From owner-freebsd-questions@FreeBSD.ORG Sat Aug 21 15:27:55 2004
From: Lowell Gilbert
To: Wayne M Barnes
cc: freebsd-questions@freebsd.org
Subject: Re: dhcpd MAC filter
Date: 21 Aug 2004 11:27:54 -0400
Message-ID: <447jrsa4ud.fsf@be-well.ilk.org>
In-Reply-To: <20040820224717.GA66583@etaq.com>
References: <20040820172222.GA65972@etaq.com> <41263C76.7070102@mac.com> <20040820224717.GA66583@etaq.com>

Don't top-post, please. []
[format re-arranged]

Wayne M Barnes writes:

> On Fri, Aug 20, 2004 at 02:01:26PM -0400, Chuck Swiger wrote:
> > Wayne M Barnes wrote:
> > > Is there a way to allow or disallow certain computers by their
> > >MAC number?
> >
> > ipfw 2 supports firewalling by MAC address, so yes.
> >
> > > This ability comes with the software on my wireless access point,
> > >but I prefer that my FreeBSD system hand out the IP addresses,
> > >and I cannot find this MAC-filtering ability at man dhcpd.
> > >
> > > isc-dhcp3-server-3.0.1.r14_2 is my installed port.
> > >Is there another dhcpd to try?
> >
> > You can specify MAC addresses in your DHCP config to reserve specific IP
> > addresses for specific machines. I'm not sure whether there is a way to
> > tell DHCP not to grant a lease to MAC addresses which are not found, but
> > then, without using a firewall, someone could manually configure a foreign
> > host to use the connection, regardless of whether they can get a DHCP lease.
> >
> > --
> > -Chuck
>
> Dear Chuck,
>
> Thanks for the tip about ipfw, but I can't seem to write
> an acceptable line for rc.firewall, even after reading man ipfw,
> which does not show a full example.
>
> For instance, the following confuses ipfw when I put it
> into rc.firewall:
>
> #from man ipfw: MAC 10:20:30:40:50:60/33 any
> ipfw add drop all from MAC 00:02:2d:2e:04:28 to any
>
> It complains that MAC is an unknown machine.
>
> How should I spell a firewall rule invocation that will
> prevent a certain MAC serial number from getting through or to
> my FreeBSD machine?
>
> Thank you for any further advice.

Sounds like you're running the original IPFW rather than IPFW2.
As Chuck Swiger indicated, you need IPFW2 for the MAC keyword.
IPFW2 is standard on FreeBSD 5.x, but not earlier.
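
Added example, not part of the original message or of anyone's reply in this thread: a dry-run shell helper that prints IPFW2 rules dropping frames from given source MAC addresses, using the `MAC dst-mac src-mac` option order documented in ipfw(8) (destination first, so the blocked address goes second). The interface name `wi0`, the rule numbers and the helper names are assumptions, and the printed commands presume a system where IPFW2 is in use.

```shell
#!/bin/sh
# Added example: print (do not apply) ipfw2 rules that drop Ethernet
# frames coming from the listed source MAC addresses.

# Succeeds only for six colon-separated pairs of hex digits.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# mac_deny_rules IFACE FIRST_RULE_NUMBER MAC...
# Prints the commands for review. Returns 1 and prints no commands
# if any address is malformed, so a typo never yields a partial set.
mac_deny_rules() {
    iface=$1
    num=$2
    shift 2
    for mac in "$@"; do
        if ! valid_mac "$mac"; then
            echo "bad MAC address: $mac" >&2
            return 1
        fi
    done
    # ipfw is only handed layer-2 frames when this sysctl is 1.
    echo "sysctl net.link.ether.ipfw=1"
    for mac in "$@"; do
        # MAC is a rule option, not a from/to address: "MAC dst src".
        # "any" matches every destination; the blocked source is second.
        # layer2 restricts the rule to the Ethernet-level pass.
        echo "ipfw add $num deny all from any to any MAC any $mac layer2 in via $iface"
        num=$((num + 10))
    done
}

# The address from the question above; wi0 and 1000 are assumed values.
mac_deny_rules wi0 1000 00:02:2d:2e:04:28
```

With net.link.ether.ipfw set to 1 the whole ruleset is also evaluated for layer-2 frames, so review the existing rules before applying the printed commands.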