From owner-freebsd-isp@FreeBSD.ORG Thu Sep 23 16:44:45 2004
Return-Path:
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3F53716A4CE for ; Thu, 23 Sep 2004 16:44:45 +0000 (GMT)
Received: from tyberius.abccom.bc.ca (tyberius.abccom.bc.ca [204.239.167.97]) by mx1.FreeBSD.org (Postfix) with SMTP id 8A0BC43D48 for ; Thu, 23 Sep 2004 16:44:44 +0000 (GMT) (envelope-from jon@abccom.bc.ca)
Received: (qmail 78820 invoked by uid 1000); 23 Sep 2004 16:44:37 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 23 Sep 2004 16:44:37 -0000
Date: Thu, 23 Sep 2004 09:44:37 -0700 (PDT)
From: Jon Simola
To: Bikrant Neupane
In-Reply-To: <200409231336.57405.bikrant_ml@wlink.com.np>
Message-ID: <20040923091609.K60082-100000@tyberius.abccom.bc.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-isp@freebsd.org
Subject: Re: Ipfw accept rule
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 23 Sep 2004 16:44:45 -0000

On Thu, 23 Sep 2004, Bikrant Neupane wrote:

> Here is my rule set:
>
> #skip depending the pkt layer
> 01000 322 14780 skipto 10000 ip from any to any layer2 in via xl0
> 01100 200 93204 skipto 20000 ip from any to any not layer2
>
> #rule num 10000 to 20000 allocated for layer2 filtering
> #for mac filter: allow only listed mac to send traffic
> 10000 39 1780 allow ip from any to any MAC any 00:00:0e:84:00:83 in via xl0
> #default deny all mac coming in from xl0
> 19997 284 13046 deny ip from any to any MAC any any in via xl0

If this is layer2 filtering, where are the layer2 tags in the ipfw rule?
And if this is the extent of your layer 2, then don't forget an allow/deny
default for layer2 packets (allow ip from any to any layer2).

Also, you're only checking your layer2 on a specific interface, perhaps
you only have one. I've got something like:

00010 skipto 32000 ip from any to any not layer2
00050 deny ip from any to any MAC any 00:30:da:00:00:00/24 layer2 in
00055 count ip from any to any MAC any 00:0b:db:1d:63:56 layer2 in // sniffing for traffic
03100 allow ip from any to any layer2
// bandwidth monitoring pipes
32003 pipe 3 ip from any to any src-ip 10.10.66.0/24 in recv em1
32004 pipe 4 ip from any to any dst-ip 10.10.66.0/24 out xmit em1
65534 allow ip from any to any
65535 deny ip from any to any

---
Jon Simola            | "In the near future - corporate networks
Systems Administrator | reach out to the stars, electrons and light
ABC Communications    | flow throughout the universe." -- GITS
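As an added illustration that is not part of the mailing-list exchange: a small Python model of ipfw's first-match rule walk (skipto, count, pipe, the layer2 / not layer2 option, in/out, interface, MAC with a /bits mask, src-ip/dst-ip). It encodes both rulesets from the thread and runs constructed frames through them to show what the default layer2 rule does. The MAC and IP values in the test packets are made up except where they are taken from the thread; the model assumes that nothing follows Bikrant's quoted rules except ipfw's implicit 65535 deny, that a pipe rule ends the search (one_pass=1 behaviour), and that MAC options can only match on the layer2 pass, where the frame still carries an Ethernet header.

```python
"""Minimal model of ipfw's first-match rule walk (added example, not code from the list post).

Only options used in the thread are modelled: layer2 / not layer2, in / out,
via|recv|xmit <iface>, MAC <dst> <src> with optional /bits mask, src-ip / dst-ip.
Assumptions: pipe ends the search (one_pass=1); MAC options match only on the
layer2 pass, where an Ethernet header is present.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    layer2: bool            # True on the layer2 pass, False on the IP-layer pass
    direction: str          # "in" or "out"
    iface: str              # interface the packet was received on / sent out of
    src_mac: str = ""
    dst_mac: str = ""
    src_ip: str = "0.0.0.0"
    dst_ip: str = "0.0.0.0"


@dataclass
class Rule:
    num: int
    action: str                    # allow | deny | count | skipto | pipe
    target: int = 0                # skipto rule number or pipe number
    layer2: Optional[bool] = None  # True = "layer2", False = "not layer2", None = unset
    direction: Optional[str] = None
    iface: Optional[str] = None
    dst_mac: Optional[str] = None  # "any" or "xx:xx:xx:xx:xx:xx[/bits]"
    src_mac: Optional[str] = None
    src_ip: Optional[str] = None   # CIDR
    dst_ip: Optional[str] = None


def mac_matches(spec: Optional[str], mac: str) -> bool:
    """ipfw-style MAC compare; /bits keeps only the leading bits (/24 = vendor OUI)."""
    if spec is None or spec == "any":
        return True
    addr, _, bits = spec.partition("/")
    nbits = int(bits) if bits else 48
    mask = ((1 << nbits) - 1) << (48 - nbits)
    want = int(addr.replace(":", ""), 16)
    have = int(mac.replace(":", ""), 16)
    return (want & mask) == (have & mask)


def rule_matches(r: Rule, p: Packet) -> bool:
    if r.layer2 is not None and r.layer2 != p.layer2:
        return False
    if r.direction is not None and r.direction != p.direction:
        return False
    if r.iface is not None and r.iface != p.iface:
        return False
    if r.dst_mac is not None or r.src_mac is not None:
        if not p.layer2:           # no Ethernet header on the IP-layer pass
            return False
        if not (mac_matches(r.dst_mac, p.dst_mac) and mac_matches(r.src_mac, p.src_mac)):
            return False
    if r.src_ip is not None and ipaddress.ip_address(p.src_ip) not in ipaddress.ip_network(r.src_ip):
        return False
    if r.dst_ip is not None and ipaddress.ip_address(p.dst_ip) not in ipaddress.ip_network(r.dst_ip):
        return False
    return True


def walk(rules, p: Packet):
    """Return (rule number, action) of the rule that ends the search for packet p."""
    rules = sorted(rules, key=lambda r: r.num)
    i = 0
    while i < len(rules):
        r = rules[i]
        if not rule_matches(r, p):
            i += 1
        elif r.action == "count":      # count never terminates the search
            i += 1
        elif r.action == "skipto":     # continue at the first rule numbered >= target
            i = next((j for j, s in enumerate(rules) if s.num >= r.target), len(rules))
        else:
            return r.num, r.action
    return 65535, "deny"               # ipfw's implicit default rule


# Bikrant's quoted rules, assumed to be followed only by the default 65535 deny.
BIKRANT = [
    Rule(1000, "skipto", target=10000, layer2=True, direction="in", iface="xl0"),
    Rule(1100, "skipto", target=20000, layer2=False),
    Rule(10000, "allow", dst_mac="any", src_mac="00:00:0e:84:00:83", direction="in", iface="xl0"),
    Rule(19997, "deny", dst_mac="any", src_mac="any", direction="in", iface="xl0"),
]

# Jon's ruleset from the reply.
JON = [
    Rule(10, "skipto", target=32000, layer2=False),
    Rule(50, "deny", layer2=True, direction="in", dst_mac="any", src_mac="00:30:da:00:00:00/24"),
    Rule(55, "count", layer2=True, direction="in", dst_mac="any", src_mac="00:0b:db:1d:63:56"),
    Rule(3100, "allow", layer2=True),
    Rule(32003, "pipe", target=3, direction="in", iface="em1", src_ip="10.10.66.0/24"),
    Rule(32004, "pipe", target=4, direction="out", iface="em1", dst_ip="10.10.66.0/24"),
    Rule(65534, "allow"),
    Rule(65535, "deny"),
]

if __name__ == "__main__":
    # Constructed frames; MACs/IPs are made up except those taken from the thread.
    print(walk(BIKRANT, Packet(True, "out", "xl0", "00:00:0e:84:00:83", "00:11:22:33:44:55")))
    print(walk(JON, Packet(True, "in", "em1", "00:30:da:12:34:56", "ff:ff:ff:ff:ff:ff")))
    frame = Packet(True, "in", "em1", "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "10.10.66.7", "192.0.2.1")
    print(walk(JON, frame), walk([r for r in JON if r.num != 3100], frame))
```

The three prints show the points the reply makes: with only the quoted rules, an outbound layer2 frame on xl0 matches nothing and falls to the implicit 65535 deny, which is why a default layer2 rule is needed; in Jon's set, a frame from the blocked OUI is dropped at 00050 by the /24 mask; and if rule 03100 is left out, a layer2 frame carrying a 10.10.66.0/24 source is caught by pipe 3 on the layer2 pass as well as on the later IP pass, so the default layer2 allow also keeps frames out of the bandwidth pipes.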