From: "Chris Martin" <outsidefactor@iinet.net.au>
To: freebsd-newbies@freebsd.org
Date: Wed, 8 Sep 2004 02:39:08 +1000
Subject: RE: ipfw2 in 5.2.1
In-Reply-To: <4409622.1094554185019.JavaMail.brisbanebsd@mac.com>
Message-Id: <20040907164018.F1B4A43D49@mx1.FreeBSD.org>
List-Id: Gathering place for new users

G'day.

> hi - this is my first post to this list so go easy on me !

Welcome.

> I am trying to find info on using ipfw2 with freebsd 5.2.1 as I have read
> that it supports MAC address based firewalling.

The ipfw manpage has this to say:

     { MAC | mac } dst-mac src-mac
             Match packets with a given dst-mac and src-mac addresses,
             specified as the any keyword (matching any MAC address), or six
             groups of hex digits separated by colons, and optionally
             followed by a mask indicating the significant bits.  The mask
             may be specified using either of the following methods:

             1.   A slash (/) followed by the number of significant bits.
                  For example, an address with 33 significant bits could be
                  specified as:

                        MAC 10:20:30:40:50:60/33 any

             2.   An ampersand (&) followed by a bitmask specified as six
                  groups of hex digits separated by colons.  For example, an
                  address in which the last 16 bits are significant could be
                  specified as:

                        MAC 10:20:30:40:50:60&00:00:00:00:ff:ff any

                  Note that the ampersand character has a special meaning in
                  many shells and should generally be escaped.

             Note that the order of MAC addresses (destination first, source
             second) is the same as on the wire, but the opposite of the one
             used for IP addresses.

e.g.:

00500 0 0 allow ip from any to any MAC 00:30:4f:27:0e:1a any via ath1
00501 0 0 allow ip from any to any MAC any 00:30:4f:27:0e:1a via ath1

> I cannot find a lot of info on google on compiling the kernel for ipfw2,
> and there is no man page for ipfw2 only ipfw.

If you compile ipfw on 5.x it is ipfw2. In the ipfw manpage:

     NOTE: this manual page documents the newer version of ipfw introduced in
     FreeBSD CURRENT in July 2002, also known as ipfw2.  ipfw2 is a superset
     of the old firewall, ipfw1.  The differences between the two are listed
     in Section IPFW2 ENHANCEMENTS, which you are encouraged to read to revise
     older rulesets and possibly write them more efficiently.  See Section
     USING IPFW2 IN FreeBSD-STABLE for instructions on how to run ipfw2 on
     FreeBSD STABLE.

This is a good start:

http://www.au.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

This is an OK set of more advanced rules (though they assume you have static
addresses):

http://www.acme.com/firewall.html

Hope that helps!
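The MAC operand semantics quoted from the manpage above (the "any" keyword, the "/bits" prefix form, the "&mask" form, and destination-before-source ordering), modelled as an added Python example; this is not code from ipfw or FreeBSD, and the function names and the sample addresses are the example's own.

```python
# Added example: a model of ipfw2's "MAC dst-mac src-mac" matching as the
# manpage describes it. Not ipfw code; names and sample addresses are invented.
import re

# six hex groups, optionally followed by "/bits" or "&xx:xx:xx:xx:xx:xx"
_MAC_RE = re.compile(
    r"^([0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})(?:/(\d+)|&([0-9a-fA-F:]+))?$")

def mac_to_int(text):
    """Convert aa:bb:cc:dd:ee:ff to a 48-bit integer."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError("expected six colon-separated hex groups: %r" % text)
    return int("".join("%02x" % int(p, 16) for p in parts), 16)

def parse_mac_spec(spec):
    """Return (masked value, mask) for one MAC operand, or None for 'any'."""
    if spec.lower() == "any":
        return None
    m = _MAC_RE.match(spec)
    if not m:
        raise ValueError("bad MAC operand: %r" % spec)
    value = mac_to_int(m.group(1))
    if m.group(2) is not None:            # slash form: leading significant bits
        bits = int(m.group(2))
        if not 0 <= bits <= 48:
            raise ValueError("prefix length out of range: %d" % bits)
        mask = ((1 << bits) - 1) << (48 - bits)
    elif m.group(3) is not None:          # ampersand form: explicit bitmask
        mask = mac_to_int(m.group(3))     # (escape the & when typing it in a shell)
    else:                                 # no mask: all 48 bits significant
        mask = (1 << 48) - 1
    return value & mask, mask

def mac_matches(spec, address):
    """True if a frame address satisfies one MAC operand."""
    parsed = parse_mac_spec(spec)
    if parsed is None:                    # "any" matches every address
        return True
    value, mask = parsed
    return mac_to_int(address) & mask == value

def rule_matches(dst_spec, src_spec, frame_dst, frame_src):
    """ipfw lists the MAC operands destination first, then source."""
    return mac_matches(dst_spec, frame_dst) and mac_matches(src_spec, frame_src)
```

A MAC address is whatever the sender's hardware claims, not an authenticated identity, so rules like the two above are best layered with the IP-level rules the handbook link covers.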