Date: Mon, 8 Dec 2003 15:02:43 -0800 (PST) From: Jon Simola <jon@abccom.bc.ca> To: freebsd-ipfw@freebsd.org Subject: Re: Translate MAC address to IP address Message-ID: <20031208145606.C54324-100000@tyberius.abccom.bc.ca> In-Reply-To: <007301c3bdd5$28713f60$3200a8c0@CBCOFFICE>
On Mon, 8 Dec 2003, The Jetman wrote:

> Mike: Am I mistaken or can MAC-oriented IPFW2 rules be used along side
> IP-oriented rules ? I ask bec I setup a very simple script that would filter
> all but a couple of MAC addrs then fwd incoming IPs to an internal web
> site. I *thought* I tried all of the reasonable combinations, but I TOO
> would like to know more about this. That is, I can filter certain MAC addrs
> *OR* I can filter/forward certain IPS, but I can't do both in the same IPFW
> script. Later....Jet

From my current ruleset:

00007 deny ip from any to any MAC 00:40:05:2f:03:40 any not mac-type 0x0800
00007 deny ip from any to any MAC any 00:40:05:2f:03:40 not mac-type 0x0800 // MAC conflicting with 208.181.67.113
00011 allow ip from any to any layer2 not mac-type 0x0800 // allow ARP
00017 deny ip from any to any MAC 00:40:05:2f:03:40 any
00017 deny ip from any to any MAC any 00:40:05:2f:03:40 // MAC conflicting with 208.181.67.113
00023 deny icmp from 208.181.67.238 to any // mass pings
00030 deny ip from 208.181.165.59 to any // request for cancelled customer
00030 deny ip from any to 208.181.165.59

I've also in the past used rules specifying both the IP and MAC to disable
customers using the wrong IP, but the MAC address filtering just shuts down
their machine entirely.

Rule 7 denies ARP through the bridge for that MAC address, and rule 17 denies
all other traffic. I have both so that customers can't poison ARP caches (7),
and to make the block happen instantaneously (17).

---
Jon Simola <jon@abccom.bc.ca>  | "In the near future - corporate networks
Systems Administrator          | reach out to the stars, electrons and light
ABC Communications             | flow throughout the universe." -- GITS
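The pattern in Jon's ruleset, written out as a small generator script. This is an added example and not code from the thread or from the FreeBSD project: it emits an ipfw2 ruleset that mixes layer2 MAC rules with ordinary IP rules (answering the original question that both can live in one script), and it checks the one ordering detail that matters, namely that the per-MAC ARP deny (rule 7) is numbered below the global ARP allow (rule 11). The MAC address and IP address are constructed placeholders from the documentation ranges, rule numbers follow the thread's layout, and the commands are printed rather than run so the ruleset can be reviewed before it is piped to sh on the bridge host. It assumes the kernel is already passing layer2 frames to ipfw, as Jon's bridge setup does.

```shell
#!/bin/sh
# Added example (not from the original thread): build an ipfw2 ruleset that
# combines layer2 (MAC) filtering with IP-level rules, then sanity-check the
# rule ordering.  Values are constructed placeholders; rule numbers mirror
# the thread.  Output is printed, not applied.

ARP_DENY_RULE=7     # per-MAC: drop non-IP frames (ARP) for a blocked station
ARP_ALLOW_RULE=11   # global: pass everyone else's ARP across the bridge
IP_DENY_RULE=17     # per-MAC: drop every remaining frame to/from the station
IP_BLOCK_RULE=30    # per-IP: deny an address whether or not its MAC is known

# emit_mac_block MAC NOTE: the two rule pairs from the thread.  Frames are
# matched in both directions (ipfw's MAC dst src order), first only non-IP
# ethertypes (not mac-type 0x0800) so the station cannot poison ARP caches,
# then everything else so the cut-off is immediate instead of waiting for
# neighbours' ARP entries to age out.
emit_mac_block() {
    mac=$1; note=$2
    printf 'ipfw add %s deny ip from any to any MAC %s any not mac-type 0x0800 // %s\n' "$ARP_DENY_RULE" "$mac" "$note"
    printf 'ipfw add %s deny ip from any to any MAC any %s not mac-type 0x0800 // %s\n' "$ARP_DENY_RULE" "$mac" "$note"
    printf 'ipfw add %s deny ip from any to any MAC %s any // %s\n' "$IP_DENY_RULE" "$mac" "$note"
    printf 'ipfw add %s deny ip from any to any MAC any %s // %s\n' "$IP_DENY_RULE" "$mac" "$note"
}

# emit_arp_allow: non-IP layer2 frames (ARP) pass for every other station.
emit_arp_allow() {
    printf 'ipfw add %s allow ip from any to any layer2 not mac-type 0x0800 // allow ARP\n' "$ARP_ALLOW_RULE"
}

# emit_ip_block IP NOTE: a plain IP-level deny in both directions, sitting in
# the same ruleset as the MAC rules above.
emit_ip_block() {
    ip=$1; note=$2
    printf 'ipfw add %s deny ip from %s to any // %s\n' "$IP_BLOCK_RULE" "$ip" "$note"
    printf 'ipfw add %s deny ip from any to %s\n' "$IP_BLOCK_RULE" "$ip"
}

# build_ruleset: one blocked MAC and one blocked IP (constructed values).
build_ruleset() {
    emit_mac_block 00:00:5e:00:53:01 'constructed example: conflicting MAC'
    emit_arp_allow
    emit_ip_block 192.0.2.59 'constructed example: cancelled customer'
}

# check_order RULESET: every per-MAC ARP deny must carry a lower number than
# the global ARP allow; otherwise the allow matches first and the
# anti-poisoning rule never fires.  Returns 0 when the order is right.
check_order() {
    printf '%s\n' "$1" | grep 'not mac-type 0x0800' | grep -v ' allow ' \
        | awk -v allow="$ARP_ALLOW_RULE" \
              '{ if ($3 + 0 >= allow + 0) bad = 1 } END { exit (bad ? 1 : 0) }'
}

ruleset=$(build_ruleset)
printf '%s\n' "$ruleset"
check_order "$ruleset" && echo '# ordering check passed' >&2
```

Run it on any host with sh and awk to review the generated rules; on the bridge itself, `sh gen.sh | sh` would apply them. Keeping the per-MAC ARP deny below the global ARP allow is the whole point of the check: ipfw evaluates rules in number order, so an allow numbered lower than the deny would let the blocked station keep answering ARP.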