From: Greg Barniskis
Date: Mon, 15 Aug 2005 17:39:51 -0500
To: freebsd-questions@freebsd.org
Cc: vladone
Subject: Re: i can't block win98 computers
Message-ID: <430119B7.6040409@scls.lib.wi.us>

Roland Smith wrote:
> On Mon, Aug 15, 2005 at 11:28:10PM +0300, vladone wrote:
>
>> Hi!
>> I try to block some computers to access my gateway based on MAC
>> address.
>> I use this ipfw rule:
>>   ipfw add 100 deny mac any xx:yy:aa:bb:cc:dd in via $private_interface
>> With this I can block XP computers but not work with Win98. I don't
>> understand what is happened!
>
> As the ipfw manpage states, you can filter on layer-2 header fields (of
> which the MAC address is one) _where available_.
>
> It could be that Win98 doesn't correctly list the MAC address in the
> packets. You could try using tcpdump to check the packets.
>
> Roland

I think you could correct this problem by reversing the rule
construction. Instead of denying all the bad MACs, create rules that
permit all the good MACs and that deny all other traffic. All packets
with unidentified MACs would then get dropped.

Of course, this won't work if you have some Win98 boxes that you'd
like to pass, and some that you'd like to drop.

Otherwise, maybe you could fix the problem by installing FreeBSD on
all the Win98 machines. 8)

-- 
Greg Barniskis, Computer Systems Integrator
South Central Library System (SCLS)
Library Interchange Network (LINK)
, (608) 266-6348
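
The permit-good-MACs, deny-the-rest construction suggested in the reply above, as an added example that is not part of the original message: a small sh function that prints (does not run) the ipfw commands for a MAC allowlist. The interface name em1, the rule numbers and the MAC addresses are constructed; the sketch assumes layer-2 filtering is enabled with the net.link.ether.ipfw sysctl and uses ipfw's layer2 option for the final deny.

```shell
#!/bin/sh
# Added example: emit a default-deny MAC allowlist for ipfw.
# Assumptions: layer-2 filtering is on (sysctl net.link.ether.ipfw=1);
# interface, rule numbers and MAC addresses below are constructed.

# is_mac ADDR: succeed only for six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# mac_allowlist IFACE START MAC...
# Prints one allow rule per MAC, then a catch-all layer-2 deny.
# All MACs are validated first: on any bad address nothing is printed
# and 1 is returned, so a typo cannot produce a partial ruleset.
mac_allowlist() {
    iface=$1 num=$2
    shift 2
    [ "$#" -gt 0 ] || { echo "no MAC addresses given" >&2; return 1; }
    for m in "$@"; do
        is_mac "$m" || { echo "bad MAC: $m" >&2; return 1; }
    done
    for m in "$@"; do
        # ipfw's mac option takes the destination first, then the source,
        # so "mac any $m" matches frames sent by $m (same form as the
        # deny rule quoted in the thread).
        echo "ipfw add $num allow mac any $m in via $iface"
        num=$((num + 10))
    done
    # Frames whose source MAC matched none of the rules above stop here.
    # "layer2" limits the rule to the Ethernet-level pass, so it does not
    # also drop packets when they are re-inspected at the IP layer.
    echo "ipfw add $num deny ip from any to any layer2 in via $iface"
}

# Constructed sample: two permitted hosts on the private interface.
mac_allowlist em1 100 00:11:22:33:44:55 00:11:22:33:44:66
```

Because the allow rules end only the layer-2 pass, permitted traffic is still evaluated by whatever IP-level rules follow in the ruleset.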