From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 2 06:23:14 2007
Message-ID: <46B170F0.3020702@dannysplace.net>
Date: Thu, 02 Aug 2007 15:51:44 +1000
From: Danny Carroll
To: freebsd-ipfw@freebsd.org
Subject: IPFW Mac filter confusion.

Hello,

I am trying to deny traffic based on MAC address. My FreeBSD (6.2) box is
acting as a gateway. The wireless clients connect on ath0 and the wired
network is connected on fxp0. Default route is via fxp0 to the internet
gateway.

Arp table is:

freebsd# arp -a
? (10.0.249.254) at 00:12:6f:11:22:25 on ath0 [ethernet]
? (192.168.10.1) at 00:02:e2:d0:6b:a1 on fxp0 [ethernet]

192.168.10.1 is the gateway and 10.0.249.254 is the host I wish to prohibit.

Here are my rules.

freebsd# ipfw list
00050 deny ip from any to any MAC 00:12:6f:11:22:25 any
00050 deny ip from any to any MAC any 00:12:6f:11:22:25
65535 allow ip from any to any

If I add rules such as:

00050 deny ip from 10.0.249.254 to any
00050 deny ip from any to 10.0.249.254

then the firewall works as I would expect.

I think I must be misunderstanding how the MAC option to ipfw works. The man
page is not terribly helpful, so I was wondering if someone can enlighten me.

-Danny
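The following is an added example, not code from the mailing-list post or from the FreeBSD project. It audits an `ipfw list` listing offline for the two conditions ipfw(8) documents for MAC-matching rules: ipfw only sees Ethernet frames when the sysctl `net.link.ether.ipfw` is set to 1 (it defaults to 0), and a rule that matches on `MAC dst-mac src-mac` is normally written with the `layer2` keyword so it is only evaluated on the layer-2 pass, where the frame header is available. The sample listing is constructed from the rules in the post; the sysctl value is passed in as a parameter rather than read from the running system, and the function names (`parse_rules`, `audit_mac_rules`, `mac_directions`) are this example's own.

```python
"""Offline audit of ipfw MAC-matching rules (added example, not from the post).

Checks, per ipfw(8) on FreeBSD 6.x:
  * net.link.ether.ipfw must be 1 or layer-2 frames never reach ipfw,
    so `MAC` options can never match;
  * a `MAC` rule without the `layer2` keyword is also run on the IP
    (layer-3) pass, where there is no Ethernet header to compare.
It also reports which direction (src/dst) each MAC address is covered in,
since `MAC dst-mac src-mac` matches one direction per rule.
"""
import re

# Constructed sample: the three rules from the post, as `ipfw list` prints them.
SAMPLE_LISTING = """\
00050 deny ip from any to any MAC 00:12:6f:11:22:25 any
00050 deny ip from any to any MAC any 00:12:6f:11:22:25
65535 allow ip from any to any
"""

# Constructed sample of the same rules carrying the `layer2` keyword.
FIXED_LISTING = """\
00050 deny ip from any to any layer2 MAC 00:12:6f:11:22:25 any
00050 deny ip from any to any layer2 MAC any 00:12:6f:11:22:25
65535 allow ip from any to any
"""

RULE_RE = re.compile(r"^(?P<num>\d{5})\s+(?P<body>.*)$")
# ipfw syntax is `MAC dst-mac src-mac`; either side may be `any`.
MAC_RE = re.compile(r"\bMAC\s+(?P<dst>\S+)\s+(?P<src>\S+)", re.IGNORECASE)


def parse_rules(listing):
    """Return [(rule_number, rule_body), ...] for each rule line."""
    rules = []
    for line in listing.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group("num")), m.group("body")))
    return rules


def mac_directions(listing):
    """Map each MAC address to the set of directions ({'src','dst'}) it is matched in."""
    seen = {}
    for _, body in parse_rules(listing):
        m = MAC_RE.search(body)
        if not m:
            continue
        if m.group("dst").lower() != "any":
            seen.setdefault(m.group("dst").lower(), set()).add("dst")
        if m.group("src").lower() != "any":
            seen.setdefault(m.group("src").lower(), set()).add("src")
    return seen


def audit_mac_rules(listing, ether_ipfw_sysctl):
    """Return [(rule_number, finding), ...]; rule number 0 marks a global finding."""
    findings = []
    has_mac_rule = False
    for num, body in parse_rules(listing):
        if not MAC_RE.search(body):
            continue
        has_mac_rule = True
        if "layer2" not in body.split():
            findings.append((num, "MAC match without 'layer2': also evaluated on "
                                  "the IP pass, where no Ethernet header is visible"))
    if has_mac_rule and ether_ipfw_sysctl == 0:
        findings.append((0, "net.link.ether.ipfw=0: layer-2 frames are not passed "
                            "to ipfw, so MAC rules can never match"))
    # One-direction coverage is worth pointing out; the post covers both.
    for mac, dirs in mac_directions(listing).items():
        if dirs != {"src", "dst"}:
            findings.append((0, f"{mac} only matched as {'/'.join(sorted(dirs))}"))
    return findings


if __name__ == "__main__":
    for num, text in audit_mac_rules(SAMPLE_LISTING, 0):
        print(f"rule {num or 'global'}: {text}")
    print("fixed listing with sysctl=1:", audit_mac_rules(FIXED_LISTING, 1))
```

Run against the post's own rules with the default sysctl value, the audit reports both problems; with `layer2` on the rules and the sysctl set to 1 it reports nothing. The `mac_directions` check confirms the post already covers the host in both directions, so the direction of the two `MAC` arguments is not the issue there.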