From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 30 18:52:29 2007
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4586716A417 for ; Thu, 30 Aug 2007 18:52:29 +0000 (UTC) (envelope-from cswiger@mac.com)
Received: from mail-out3.apple.com (mail-out3.apple.com [17.254.13.22]) by mx1.freebsd.org (Postfix) with ESMTP id 2C2BA13C458 for ; Thu, 30 Aug 2007 18:52:29 +0000 (UTC) (envelope-from cswiger@mac.com)
Received: from relay11.apple.com (relay11.apple.com [17.128.113.48]) by mail-out3.apple.com (Postfix) with ESMTP id 203AEFD8847; Thu, 30 Aug 2007 11:33:52 -0700 (PDT)
Received: from relay11.apple.com (unknown [127.0.0.1]) by relay11.apple.com (Symantec Mail Security) with ESMTP id F123328063; Thu, 30 Aug 2007 11:33:51 -0700 (PDT)
Received: from [17.214.13.96] (cswiger1.apple.com [17.214.13.96]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by relay11.apple.com (Symantec Mail Security) with ESMTP id 1211B28051; Thu, 30 Aug 2007 11:33:51 -0700 (PDT)
In-Reply-To: <46D6CF7A.9080502@wilorc.co.uk>
References: <46D6CF7A.9080502@wilorc.co.uk>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Content-Transfer-Encoding: 7bit
From: Chuck Swiger
Date: Thu, 30 Aug 2007 11:33:50 -0700
To: paul@wilorc.co.uk
X-Mailer: Apple Mail (2.752.2)
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw2 deep packet filtering
List-Id: IPFW Technical Discussions
X-List-Received-Date: Thu, 30 Aug 2007 18:52:29 -0000

On Aug 30, 2007, at 7:08 AM, Paul Bridger wrote:

> I would like to understand if it's possible to discover the real
> MAC address of a packet that has been NAT'd by another device.

No. You can only get the real MACs of devices by listening on the same subnet that the traffic originates from; once it passes through a router (with NAT enabled or not, doesn't matter), you only see the MAC of the device which passed that traffic along.

> The scenario for using this would be for hosts on a wireless LAN
> that connect to a wireless router which NAT's their connection and
> then routes the packets to another LAN (across a wire) where a
> FreeBSD server performs firewall packet filtering via ipfw2. As
> all the connections from the hosts on the wireless LAN have had
> their MAC and IP addresses NAT'd to that of the wireless router, it
> is difficult to distinguish between hosts, unless some form of deep
> packet inspection could be performed to discover the true MAC
> address. Is this something that would be possible with ipfw2?

Nope. You'd need to do your firewall inspection of your wireless router, not on the FreeBSD box.

-- 
-Chuck
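The point made in the reply above, that the original MAC address is not carried anywhere in a packet once a router has forwarded it, can be seen directly by looking at the bytes. The following is an added example, not code from the thread or from ipfw: it builds Ethernet II / IPv4 frames for two wireless hosts, models what a NAT router does when it forwards them onto the wired segment (a fresh Ethernet header with its own MAC, and the source IP rewritten to its own address), and then parses both the pre-NAT and post-NAT frames to show which addresses a packet filter on the wired side could actually match. All MAC and IP addresses, and the simplified router model, are constructed assumptions for the example.

```python
import socket
import struct

# Constructed sample addresses (locally administered MACs, private IPs).
HOST_A_MAC = bytes.fromhex("02aa000000a1")       # wireless host A
HOST_B_MAC = bytes.fromhex("02bb000000b2")       # wireless host B
ROUTER_WLAN_MAC = bytes.fromhex("02cc00000001")  # router's wireless interface
ROUTER_LAN_MAC = bytes.fromhex("02cc00000002")   # router's wired interface
FIREWALL_MAC = bytes.fromhex("02dd00000001")     # FreeBSD box's wired NIC

HOST_A_IP = "192.168.1.10"
HOST_B_IP = "192.168.1.11"
ROUTER_LAN_IP = "10.0.0.2"   # the NAT'd source address seen on the wire
SERVER_IP = "10.0.0.1"       # the FreeBSD box running ipfw

ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src_ip, dst_ip, payload=b"", ttl=64, proto=17):
    """Minimal IPv4 header (no options) with a valid checksum, plus payload."""
    fields = (0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
              socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_frame(dst_mac, src_mac, ip_packet):
    """Ethernet II frame: dst MAC, src MAC, EtherType, then the IP packet."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet


def parse_frame(frame):
    """Return the addressing a packet filter can see: L2 and L3 addresses."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ipv4_checksum(ip[:ihl]) != 0:      # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
            "src_ip": socket.inet_ntoa(ip[12:16]),
            "dst_ip": socket.inet_ntoa(ip[16:20])}


def nat_router_forward(frame):
    """Simplified model of the wireless router: the Ethernet header is
    discarded and rebuilt for the wired segment, and the source IP is
    rewritten to the router's own address. Nothing of the original MAC
    survives in the forwarded bytes."""
    f = parse_frame(frame)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    new_ip = build_ipv4(ROUTER_LAN_IP, f["dst_ip"], ip[ihl:],
                        ttl=ip[8] - 1, proto=ip[9])
    return build_frame(FIREWALL_MAC, ROUTER_LAN_MAC, new_ip)


def what_the_firewall_sees():
    """One packet from each wireless host; compare the addresses visible on
    the wireless segment with those visible on the wire after NAT."""
    frames = {
        "A": build_frame(ROUTER_WLAN_MAC, HOST_A_MAC,
                         build_ipv4(HOST_A_IP, SERVER_IP, b"from A")),
        "B": build_frame(ROUTER_WLAN_MAC, HOST_B_MAC,
                         build_ipv4(HOST_B_IP, SERVER_IP, b"from B")),
    }
    on_wireless = {k: parse_frame(v) for k, v in frames.items()}
    on_wire = {k: parse_frame(nat_router_forward(v)) for k, v in frames.items()}
    return on_wireless, on_wire


if __name__ == "__main__":
    before, after = what_the_firewall_sees()
    for host in ("A", "B"):
        print(host, "on wireless:", before[host])
        print(host, "on wire:    ", after[host])
```

On the wireless segment the two hosts differ in both source MAC and source IP; on the wired segment both frames carry the router's MAC and the router's NAT address, so an ipfw rule on the FreeBSD box (whether a layer-3 rule or a layer-2 `MAC` rule) has nothing to distinguish them by. A per-host policy has to be applied on a device that sits on the wireless segment itself.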