Date: Thu, 31 Jan 2008 22:57:52 +0700
From: Eugene Grosbein
To: Szemer?dy G?bor
Cc: freebsd-stable@freebsd.org
Subject: Re: Allowing access to IP/MAC pairs only
Message-ID: <20080131155752.GA56720@svzserv.kemerovo.su>
In-Reply-To: <47A213DD.1060806@eccf.su.ac.yu>

On Thu, Jan 31, 2008 at 10:30:53AM -0800, Szemer?dy G?bor wrote:

> We have FreeBSD 6.2 machines with local subnets on the servers and would
> like to allow access to the internet only for workstations with exact
> IP/MAC pairs and deny access for not predefined pairs.
> Is there a solution in firewall settings?

You do not need any firewall for that.
Just use "ifconfig em0 staticarp" to disable ARP table updates for interface em0
(replace em0 with your interface name) and load IP/MAC pairs
into ARP table with "arp -f arps_em0" command where file
named "arps_em0" contains those pairs:

10.10.10.10 00:11:22:33:44:55
10.10.10.11 00:11:22:33:44:56
10.10.10.12 00:11:22:33:44:57

Eugene Grosbein
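
An added example, not part of the original message: a POSIX sh function that checks a pairs file in the "IP MAC" form shown above before it is handed to "arp -f", since with ARP table updates disabled the file is the only source of address resolution on that interface. The function names check_arp_pairs and sample_pairs, the strict two-field line format and the sample lines beyond the first two are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validate an "IP MAC" pairs file before loading it with arp -f.
# Prints one line per problem; returns 0 if the input is clean, 1 otherwise.
check_arp_pairs() {
    awk '
    function bad(msg) { printf "line %d: %s\n", NR, msg; errors++ }
    NF == 0 { next }                         # ignore blank lines
    NF != 2 { bad("expected two fields: IP MAC"); next }
    {
        # IPv4: four decimal octets, each 0-255
        n = split($1, o, "."); ok = (n == 4)
        for (i = 1; ok && i <= 4; i++)
            if (o[i] !~ /^[0-9][0-9]?[0-9]?$/ || o[i] + 0 > 255) ok = 0
        if (!ok) { bad("invalid IPv4 address " $1); next }
        ip = (o[1] + 0) "." (o[2] + 0) "." (o[3] + 0) "." (o[4] + 0)
        # MAC: six colon-separated two-digit hex octets (strict form, assumption)
        mac = tolower($2); n = split(mac, h, ":"); ok = (n == 6)
        for (i = 1; ok && i <= 6; i++)
            if (h[i] !~ /^[0-9a-f][0-9a-f]$/) ok = 0
        if (!ok) { bad("invalid MAC address " $2); next }
        # Low bit of the first octet set means a group (multicast/broadcast) address
        if ((index("0123456789abcdef", substr(h[1], 2, 1)) - 1) % 2) {
            bad("MAC " $2 " is a group address, not a host"); next
        }
        # Each IP and each MAC may appear only once
        if (ip in seen_ip) bad("IP " ip " already on line " seen_ip[ip])
        else seen_ip[ip] = NR
        if (mac in seen_mac) bad("MAC " mac " already on line " seen_mac[mac])
        else seen_mac[mac] = NR
    }
    END { exit (errors > 0) }
    ' "$@"
}

# Constructed sample: the first two lines are from the message, the rest are
# deliberately broken (short MAC, bad IP, duplicate IP, duplicate MAC, broadcast).
sample_pairs() {
    cat <<'EOF'
10.10.10.10 00:11:22:33:44:55
10.10.10.11 00:11:22:33:44:56
10.10.10.12 00:11:22:33:44:5
10.10.10.300 00:11:22:33:44:58
10.10.10.11 00:11:22:33:44:59
10.10.10.13 00:11:22:33:44:55
10.10.10.14 ff:ff:ff:ff:ff:ff
EOF
}
sample_pairs | check_arp_pairs || echo "pairs file has errors; not running arp -f"
```

On a real file the same check gates the load: check_arp_pairs arps_em0 && arp -f arps_em0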