From: Lowell Gilbert
To: The Jetman
Cc: FBSD Questions (freebsd-questions@freebsd.org)
Date: 21 Apr 2003 11:35:54 -0400
Subject: Re: [Q-4.8-R] Can Anyone Help With Questions About MAC Filtering and IPFW2 ?
Message-ID: <44k7dnoobp.fsf@be-well.ilk.org>

"The Jetman" writes:

It's somewhat difficult to read and make sense out of your message.

> I'm using 4.8-RELEASE to implement a MAC-filtering bridge for my
> wireless network. Although I am relatively new with FBSD (since Apr '02),
> I've been getting the desired results writing my own rules for IPFW. My
> first attempt with IPFW2 was successful, but I can't figure out why!
>
> ${fwcmd} -f flush
> #### permit all traffic from our wksta to anywhere via our internal iface
> ${fwcmd} add permit ${ipanyany} MAC any ${wksmac} in via ${iif}      # (1)
> ${fwcmd} add permit ${ipanyany} MAC ${wksmac} any out via ${iif}
> #### permit all traffic from/to the outside iface....
> ${fwcmd} add permit ${ipanyany} MAC ${oifmac} any in via ${oif}
> ${fwcmd} add permit ${ipanyany} MAC any ${oifmac} out via ${oif}
> #### block anything else coming from/going to the internal iface....
> ${fwcmd} add deny log ${ipanyany} MAC any any in via ${iif}          # (2)
> ${fwcmd} add allow ${ipanyany}                                       # (3)
>
> Only rules (1), (2), and (3) fire. Rule (1) fires for obvious reasons
> (because it matches the pattern I've anticipated). Because of how
> IP-based IPFW1 rules work, I *thought* one would have to have matching
> inbound/outbound rules. What's most baffling is that while non-approved
> MAC addrs are blocked as desired [at rule (2)], legal traffic is
> permitted back through the bridge to its sender [via rule (3)]. WHY????

It's not clear to me how a bare IP address (without "to" or "from" or an
option keyword) is supposed to be interpreted. Does it matter if you add
those in?
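The following is an added example, not part of the thread above and not code from either poster. It models first-match evaluation of the posted ruleset so the reader can trace which rule each bridged frame hits. It rests on two assumptions about ipfw2 taken from ipfw(8) and bridge(4): the MAC keyword's operands are ordered "MAC dst-mac src-mac" (destination first), and a bridged frame is passed to the firewall once, on the input path, so "out via" rules are never consulted for it. The interface names, MAC addresses, and the reading of ${ipanyany} as "ip from any to any" are all assumed for illustration.

```python
"""Model of ipfw2 MAC-rule evaluation for the bridge ruleset in the thread.

Added example, not from the thread. Two behaviours are ASSUMED from ipfw(8)
and bridge(4): the MAC keyword takes "MAC dst-mac src-mac" (destination
first), and bridged frames are filtered once, on input, so "out via" rules
are never consulted for them. Interface names and MACs are made up.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

IIF, OIF = "wi0", "fxp0"        # assumed: inside (wireless) and outside ifaces
WKSMAC = "00:02:2d:aa:bb:cc"    # assumed approved workstation (${wksmac})
OIFMAC = "00:a0:c9:11:22:33"    # assumed MAC of the outside iface (${oifmac})
ROUTER = "00:50:ba:dd:ee:ff"    # assumed upstream router on the outside
ROGUE = "00:0c:29:99:99:99"     # assumed non-approved wireless client


@dataclass
class Frame:
    dst: str
    src: str
    direction: str  # "in" or "out"
    iface: str


@dataclass
class Rule:
    num: int
    action: str                      # "permit"/"allow" or "deny"
    dst: str = "any"                 # first MAC operand = destination
    src: str = "any"                 # second MAC operand = source
    direction: Optional[str] = None  # None: matches both in and out
    via: Optional[str] = None        # None: any interface

    def matches(self, f: Frame) -> bool:
        return (
            self.dst in ("any", f.dst)
            and self.src in ("any", f.src)
            and self.direction in (None, f.direction)
            and self.via in (None, f.iface)
        )


# The posted ruleset. ${ipanyany} is read as "ip from any to any", which is
# always true here; ipfw's default numbering (steps of 100) stands in for the
# poster's (1)-(3) labels.
RULES = [
    Rule(100, "permit", "any", WKSMAC, "in", IIF),   # (1) from the workstation
    Rule(200, "permit", WKSMAC, "any", "out", IIF),  #     to the workstation
    Rule(300, "permit", OIFMAC, "any", "in", OIF),   #     addressed to the bridge
    Rule(400, "permit", "any", OIFMAC, "out", OIF),  #     sent by the bridge
    Rule(500, "deny", "any", "any", "in", IIF),      # (2) anything else from inside
    Rule(600, "allow"),                              # (3) everything else
]


def first_match(frame: Frame) -> Optional[Rule]:
    """ipfw semantics: the first matching rule wins; None means default deny."""
    for rule in RULES:
        if rule.matches(frame):
            return rule
    return None


def bridge_verdict(dst: str, src: str, in_iface: str) -> Tuple[int, str]:
    """A bridged frame is checked once, on input (assumed per bridge(4))."""
    rule = first_match(Frame(dst, src, "in", in_iface))
    return (rule.num, rule.action) if rule else (65535, "deny")


def verdict_if_output_were_checked(dst: str, src: str,
                                   out_iface: str) -> Tuple[int, str]:
    """Contrast: the rule that WOULD fire if the bridge also ran an output pass."""
    rule = first_match(Frame(dst, src, "out", out_iface))
    return (rule.num, rule.action) if rule else (65535, "deny")


if __name__ == "__main__":
    # workstation -> router: approved source MAC entering via the inside iface
    print(bridge_verdict(ROUTER, WKSMAC, IIF))        # (100, 'permit')  rule (1)
    # router -> workstation: dst is the workstation, not OIFMAC, so 300 misses
    print(bridge_verdict(WKSMAC, ROUTER, OIF))        # (600, 'allow')   rule (3)
    # unapproved client on the wireless side
    print(bridge_verdict(ROUTER, ROGUE, IIF))         # (500, 'deny')    rule (2)
    # the "out via wi0" rule is only reachable on an output pass
    print(verdict_if_output_were_checked(WKSMAC, ROUTER, IIF))  # (200, 'permit')
```

Under these assumptions the model reproduces exactly what the poster observed: only rules (1), (2) and (3) ever match. The frame returning to the workstation carries the workstation's MAC as its destination, so the "MAC ${oifmac} any in via ${oif}" rule (which requires the bridge's own MAC as destination) does not match it, and it falls through to the catch-all. The last call shows that the "out via" rule would only be reached if bridged frames were also checked on output; whether that is really the case on a given 4.8 box is something to confirm with `ipfw show` counters rather than take from this model.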