Date:      Fri, 27 Apr 2007 01:54:18 +0300
From:      "Lubomir Georgiev" <0shady0recs0@gmail.com>
To:        freebsd-ipfw@freebsd.org
Subject:   ipfw with nat - allowing by MAC address
Message-ID:  <937e203f0704261554i701849d4j6ecf265490d8252b@mail.gmail.com>

  Yeah! People, we can congratulate ourselves! We've done it! With a few
modifications I've finally found the smallest working MAC filtered NAT
system. So here's what I ended up with - I'm including the queues just for
the entirety of the ruleset, they have nothing to do with the filtering.

00100 allow ip from any to me not dst-port 8668 via xl0
00101 allow ip from me not 8668 to any via xl0
00300 allow ip from any to any { MAC 00:19:d2:36:b8:48 any or MAC any 00:19:d2:36:b8:48 } layer2
00800 deny log logamount 200 ip from any to any MAC any any layer2 via xl0
01203 divert 8668 ip from 192.168.1.0/24 to any out via fxp0
01205 divert 8668 ip from any to me in via fxp0
01250 queue 1 ip from any to any src-port 80 not layer2 via fxp0
01251 queue 1 ip from any to any dst-port 80 not layer2 via fxp0
01300 queue 2 ip from any to any not src-port 80 not layer2 via fxp0
01500 allow ip from any to any
65535 deny ip from any to any


  Just one note - when I first reached this conclusion I had two very
strange *blackouts*. As if the 100 and the 101 rule just suddenly stop
working and I'm left out of the box e.g. I can't ssh in although the
diverting still works - I can ping hosts on the Internet. It seems to be
fine now and once I gain some knowledge I'm probably going to expand this
ruleset, but for now I've accomplished my goal!

  I have all of you to thank for that! Even though it wasn't easy /mostly
because of my ignorance I'm sure/ you pulled me through.


  Respect.




  One last request - if someone happens to have some free time and wishes to
donate it to me I'd really like to better understand the whole *layer*
thing. I have searched the Internet for answers on this as well as read the
ipfw man page, but I can't really understand it.

  \/  Peace.
-- 
mEsS wItH tHe bEsT
dIE liKe tHe rESt
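The "layer" question at the end of the message, as an added illustration (this is not part of the original post and not ipfw's own code): with net.link.ether.ipfw=1, ipfw sees each frame once at layer 2, where the Ethernet header is available so `MAC` and `layer2` options can match, and again at layer 3, where only the IP header exists and `not layer2` rules apply; in each pass the first matching rule wins, and after a `divert` rule processing resumes at the next rule. The Python below is a deliberately simplified model of that evaluation over the ruleset posted above. LOCAL_ADDRS, the sample hosts and the second MAC address are constructed values, and the matching semantics are an assumption about ipfw, not a transcript of its source.

```python
import ipaddress
from functools import partial
from types import SimpleNamespace

# Constructed copy of the ruleset posted above (rule 00300 joined onto one line).
RULESET = """\
00100 allow ip from any to me not dst-port 8668 via xl0
00101 allow ip from me not 8668 to any via xl0
00300 allow ip from any to any { MAC 00:19:d2:36:b8:48 any or MAC any 00:19:d2:36:b8:48 } layer2
00800 deny log logamount 200 ip from any to any MAC any any layer2 via xl0
01203 divert 8668 ip from 192.168.1.0/24 to any out via fxp0
01205 divert 8668 ip from any to me in via fxp0
01250 queue 1 ip from any to any src-port 80 not layer2 via fxp0
01251 queue 1 ip from any to any dst-port 80 not layer2 via fxp0
01300 queue 2 ip from any to any not src-port 80 not layer2 via fxp0
01500 allow ip from any to any
65535 deny ip from any to any"""

LOCAL_ADDRS = {"192.168.1.1", "10.0.0.2"}  # assumed addresses of the box itself ("me"); not from the message

# One packet as ipfw sees it on one pass: src, dst, sport, dport, iface, direction ("in"/"out"),
# layer2 (True on the layer-2 pass, where the Ethernet header is visible), src_mac, dst_mac.
Packet = partial(SimpleNamespace, src_mac="", dst_mac="")


def _port_after_addr(t, i):  # bare port right after an address, e.g. "from me not 8668"
    neg = False
    if i + 1 < len(t) and t[i] == "not" and t[i + 1].isdigit():
        neg, i = True, i + 1
    if i < len(t) and t[i].isdigit():
        return i + 1, (int(t[i]), neg)
    return i, None


def parse_rule(line):
    """Parse one 'ipfw list' line; only the syntax this ruleset uses is modelled."""
    t = line.split()
    r = SimpleNamespace(number=int(t[0]), action=t[1], src="any", dst="any", src_port=None,
                        dst_port=None, macs=[], layer2=None, via=None, direction=None)
    i = 2
    if r.action in ("divert", "queue"):
        i += 1                                       # skip the divert port / queue number
    while t[i] in ("log", "logamount"):              # logging modifiers do not affect matching
        i += 2 if t[i] == "logamount" else 1
    r.src = t[i + 2]                                 # t[i:i+2] is "ip from"
    i, r.src_port = _port_after_addr(t, i + 3)
    r.dst = t[i + 1]                                 # t[i] is "to"
    i, r.dst_port = _port_after_addr(t, i + 2)
    neg = False
    while i < len(t):
        tok, i = t[i], i + 1
        if tok == "MAC":                             # ipfw order: MAC dst-mac src-mac
            r.macs.append((t[i].lower(), t[i + 1].lower()))
            i += 2
        elif tok == "layer2":
            r.layer2 = not neg
        elif tok in ("src-port", "dst-port"):
            setattr(r, tok.replace("-", "_"), (int(t[i]), neg))
            i += 1
        elif tok == "via":
            r.via, i = t[i], i + 1
        elif tok in ("in", "out"):
            r.direction = tok
        elif tok not in ("not", "{", "}", "or"):     # "{ ... or ... }" is rule 00300's or-block
            raise ValueError(f"option {tok!r} in rule {r.number} is not modelled")
        neg = tok == "not"                           # "not" negates only the option that follows it
    return r


def _addr_ok(spec, addr):
    return spec == "any" or (addr in LOCAL_ADDRS if spec == "me"
                             else ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False))


def matches(r, p):  # simplified ipfw semantics (assumption): pass type, MAC, interface, direction, addresses, ports
    if r.layer2 is not None and r.layer2 != p.layer2:
        return False
    if r.macs:                                       # MAC options can only match on the layer-2 pass
        dm, sm = p.dst_mac.lower(), p.src_mac.lower()
        if not p.layer2 or not any(d in ("any", dm) and s in ("any", sm) for d, s in r.macs):
            return False
    if (r.via and r.via != p.iface) or (r.direction and r.direction != p.direction):
        return False
    return (_addr_ok(r.src, p.src) and _addr_ok(r.dst, p.dst)
            and all(spec is None or (port == spec[0]) != spec[1]
                    for spec, port in ((r.src_port, p.sport), (r.dst_port, p.dport))))


def verdict(rules, p, after=0):  # first match wins; after=N resumes past rule N, as after a divert
    for r in rules:
        if r.number > after and matches(r, p):
            return r.number, r.action
    raise RuntimeError("no rule matched; 65535 should catch everything")


RULES = [parse_rule(line) for line in RULESET.splitlines()]
```

Walking constructed packets through `verdict` shows the two passes: a frame from the listed MAC arriving on xl0 is allowed by 00300 on the layer-2 pass, a frame from any other MAC is denied by 00800, and the same permitted packet on its layer-3 pass out of fxp0 hits the 01203 divert and, once natd hands it back, the 01251 queue. The model also makes one property of the ruleset explicit that is worth knowing when relying on it: 00100 sits before the MAC rules and admits any LAN host to services on the gateway itself (ssh included) regardless of its MAC, so the MAC filter only governs forwarded traffic, and 00800 is tied to `via xl0`, so layer-2 frames on other interfaces fall through to 01500.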
