Is this to
do with Samba, or what?

Please cc me on any reply; I'm subscribed to questions as a -digest
which can take half a day, and the threading gets mangled.

cheers, Ian
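The layer 2 / layer 3 split Ian describes, worked through as a loadable ipfw ruleset. This is an added example for this thread, not code from the original mail or from the FreeBSD project. It assumes the interface (nfe0) and MAC address from the question, UDP/137 as the protected port, and an otherwise default-accept ruleset; the rule numbers and the `mac_rules`/`apply_rules` helper names are this example's own. Note that ipfw parses MAC addresses with ether_aton(3), so they must be colon-separated (00:14:a4:43:8e:ba), not dashed, and that the rules are deliberately stateless, since keep-state on layer 2 rules is the open question in the reply.

```shell
#!/bin/sh
# Added example (not from the original thread or from FreeBSD itself):
# admit netbios-ns (UDP/137) on nfe0 only from frames whose source MAC is
# the trusted host. Assumed: interface nfe0, the MAC from the question,
# and a default-accept ruleset; rule numbers are arbitrary.

# ipfw reads MAC addresses with ether_aton(3), i.e. colon-separated hex,
# so reject the dashed form from the question before emitting any rule.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Emit the ruleset as text so it can be reviewed or diffed before loading.
# $1 = interface, $2 = trusted source MAC, $3 = UDP port to protect.
mac_rules() {
    iface=$1 mac=$2 port=$3
    valid_mac "$mac" || { echo "bad MAC '$mac': use aa:bb:cc:dd:ee:ff" >&2; return 1; }
    cat <<EOF
# --- Layer 2 pass (frames only get here with net.link.ether.ipfw=1) ---
# Every rule carries 'layer2', so none of them can match the layer 3 copy
# of the same packet, where the MAC fields no longer exist. ipfw parses the
# IP header of an IP frame at layer 2, so proto/port tests work here.
# MAC syntax is 'MAC dst-mac src-mac'; 'any' for dst, the trusted host as src.
add 100 allow udp from any to me $port in via $iface layer2 MAC any $mac
add 110 deny  udp from any to me $port in via $iface layer2
add 190 allow layer2
# --- Layer 3 pass (the usual ip_input / ip_output hooks) ---
# A port-$port datagram arriving on $iface has already passed rule 100,
# so it is accepted here; everything else keeps the default-accept policy.
add 200 allow udp from any to me $port in via $iface
add 65000 allow ip from any to any
EOF
}

# Flush and load from a file (ipfw(8) accepts a pathname of commands) so a
# syntax error is reported by ipfw rather than leaving half a ruleset behind.
apply_rules() {
    tmp=$(mktemp) || return 1
    mac_rules "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    sysctl net.link.ether.ipfw=1 >/dev/null
    ipfw -q -f flush
    ipfw -q "$tmp"
    rm -f "$tmp"
}

# As root on a FreeBSD box with ipfw, load the rules; elsewhere, just
# print them for review.
if [ "$(id -u)" -eq 0 ] && command -v ipfw >/dev/null 2>&1; then
    apply_rules nfe0 00:14:a4:43:8e:ba 137
else
    mac_rules nfe0 00:14:a4:43:8e:ba 137
fi
```

Rule 190 is what keeps the layer 2 pass from swallowing everything else: frames that are not port-137 IP traffic fall through it unchanged and are examined again, without MAC fields, by the layer 3 rules. If the goal were to restrict more than one service to the trusted host, the pair of rules 100/110 is the part to duplicate per port; rule 190 stays last in the layer 2 block.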