Date: Thu, 31 Aug 2000 00:33:42 +0200
From: Bernd Walter
To: Bill Fumerola
Cc: Jaye Mathisen, Simon, "hackers@FreeBSD.ORG"
Subject: Re: Anyway to ipfw filter based on MAC address?
Message-ID: <20000831003342.A12297@cicely8.cicely.de>
References: <200008290108.TAA26723@mail.fpsn.net> <20000828233106.T33771@jade.chc-chimes.com>
In-Reply-To: <20000828233106.T33771@jade.chc-chimes.com>; from billf@chimesnet.com on Mon, Aug 28, 2000 at 11:31:06PM -0400

On Mon, Aug 28, 2000 at 11:31:06PM -0400, Bill Fumerola wrote:
> On Mon, Aug 28, 2000 at 07:02:03PM -0700, Jaye Mathisen wrote:
> >
> > Just exactly what I said in the Subject. I want to filter on the ethernet
> > MAC address.
>
> I guess the "ip" in "ipfw" just wasn't obvious enough that it is an IP firewall
> tool. You're one layer too low.

We already have filter rules to check if a packet would get bridged.
And non-IP protocols like IPX get bridged depending on the default rule
of ipfw.
I don't think that ipfw stands for ip only anymore.
But I'm not sure if we still have the MAC address at this layer.

Unfortunately we can't use a fwd action for bridged packets ;(
Anyone with a good idea how to get missing parameters in the bridge code
for calling the firewall check code?
Is it OK to just get empty structures?
If I understood it right the bridge checks only at incoming time and
normally fwd should be used for outgoing packets.
Will this be any big problem?

-- 
B.Walter              COSMO-Project         http://www.cosmo-project.de
ticso@cicely.de         Usergroup           info@cosmo-project.de