Date: Sat, 8 Jan 2005 15:43:09 +0100
From: Christian Hiris <4711@chello.at>
To: freebsd-ipfw@freebsd.org
Cc: "heath, Chia Hui Chen" <heath0504@gmail.com>
Subject: Re: ipfw + MAC nothing happens?
Message-ID: <200501081543.24318.4711@chello.at>
In-Reply-To: <007101c4f584$d9a7fd90$f8813b3d@linuxlmx20ji5l>
References: <007101c4f584$d9a7fd90$f8813b3d@linuxlmx20ji5l>
On Saturday 08 January 2005 14:20, heath, Chia Hui Chen wrote:
> Hello,
> I use FreeBSD 5.2.1 as NAT.
> I wanna limit the 443 port of a computer based on MAC address.
> So I use ipfw.
> # ipfw add 500 deny tcp from any to any 443 MAC any 00:e0:18:62:xx:xx
> But nothing happens, can anybody tell me why?

Did you set 'sysctl net.link.ether.ipfw=1'?

And you mix up layer-2 and layer-3 filtering in your rule (read paragraph
"PACKET FLOW" in 'man ipfw'). I think you need to do some magic with skipto
rules to make this work:

ipfw add 500 skipto 1000 MAC any 00:e0:18:62:xx:xx
ipfw add 600 skipto 2000 MAC any any
# target of rule 500
ipfw add 1000 deny tcp from any to any 443
# target of rule 600
ipfw add 2000 ... [continue with your normal rules here]

It's only an idea of how your problem could be solved, I never tested this.

Cheers,
ch

--
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
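Christian's skipto idea written out as a small generator, generalised to several MAC/port pairs so that each host gets its own deny block that jumps back to the normal rules. This is an added example, not code from the thread; the rule numbers (500.., 1000.., 2000) follow his sketch and, like his sketch, it has not been tested on a live firewall.

```shell
#!/bin/sh
# Added example: print a two-stage ipfw ruleset. The layer-2 (MAC) match only
# jumps into a per-host block; the TCP port deny lives inside that block, so
# MAC and IP matching are not mixed in one rule. Rule numbers are assumed.

# is_mac ADDR : succeed if ADDR looks like a colon-separated 48-bit MAC.
is_mac() {
    echo "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# mac_block_rules "MAC PORT" ["MAC PORT" ...] : print the ipfw commands.
mac_block_rules() {
    echo 'sysctl net.link.ether.ipfw=1'
    n=500; blk=1000
    for spec in "$@"; do
        mac=${spec% *}; port=${spec#* }
        is_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
        # layer-2 pass: frames from this MAC jump to their own block
        echo "ipfw add $n skipto $blk MAC any $mac"
        # the block: drop the port, then rejoin the normal rules
        echo "ipfw add $blk deny tcp from any to any $port"
        echo "ipfw add $((blk + 1)) skipto 2000 all from any to any"
        n=$((n + 1)); blk=$((blk + 10))
    done
    # every other frame leaves the MAC section for the normal rules
    echo "ipfw add $n skipto 2000 MAC any any"
    echo "ipfw add 2000 ... [continue with your normal rules here]"
}
```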