From owner-freebsd-stable@FreeBSD.ORG  Tue Feb 15 21:12:32 2005
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C2E0916A4CE
	for <freebsd-stable@freebsd.org>;
	Tue, 15 Feb 2005 21:12:32 +0000 (GMT)
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.201])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 67DD343D48
	for <freebsd-stable@freebsd.org>;
	Tue, 15 Feb 2005 21:12:32 +0000 (GMT)
	(envelope-from swhetzel@gmail.com)
Received: by wproxy.gmail.com with SMTP id 58so2085636wri
	for <freebsd-stable@freebsd.org>;
	Tue, 15 Feb 2005 13:12:31 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
	s=beta; d=gmail.com;
	h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references;
	b=mkHE6uoY4UurJfsw9a51hZqo0nVfiEyET4gBtYvZrGVTiMTlghyahAxWmB7LaFRV6VcypaHvpFzmqWphStFfVI5QiYxpXloSY4gIGAXcrzCVp9U3mSFN5oHgeJS878/X03Vfas9My2kTrgwmpGK1LeImJnhyi41fcPlMgpCEvos=
Received: by 10.54.56.31 with SMTP id e31mr201640wra;
        Tue, 15 Feb 2005 13:12:31 -0800 (PST)
Received: by 10.54.29.8 with HTTP; Tue, 15 Feb 2005 13:12:31 -0800 (PST)
Message-ID: <790a9fff05021513124e6a016b@mail.gmail.com>
Date: Tue, 15 Feb 2005 15:12:31 -0600
From: Scot Hetzel <swhetzel@gmail.com>
To: Artem Kuchin <matrix@itlegion.ru>
In-Reply-To: <022401c512d7$e0779890$0c00a8c0@artem>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
References: <200502142022.j1EKMl5R092740@lurza.secnetix.de>
	 <022401c512d7$e0779890$0c00a8c0@artem>
cc: freebsd-stable@freebsd.org
Subject: Re: How to make ipfw consider MAC-IP match?
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Scot Hetzel <swhetzel@gmail.com>
List-Id: Production branch of FreeBSD source code
	<freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Feb 2005 21:12:32 -0000

On Mon, 14 Feb 2005 23:58:03 +0300, Artem Kuchin <matrix@itlegion.ru> wrote:
> Hi!
> 
> I have a table with ethernet (MAC) addresses matching IPs. It is
> used to build dhcp config file. But regardless of that any user can
> assign his neighbour ips while that pc is turned off and use it to
> access internet. The local ips are 192.168. and are behind natd.
> I am running 5.3-STABLE and have heard that ipfw2 can in someway
> use MAC addresses, but how do I setup ipfw in such a way that
> it allows certain IP only from one and only one MAC address?
> I hope you are getting my idea.
> 
You would add the following to the end of your IPFW rule for each IP
Address you want to restrict.

 pass all from 192.168.0.10 to any mac any 10:20:30:40:50:60

Where "10:20:30:40:50:60" is the MAC addr for IP addr 192.168.0.10.

Scot