Date: Mon, 14 Feb 2005 21:47:26 -0700
From: John Nielsen <lists@jnielsen.net>
To: freebsd-ipfw@freebsd.org
Cc: vitadiazlistas <vitadiazlistas@yahoo.com.ar>
Subject: Re: To control accessos by MAC address of ethernets
Message-ID: <200502142147.27072.lists@jnielsen.net>
In-Reply-To: <022f01c512b3$102c45b0$0a0a1e0a@isca1>
References: <022f01c512b3$102c45b0$0a0a1e0a@isca1>
On Monday 14 February 2005 09:34 am, vitadiazlistas wrote:
> Can somebody show me how ipfw2 works with respect to MAC addresses?
> Thanks

If you have net.link.ether.ipfw enabled, routed/natted packets can potentially hit the firewall up to four times, and each case ought to be considered (see the PACKET FLOW section of the ipfw manpage). You want a pair of "layer2" rules (which may or may not include any IP addresses) and a pair of "not layer2" rules (which will include IP but not MAC addresses).

I have a working setup that only allows traffic through from assigned MAC/IP pairs on the network. Here are the basics:

Add to /etc/sysctl.conf:

net.link.ether.ipfw=1
net.inet.ip.fw.one_pass=0    # (note that I don't remember exactly why this
                             # was necessary for my setup, but it might be relevant)

Firewall rules:

[flush, pipe flush, etc]
add allow layer2 not mac-type ip    # You need this or you will break ARP,
                                    # among other things
[pipe / queue definitions if using dummynet]
[natd, localhost, etc]
# user list:
add allow layer2 src-ip 10.0.0.5 mac any 00:11:22:33:44:55
add allow layer2 dst-ip 10.0.0.5 mac 00:11:22:33:44:55 any
add allow all from 10.0.0.5 to any not layer2
add allow all from any to 10.0.0.5 not layer2
# ... repeat the above four rules for each MAC/IP pair

Note that if you are using dummynet for IP traffic shaping then you probably want to specify "not layer2" on any rule that adds packets to a pipe or queue, or else packets might be inserted twice.

JN
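As an added example (not part of the message above), a POSIX sh script that generates the four-rule block for every assigned IP/MAC pair, rejects malformed addresses before they reach the firewall, and prints the result for review rather than loading it. The rule numbers, the starting number and the two sample pairs are assumptions; the natd, localhost and dummynet rules the message places before the user list are left as a comment.

```shell
#!/bin/sh
# Generate per-host ipfw rules from "IP MAC" pairs on stdin and print them.
# Nothing is loaded into the kernel; review the output, then feed the file
# to ipfw. Rule numbers and the sample pairs below are assumptions.

# Accept only a well-formed MAC: six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Accept a dotted-quad IPv4 address with every octet in 0..255.
valid_ip() {
    printf '%s\n' "$1" | awk -F. 'NF==4 { for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i>255) exit 1; exit 0 } { exit 1 }'
}

# Emit the four rules for one pair: two layer2 rules binding the IP to the
# MAC in each direction, then two non-layer2 rules that match the IP only.
pair_rules() {
    ip=$1; mac=$2; n=$3
    valid_ip "$ip"   || { echo "bad ip: $ip" >&2; return 1; }
    valid_mac "$mac" || { echo "bad mac: $mac" >&2; return 1; }
    printf 'add %d allow layer2 src-ip %s mac any %s\n'   "$n"         "$ip" "$mac"
    printf 'add %d allow layer2 dst-ip %s mac %s any\n'   "$((n+1))"   "$ip" "$mac"
    printf 'add %d allow all from %s to any not layer2\n' "$((n+2))"   "$ip"
    printf 'add %d allow all from any to %s not layer2\n' "$((n+3))"   "$ip"
}

# Read "IP MAC" pairs from stdin and print the whole user list, preceded by
# the layer2 rule that keeps ARP (and other non-IP frames) working.
gen_ruleset() {
    n=${1:-1000}
    echo 'add 100 allow layer2 not mac-type ip'
    echo '# [pipe/queue, natd and localhost rules go here, as in the message]'
    while read -r ip mac; do
        [ -z "$ip" ] && continue
        pair_rules "$ip" "$mac" "$n" || return 1
        n=$((n+10))
    done
}

# Constructed sample input; in practice read the assigned pairs from a file.
printf '10.0.0.5 00:11:22:33:44:55\n10.0.0.6 00:11:22:33:44:66\n' | gen_ruleset 1000
```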