Date: Tue, 5 Jul 2005 11:18:20 -0700
From: Jon Simola <jsimola@gmail.com>
To: freebsd-ipfw@freebsd.org
Subject: Re: rules to permit only few MAC address
Message-ID: <8eea04080507051118692d783c@mail.gmail.com>
In-Reply-To: <1904693964.20050705145004@llwb135.servidoresdns.net>
References: <1904693964.20050705145004@llwb135.servidoresdns.net>
On 7/5/05, vladone <vladone@llwb135.servidoresdns.net> wrote:
> I want to permit only few MAC address to pass on my gateway.

MAC filtering is done at layer 2, so you need to allow ipfw access to the
layer 2 packets via

    sysctl -w net.link.ether.ipfw=1

And you may desire rules to only allow arp from certain machines, like:

    allow ip from any to any mac-type 0x0806 MAC any 00:11:22:33:44:55 in recv fxp1 layer2

And traffic, like:

    allow ip from any to any MAC any 00:11:22:33:44:55 in recv fxp1 layer2

Because you're going to have packets traversing ipfw up to 4 times (layer2
in, layer3 in, layer3 out, layer2 out) you might want to split your firewall
rules for efficiency, something like:

    50 skipto 10000 ip from any to any in recv fxp1 not layer2 // ip traffic inbound fxp1
    60 skipto 12000 ip from any to any in recv fxp0 not layer2 // ip traffic inbound fxp0
    70 skipto 14000 ip from any to any in recv fxp1 layer2 // ether traffic inbound fxp1
    80 skipto 16000 ip from any to any in recv fxp0 layer2 // ether traffic inbound fxp0

I've done similar things in the past. Hopefully this gives you some ideas.

-- 
Jon Simola
Systems Administrator
ABC Communications
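The reply above gives the pieces (the sysctl, per-MAC arp and IP allow rules, and the four-way skipto split) but not a complete ruleset. The script below is an added example, not code from the original message or from the FreeBSD project: it generates a full ipfw ruleset from a MAC allow-list, with a default deny for layer-2 frames on the inside interface that do not come from a listed MAC. It assumes (hypothetically) that fxp1 is the inside interface and fxp0 the outside one, as in the thread; the MAC addresses are constructed sample data, and the rule numbers follow the 50..80 / 10000..16000 layout from the message.

```shell
#!/bin/sh
# Added example, not code from the original message: generate a complete
# ipfw ruleset that lets only an allow-list of source MACs through the
# gateway, using the sysctl and the four-way skipto split from the thread.
# Assumptions (hypothetical): fxp1 is the inside (LAN) interface and fxp0
# the outside one; the MAC list is constructed sample data; rule numbers
# follow the 50..80 / 10000..16000 layout of the message.

INSIDE_IF=fxp1
OUTSIDE_IF=fxp0
ALLOWED_MACS="00:11:22:33:44:55 00:aa:bb:cc:dd:ee"   # constructed sample allow-list

# gen_rules prints the commands to stdout; nothing is applied until the
# output is reviewed and piped into sh on the gateway.
gen_rules() {
    echo 'sysctl net.link.ether.ipfw=1'
    echo 'ipfw -f flush'

    # Dispatch: each of the four passes a forwarded packet makes through
    # ipfw (layer2 in, layer3 in, layer3 out, layer2 out) jumps to its own
    # section, so the MAC checks run exactly once, on the inbound layer2 pass.
    echo "ipfw add 50 skipto 10000 ip from any to any in recv $INSIDE_IF not layer2"
    echo "ipfw add 60 skipto 12000 ip from any to any in recv $OUTSIDE_IF not layer2"
    echo "ipfw add 70 skipto 14000 ip from any to any in recv $INSIDE_IF layer2"
    echo "ipfw add 80 skipto 16000 ip from any to any in recv $OUTSIDE_IF layer2"
    # Outbound layer2 frames were already vetted on their inbound pass.
    echo 'ipfw add 90 allow ip from any to any out layer2'

    # Sections 10000/12000: ordinary layer-3 policy (placeholder: allow all;
    # put the real layer-3 rules here).
    echo 'ipfw add 10000 allow ip from any to any'   # inbound on fxp1, layer 3
    echo 'ipfw add 12000 allow ip from any to any'   # inbound on fxp0, layer 3

    # Section 14000: ether frames inbound on the inside interface. Only the
    # allow-listed source MACs may ARP or send IP; every other frame is dropped.
    n=14000
    for mac in $ALLOWED_MACS; do
        echo "ipfw add $n allow ip from any to any mac-type 0x0806 MAC any $mac in recv $INSIDE_IF layer2"
        n=$((n + 1))
        echo "ipfw add $n allow ip from any to any MAC any $mac in recv $INSIDE_IF layer2"
        n=$((n + 1))
    done
    echo "ipfw add 14999 deny ip from any to any in recv $INSIDE_IF layer2"

    # Section 16000: ether frames arriving on the outside interface are not
    # MAC-filtered here; let them continue to the layer-3 rules.
    echo "ipfw add 16000 allow ip from any to any in recv $OUTSIDE_IF layer2"
}

# Number of per-MAC allow rules in the generated set (two per listed MAC).
mac_rule_count() {
    gen_rules | grep -c 'MAC any'
}

gen_rules
```

Run it as `sh gen-mac-rules.sh > rules.sh`, read the result, and then apply it on the gateway with `sh rules.sh`. The `deny` at 14999 is what turns the per-MAC rules into an allow-list; without it, frames from unlisted MACs would fall through to the later sections and be passed by the layer-3 rules. Anything sent from the outside interface is handled by the layer-3 policy, which this script leaves as a placeholder.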