Date: Sun, 9 Jan 2005 00:14:40 +0800
From: "heath, Chia Hui Chen" <heath0504@gmail.com>
To: <freebsd-ipfw@freebsd.org>
Subject: Re: ipfw + MAC nothing happens?
Message-ID: <00e401c4f59d$2a4804d0$f8813b3d@linuxlmx20ji5l>
References: <007101c4f584$d9a7fd90$f8813b3d@linuxlmx20ji5l> <200501081543.24318.4711@chello.at>
Thanks. I tried it, but something is wrong.

00050 22484 11388448 divert 8668 ip from any to any via fxp0
00100  4414  2006448 allow ip from any to any via lo0
00200     0        0 deny ip from any to 127.0.0.0/8
00300     0        0 deny ip from 127.0.0.0/8 to any
00400    52     4053 skipto 1000 ip from any to any MAC any 00:e0:18:62:xx:xx
00600  7008  3465293 skipto 65000 ip from any to any MAC any any
01000    33     1584 deny tcp from any to any dst-port 443
65000 46408 25226370 allow ip from any to any
65535     0        0 deny ip from any to any

It looks like all my computers behind the NAT are denied access to port 443. Can you please tell me what's wrong? Thank you again.

----- Original Message -----
From: "Christian Hiris" <4711@chello.at>
To: <freebsd-ipfw@freebsd.org>
Cc: "heath, Chia Hui Chen" <heath0504@gmail.com>
Sent: Saturday, January 08, 2005 10:43 PM
Subject: Re: ipfw + MAC nothing happens?

> On Saturday 08 January 2005 14:20, heath, Chia Hui Chen wrote:
> > Hello,
> > I use FreeBSD 5.2.1 as NAT.
> > I wanna limit the 443 port of a computer based on MAC address.
> > So I use ipfw.
> > # ipfw add 500 deny tcp from any to any 443 MAC any 00:e0:18:62:xx:xx
> > But nothing happens, can anybody tell me why?
>
> Did you set 'sysctl net.link.ether.ipfw=1'? And you mix up layer-2 and layer-3
> filtering in your rule (read paragraph "PACKET FLOW" in 'man ipfw'). I think
> you need to do some magic with skipto rules to make this work:
>
> ipfw add 500 skipto 1000 MAC any 00:e0:18:62:xx:xx
> ipfw add 600 skipto 2000 MAC any any
>
> # target of rule 500
> ipfw add 1000 deny tcp from any to any 443
>
> # target of rule 600
> ipfw add 2000 ... [continue with your normal rules here]
>
> It's only an idea of how your problem could be solved; I never tested this.
>
> Cheers,
> ch
>
> --
> Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
> OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
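As an added illustration (not code from this thread or from FreeBSD), here is a small Python model of the two-pass behaviour that the "PACKET FLOW" section of ipfw(8) describes for net.link.ether.ipfw=1: every packet is checked once at layer 2, where the MAC header is visible, and again at layer 3, where it is not. The model assumes that MAC options only match when a MAC header is present, so on the layer-3 pass neither rule 400 nor rule 600 of Heath's ruleset matches and every packet falls through to the deny at 1000; the FIXED variant shows the same ruleset with the `layer2` option added to rule 1000. Divert/NAT and the loopback rules are left out of the model.

```python
# Added example: a minimal model of ipfw rule walking when net.link.ether.ipfw=1.
# Only the options used in the thread (MAC src, tcp dst-port, layer2) are modelled.

def first_match(rules, pkt, layer2):
    """Walk the rules in order and return the action of the first match.
    A rule is (number, action, options); 'skipto N' jumps to rule N."""
    i = 0
    while i < len(rules):
        num, action, opts = rules[i]
        ok = True
        if "src_mac" in opts:  # "MAC any <src>" needs a MAC header to match
            ok = layer2 and opts["src_mac"] in ("any", pkt["src_mac"])
        if ok and "dport" in opts:  # "tcp from any to any <dport>"
            ok = pkt["proto"] == "tcp" and pkt["dport"] == opts["dport"]
        if ok and "layer2" in opts:  # "layer2" keyword: only on the L2 pass
            ok = layer2 == opts["layer2"]
        if ok:
            if action.startswith("skipto"):
                target = int(action.split()[1])
                i = next(k for k, r in enumerate(rules) if r[0] >= target)
                continue
            return action
        i += 1
    return "deny"  # implicit default rule 65535

BLOCKED = "00:e0:18:62:xx:xx"  # placeholder MAC copied from the thread
ORIGINAL = [  # Heath's rules 400/600/1000/65000, as listed in the mail
    (400, "skipto 1000", {"src_mac": BLOCKED}),
    (600, "skipto 65000", {"src_mac": "any"}),
    (1000, "deny", {"dport": 443}),
    (65000, "allow", {}),
]
FIXED = [  # same, but the deny is restricted to the layer-2 pass
    (400, "skipto 1000", {"src_mac": BLOCKED}),
    (600, "skipto 65000", {"src_mac": "any"}),
    (1000, "deny", {"dport": 443, "layer2": True}),
    (65000, "allow", {}),
]

def verdict(rules, pkt):
    """A packet gets through only if both the L2 and the L3 pass allow it."""
    for layer2 in (True, False):
        if first_match(rules, pkt, layer2) == "deny":
            return "deny"
    return "allow"

if __name__ == "__main__":
    other = {"src_mac": "00:11:22:33:44:55", "proto": "tcp", "dport": 443}
    print("ORIGINAL, other host to 443:", verdict(ORIGINAL, other))  # deny
    print("FIXED, other host to 443:   ", verdict(FIXED, other))     # allow
```

On a real system the equivalent change is `ipfw add 1000 deny tcp from any to any 443 layer2`, so that the layer-3 pass, where no MAC rule can match, no longer reaches the deny.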