From owner-freebsd-questions@FreeBSD.ORG Tue May 25 11:19:46 2004
From: Christian Hiris <4711@chello.at>
To: freebsd-questions@freebsd.org
Cc: "Elijah A.Chancey"
Date: Tue, 25 May 2004 20:19:05 +0200
Subject: Re: IPFW2 Mac Address Filtering
In-Reply-To: <48AEC8F6-AE64-11D8-A8D9-000A957911BA@netlinkip.com>
Message-Id: <200405252019.16593.4711@chello.at>

On Tuesday 25 May 2004 17:57, Elijah A.Chancey wrote:
> I've searched high and low, and have read many times that doing mac
> address filtering with ipfw is possible.
>
> I'm running 4.9, have recompiled the kernel with 'options ipfw2', and
> have recompiled libalias & ipfw with ipfw2 support.
>
> I've read through the man pages, and I can't make this particular rule
> work.
>
> I need to block all IP packets EXCEPT for packets coming from specific
> MAC addresses.
>
> Can anyone give me an example of specifically how I should form this
> rule?
>
> Elijah Chancey
> NetlinkIP Sysadmin
>

Don't forget to set sysctl net.link.ether.ipfw=1.

[...]
# eth0: MAC of firewall NIC
# eth1: MAC of NIC to allow
# eth_broadcast: broadcast address

eth0="00:04:00:00:00:01"
eth1="00:04:00:00:00:02"
eth_broadcast="ff:ff:ff:ff:ff:ff"

${fwcmd} add pass MAC ${eth0} ${eth1}
${fwcmd} add pass MAC ${eth1} ${eth0}
${fwcmd} add pass MAC ${eth_broadcast} ${eth0}
${fwcmd} add pass MAC ${eth_broadcast} ${eth1}
[...]

regards
ch

-- 
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x941B6B0B
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
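An added example, not part of the thread above: a small POSIX sh script that builds the complete layer-2 allowlist the reply sketches (ipfw2's `MAC dst src` operand order, plus the broadcast rules), validates every address before it is used, and closes with a catch-all deny so frames from any MAC not on the list are dropped. FWCMD, FW_MAC and ALLOWED_MACS are constructed values; with FWCMD=echo the script only prints the rule set.

```shell
#!/bin/sh
# Added example (not from the original post). Generates an ipfw2 layer-2
# allowlist: only frames between the firewall NIC and the listed MACs
# (plus their broadcasts) pass; every other Ethernet frame is denied.
# FWCMD=echo previews the rules; FWCMD="/sbin/ipfw -q" would apply them
# once sysctl net.link.ether.ipfw=1 is set, as the reply points out.

FWCMD="${FWCMD:-echo}"
FW_MAC="00:04:00:00:00:01"                          # constructed: firewall NIC
ALLOWED_MACS="00:04:00:00:00:02 00:04:00:00:00:03"  # constructed allowlist
ETH_BCAST="ff:ff:ff:ff:ff:ff"

# valid_mac ADDR: succeed only for a well-formed aa:bb:cc:dd:ee:ff address,
# so a typo in the allowlist cannot turn into a bogus or overly broad rule.
valid_mac() {
    h='[0-9a-fA-F]'
    case "$1" in
        $h$h:$h$h:$h$h:$h$h:$h$h:$h$h) return 0 ;;
        *) return 1 ;;
    esac
}

# mac_rules FW_MAC ALLOWED...: emit one rule per line through $FWCMD.
# Per allowed host: host->firewall, firewall->host, host->broadcast.
# Explicit rule numbers keep the deny last whatever the insertion order.
mac_rules() {
    fw="$1"; shift
    valid_mac "$fw" || return 1
    for m in "$@"; do
        valid_mac "$m" || return 1
    done
    n=100
    for m in "$@"; do
        $FWCMD add $n pass MAC "$fw" "$m";        n=$((n + 1))
        $FWCMD add $n pass MAC "$m" "$fw";        n=$((n + 1))
        $FWCMD add $n pass MAC "$ETH_BCAST" "$m"; n=$((n + 1))
    done
    $FWCMD add $n pass MAC "$ETH_BCAST" "$fw";    n=$((n + 1))
    # Anything else carrying an Ethernet header is dropped at layer 2.
    $FWCMD add $n deny MAC any any
}

# Preview: prints the rule set that the values above produce.
mac_rules "$FW_MAC" $ALLOWED_MACS
```

The final `deny MAC any any` also drops ARP from unlisted hosts, which is the intended effect of a MAC allowlist; hosts you do want reachable must appear in ALLOWED_MACS.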