From: Christian Hiris <4711@chello.at>
To: freebsd-ipfw@freebsd.org
Cc: "heath, Chia Hui Chen"
Date: Sat, 8 Jan 2005 15:43:09 +0100
Subject: Re: ipfw + MAC nothing happens?

On Saturday 08 January 2005 14:20, heath, Chia Hui Chen wrote:
> Hello,
> I use FreeBSD 5.2.1 as NAT.
> I wanna limit the 443 port of a computer based on MAC address.
> So I use ipfw.
> # ipfw add 500 deny tcp from any to any 443 MAC any 00:e0:18:62:xx:xx
> But nothing happens, can anybody tell me why?

Did you set 'sysctl net.link.ether.ipfw=1'? And you mix up layer-2 and layer-3 filtering in your rule (read paragraph "PACKET FLOW" in 'man ipfw').

I think you need to do some magic with skipto rules to make this work:

  ipfw add 500 skipto 1000 MAC any 00:e0:18:62:xx:xx
  ipfw add 600 skipto 2000 MAC any any
  # target of rule 500
  ipfw add 1000 deny tcp from any to any 443
  # target of rule 600
  ipfw add 2000 ... [continue with your normal rules here]

It's only an idea of how your problem could be solved; I never tested this.

Cheers,
ch

-- 
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
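An added illustration, not part of the thread: a toy single-pass model of ipfw rule traversal that walks constructed packets through the skipto layout proposed above. The MAC address, the `Packet`/`Rule` classes and the `layer2` flag are assumptions; the flag models the reply's point that a MAC option can only match once net.link.ether.ipfw=1 makes the Ethernet header visible to ipfw.

```python
"""Toy single-pass model of ipfw rule traversal with 'skipto', over constructed
packets, showing how the reply's dispatch scopes the 443 deny to one MAC."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src_mac: str
    proto: str
    dport: int

@dataclass
class Rule:
    number: int
    action: str                    # "allow", "deny" or "skipto"
    target: int = 0                # skipto destination rule number
    src_mac: Optional[str] = None  # "any" or a MAC; None = rule has no MAC option
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet, layer2: bool) -> bool:
        # Assumption: a MAC option can only match when the frame reaches ipfw
        # with its Ethernet header, i.e. net.link.ether.ipfw=1 (layer2=True).
        if self.src_mac is not None:
            if not layer2 or self.src_mac not in ("any", pkt.src_mac):
                return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport

def evaluate(rules, pkt, layer2=True):
    """Return (action, rule_number) of the first terminal match, as ipfw would."""
    rules = sorted(rules, key=lambda r: r.number)
    i = 0
    while i < len(rules):
        r = rules[i]
        if not r.matches(pkt, layer2):
            i += 1
        elif r.action == "skipto":   # resume at the first rule numbered >= target
            i = next((k for k, x in enumerate(rules) if x.number >= r.target), len(rules))
        else:
            return r.action, r.number
    return "deny", 65535             # ipfw's implicit default rule

LIMITED = "02:00:00:00:00:01"        # constructed MAC, stands in for the one in the thread
RULESET = [                          # the skipto layout from the reply
    Rule(500, "skipto", target=1000, src_mac=LIMITED),
    Rule(600, "skipto", target=2000, src_mac="any"),
    Rule(1000, "deny", proto="tcp", dport=443),
    Rule(2000, "allow"),             # stands in for the normal rules
]
```

Running `evaluate(RULESET, pkt, layer2=False)` shows the caveat behind the sysctl question: with no MAC header to match, both skipto rules fall through and rule 1000 denies port 443 for every host, not just the limited one.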