Date: Tue, 21 Feb 2006 11:12:15 -0300
From: "Cesar" <listas@itm.net.br>
To: <freebsd-ipfw@FreeBSD.ORG>
Subject: ipfw2 with mac filtering
Message-ID: <000a01c636f0$d3303280$0e4fdfc8@ironman>
Hi,

I wanted to finish my firewall rules with a "deny all from any to any", but I can't do that while using MAC filtering at the same time. Let me explain.

Since I use the ipfw MAC filter, I have the sysctl variable "net.link.ether.ipfw: 1". My FreeBSD box has the IP 10.0.0.1 and my Windows box 10.0.0.2. An example of my rules:

    00001 0 0 allow ip from 10.0.0.2 MAC any 00:13:20:27:80:d6 any
    00002 0 0 allow ip from any to 10.0.0.2 MAC 00:13:20:27:80:d6 any
    65535 0 0 allow ip from any to any

This works fine; rules 1 and 2 get some matches when I ping the FreeBSD box from the Windows box. After this test, I added the rule "65534 0 0 deny ip from any to any". It still works, but after some time with no traffic from 10.0.0.2, FreeBSD appears to remove the ARP entry for that IP. If I do an "arp -a", I get:

    ? (10.0.0.1) at 00:08:54:29:ff:17 on xl0 [ethernet]

So I can't ping my FreeBSD box anymore because it doesn't accept my ARP packets. I tried logging the deny rule and I get some lines saying "Deny mac in". I tried adding another rule before the deny all, "ipfw add 100 allow mac any any", but this rule becomes "allow ip from any to any MAC any any", so I can't end my firewall rules with a "deny all from any to any".

Is this a problem? Is there any workaround for this? I haven't tried using a fixed ARP table, but I'd rather not do that if it isn't necessary.

Thanks
Cesar
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000a01c636f0$d3303280$0e4fdfc8>
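The ruleset from the message above, with one assumed workaround, as an added example that is not part of the original post and not FreeBSD's own documentation. The post itself shows the mechanism: "allow mac any any" is stored as "allow ip from any to any MAC any any", i.e. "ip from any to any" carries no protocol test in ipfw2, so the closing "deny ip from any to any" also matches the ARP frames that net.link.ether.ipfw=1 pushes through the firewall's layer-2 pass. The script below adds a rule narrowed with ipfw's "layer2" and "mac-type arp" options so that only ARP survives that pass, while IP traffic is still governed by the MAC rules and the final deny. The interface, addresses and MAC come from the post; APPLY, PEER_IP, PEER_MAC and the rule numbers (10/20/30 instead of 1/2/100) are this example's own choices. By default it only prints the ipfw commands; set APPLY=1 on a FreeBSD host to run them.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD): an ipfw2
# ruleset that still ends in "deny ip from any to any" but keeps ARP
# working while net.link.ether.ipfw=1 sends layer-2 frames through ipfw.
# Assumed workaround: a rule restricted with "layer2" and "mac-type arp".
# Values below are taken from the post; the variable names are ours.

IFACE="${IFACE:-xl0}"                          # interface seen in "arp -a"
PEER_IP="${PEER_IP:-10.0.0.2}"                 # the Windows box
PEER_MAC="${PEER_MAC:-00:13:20:27:80:d6}"      # its MAC address
APPLY="${APPLY:-0}"                            # 0 = print commands, 1 = run /sbin/ipfw

# Print or execute one ipfw command, depending on APPLY.
fw() {
    if [ "$APPLY" = "1" ]; then
        /sbin/ipfw "$@"
    else
        printf 'ipfw %s\n' "$*"
    fi
}

# The whole ruleset, one ipfw command per line.
ruleset() {
    fw -f flush
    # Rule 10 (assumed workaround): matches only on the layer-2 pass and only
    # frames whose Ethernet type is ARP, in both directions, so the request
    # from the peer and the reply from this host are no longer hit by the
    # final deny. Anything that is not ARP still falls through to the rules
    # below, so this does not open a hole for other non-IP frames.
    fw add 10 allow ip from any to any layer2 mac-type arp
    # The two MAC-pinned rules from the post (MAC syntax is "MAC dst src").
    fw add 20 allow ip from "$PEER_IP" to any MAC any "$PEER_MAC"
    fw add 30 allow ip from any to "$PEER_IP" MAC "$PEER_MAC" any
    # Everything else, IP or layer-2, is logged and dropped; with rule 10 in
    # place the "Deny MAC in" log lines for ARP should disappear.
    fw add 65534 deny log ip from any to any
}

ruleset
```

After applying on the FreeBSD box, let the ARP entry for 10.0.0.2 expire, then check with "ipfw -a list" that the packet counter on rule 10 rises when the Windows box pings again, and that "arp -a" shows the 10.0.0.2 entry on xl0 once more. Keeping the ARP rule tied to both "layer2" and "mac-type arp" matters: a bare "allow ip from any to any layer2" would pass every non-IP frame, which defeats the point of closing the ruleset with a deny.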