Date:      Thu, 23 Feb 2006 23:13:39 +0100
From:      Christian Hiris <4711@chello.at>
To:        freebsd-ipfw@freebsd.org
Cc:        Cesar <listas@itm.net.br>
Subject:   Re: ipfw2 with mac filtering
Message-ID:  <200602232314.27469.4711@chello.at>
In-Reply-To: <000a01c636f0$d3303280$0e4fdfc8@ironman>
References:  <000a01c636f0$d3303280$0e4fdfc8@ironman>

On Tuesday, 21 February 2006 15:12, Cesar wrote:
> Hi,
>
>    I wanted to finish my firewall rules doing a "deny all from any to any",
> but I can't do that with mac filtering at the same time. Let me explain.
>
>    Since I use ipfw mac filter, I have the sysctl variable
> "net.link.ether.ipfw: 1";
>
>    My FreeBSD box has the IP 10.0.0.1 and my Windows box 10.0.0.2.
>
>    An example of my rules:
>
>    00001 0 0 allow ip from 10.0.0.2 MAC any 00:13:20:27:80:d6 any
>    00002 0 0 allow ip from any to 10.0.0.2 MAC 00:13:20:27:80:d6 any
>    65535 0 0 allow ip from any to any
>
>   This works fine; rules 1 and 2 get some matches when I ping from the
> Windows box to FreeBSD.
>   After this test, I added the rule "65534 0 0 deny ip from any to any".
>   It still works, but after some time, if I have no traffic from 10.0.0.2,
> FreeBSD appears to remove the arp entry for that IP; if I do an "arp -a", I
> get:
>
>   ? (10.0.0.1) at 00:08:54:29:ff:17 on xl0 [ethernet]

Set up rules that allow arp broadcasts like:

ipfw add pass MAC any ff:ff:ff:ff:ff:ff
ipfw add pass MAC ff:ff:ff:ff:ff:ff any

Cheers
ch

-- 
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
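Added example, not part of the thread and not Christian's or Cesar's configuration: a complete ipfw ruleset, emitted by a small POSIX shell script, that keeps the goal of a closing deny-all plus MAC pinning for 10.0.0.2 while still letting ARP through. The point it illustrates: ARP frames carry no IP header, so a rule written as "ip from 10.0.0.2 ..." never matches them and a trailing "deny ip from any to any" drops them once the cache entry expires. ARP requests are broadcast, but the replies that refresh the FreeBSD ARP cache are unicast, so the set below allows both kinds in each direction and limits them to the two known MACs. Assumptions: the MAC 00:08:54:29:ff:17 in the quoted arp -a output is the FreeBSD box's own xl0 address, both net.link.ether.ipfw=1 and net.inet.ip.fw.enable=1 are set (so every IP packet is seen twice, once with and once without an Ethernet header), and the rule numbers and the DRY_RUN switch are my own. Flushing the rules on a remote box cuts the session, so print and review the set before loading it.

```shell
#!/bin/sh
# Added example (not from the thread): an ipfw ruleset that pins the Windows
# host's IP to its MAC, ends in a deny-all, and still lets ARP through in both
# directions so the FreeBSD ARP cache can be refreshed.
# Addresses are the thread's sample values; rule numbers and DRY_RUN are mine.
set -eu

FW_IP="10.0.0.1";  FW_MAC="00:08:54:29:ff:17"   # FreeBSD box (assumed from arp -a output)
WIN_IP="10.0.0.2"; WIN_MAC="00:13:20:27:80:d6"  # Windows box
BCAST="ff:ff:ff:ff:ff:ff"

# Emit the rules as text so they can be reviewed or tested before loading.
# Notes on ipfw semantics used here:
#  - with net.link.ether.ipfw=1 every Ethernet frame is offered to ipfw at
#    layer 2; the "layer2" keyword restricts a rule to that pass;
#  - "MAC dst src" only matches on the layer-2 pass (no header at layer 3);
#  - "all from any to any" matches any frame, including non-IP ones such as
#    ARP, whereas an "ip from 10.0.0.2 ..." rule never matches an ARP frame.
ipfw_rules() {
    cat <<EOF
ipfw -q -f flush
# ARP (ethertype 0x0806) on the layer-2 pass. Requests go to the broadcast
# address, replies are unicast, so both destinations are needed per direction.
ipfw add 100 allow all from any to any layer2 mac-type arp MAC $BCAST $WIN_MAC
ipfw add 110 allow all from any to any layer2 mac-type arp MAC $FW_MAC $WIN_MAC
ipfw add 120 allow all from any to any layer2 mac-type arp MAC $BCAST $FW_MAC
ipfw add 130 allow all from any to any layer2 mac-type arp MAC $WIN_MAC $FW_MAC
# IP frames on the layer-2 pass: accept only when IP address and MAC agree,
# which is what stops another station from borrowing 10.0.0.2.
ipfw add 200 allow ip from $WIN_IP to $FW_IP layer2 MAC $FW_MAC $WIN_MAC
ipfw add 210 allow ip from $FW_IP to $WIN_IP layer2 MAC $WIN_MAC $FW_MAC
# Everything else on the wire (other stations, spoofed MACs, other ethertypes).
# "log" needs net.inet.ip.fw.verbose=1 and makes mismatches visible in syslog.
ipfw add 300 deny log all from any to any layer2
# Layer-3 pass of the same IP packets: no Ethernet header here, so no MAC
# option; the layer-2 rules above have already vetted the frame.
ipfw add 400 allow ip from $WIN_IP to $FW_IP
ipfw add 410 allow ip from $FW_IP to $WIN_IP
ipfw add 65534 deny ip from any to any
EOF
}

if [ "${DRY_RUN:-1}" = "1" ]; then
    ipfw_rules                # print the ruleset for review (default)
else
    eval "$(ipfw_rules)"      # load it; this flushes the current rules first
fi
```

Run it as-is to see the generated rules; set DRY_RUN=0 to load them. Rule 300 is the one that turns the MAC check into something you can detect rather than just enforce: a frame from the right IP but the wrong MAC is logged and dropped at layer 2 before the plain layer-3 rules at 400/410 ever see it.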
