From: Christian Hiris <4711@chello.at>
To: freebsd-questions@freebsd.org
Cc: Steve Quezadas
Date: Tue, 31 Aug 2004 21:42:11 +0200
Subject: Re: Mac filtering with ipfw2

On Tuesday 31 August 2004 18:07, Steve Quezadas wrote:
> Hello,
>
> I have tried and tried and tried to get mac filtering to work with
> ipfw2. I have tried the usual sources (Google Groups, google, mailing
> list, man pages, etc). Here it goes:
>
> I basically want to allow traffic to come from one mac address. I am
> trying to get the following rule to work:
>
> ipfw add accept tcp from any to any MAC any 10:20:30:40:50:60
>
> Yes, ipfw2 is on my freebsd system. This rule is basically: "allow
> traffic from mac address 10:20:30:40:50:60 to anywhere on the
> network".
>
> What am I doing wrong?

Did you set the sysctl net.link.ether.ipfw=1? You can do this
in /etc/sysctl.conf or via the sysctl command.

If you want to establish any kind of useful communication, you need to allow
incoming and outgoing traffic for the specified MAC.

# ipfw add pass MAC any 10:20:30:40:50:60
# ipfw add pass MAC 10:20:30:40:50:60 any

To use arp requests (which are addressed to ff:ff:ff:ff:ff:ff) you need to
allow them a way out, too.

# ipfw add pass MAC any ff:ff:ff:ff:ff:ff

Cheers,
ch

-- 
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x941B6B0B
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
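Added example, not part of the original message: a small sh model of how the layer-2 pass evaluates the `MAC dst-mac src-mac` option (destination first, as ipfw(8) documents it) with first-match semantics and an assumed final deny rule. It runs the three rules as posted and a variant with ff:ff:ff:ff:ff:ff in the destination position; FW and OTHER are constructed addresses, and `mac_match` and `l2_verdict` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: first-match evaluation of ipfw2 "MAC dst-mac src-mac" options,
# layer-2 pass only, with an assumed final deny-all rule.
HOST=10:20:30:40:50:60
BCAST=ff:ff:ff:ff:ff:ff
FW=02:00:00:00:00:01       # constructed: the firewall's own interface
OTHER=02:00:00:00:00:99    # constructed: an unrelated station

# Rules as "action dst-mac src-mac", one per line (destination first).
RULES_POSTED="pass any $HOST
pass $HOST any
pass any $BCAST"
# Same set with the broadcast address in the destination position.
RULES_BCAST_DST="pass any $HOST
pass $HOST any
pass $BCAST any"

# mac_match PATTERN ADDR: "any" matches everything, otherwise exact,
# case-insensitive comparison (masks are not modelled).
mac_match() {
    [ "$1" = any ] && return 0
    [ "$(printf %s "$1" | tr A-F a-f)" = "$(printf %s "$2" | tr A-F a-f)" ]
}

# l2_verdict RULES DST SRC: print the action of the first matching rule.
l2_verdict() {
    while read -r action dst src; do
        if mac_match "$dst" "$2" && mac_match "$src" "$3"; then
            echo "$action"
            return 0
        fi
    done <<EOF
$1
EOF
    echo deny    # assumed default rule: deny everything else
}

# Constructed frames: "label dst src".
for f in "host->fw $FW $HOST" "fw->host $HOST $FW" \
         "host-arp-req $BCAST $HOST" "fw-arp-req $BCAST $FW" \
         "other->fw $FW $OTHER" "other-bcast $BCAST $OTHER"; do
    set -- $f
    printf '%-13s as-posted=%-5s bcast-as-dst=%s\n' "$1" \
        "$(l2_verdict "$RULES_POSTED" "$2" "$3")" \
        "$(l2_verdict "$RULES_BCAST_DST" "$2" "$3")"
done
```

In this model the firewall's own ARP request passes only when the broadcast address sits in the destination position, and that same rule also passes broadcast frames from every other station.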