From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 5 17:56:02 2005
From: Robert Klein <RoKlein@roklein.de>
Date: Tue, 05 Jul 2005 19:55:54 +0200
To: vladone
Cc: freebsd-ipfw@freebsd.org
Subject: Re: rules to permit only few MAC address
Message-ID: <42CAC9AA.9040708@roklein.de>
In-Reply-To: <1904693964.20050705145004@llwb135.servidoresdns.net>
List-Id: IPFW Technical Discussions

vladone wrote:
>I want to permit only a few MAC addresses to pass on my gateway.
>I put these lines in my script:
>ipfw -q -f flush
>cmd="/sbin/ipfw -q"
>oif="rl0"
>pif="fxp1"
>
>$cmd add 110 skipto 5000 MAC any 00:0e:a6:81:40:3e in via $pif
>$cmd add 120 skipto 5000 MAC any 00:50:8b:6b:0c:b2 in via $pif
>..............................................................
>$cmd add 500 deny log MAC any any in via $pif
>
>$cmd add 5000 divert natd all from any to any via $oif
>
>but it does not work (it blocks legitimate traffic). How can I do this job?

mmm, if I'm right, network traffic passes through IPFW2 twice, first on layer 2 and later on layer 3, so you have to allow traffic on layer three...

ok, the interface was an fxp a long time ago, so I still use $FXP, though the interface is an em, now.....:P

Here's a part of my code:

#!/bin/sh
IPFW=/sbin/ipfw
ALL="add allow MAC any "
FXP="in via em0"

$IPFW -q flush
$IPFW -q pipe flush

# allow everything not on layer 2
$IPFW add allow all from any to any not layer2

# localhost traffic
$IPFW add allow layer2 via lo0

# outbound interface
$IPFW add allow layer2 via tun0

# out via em0
$IPFW add allow layer2 out via em0

# in via em0; hostile internal network
$IPFW $ALL xx:xx:xx:xx:xx:xx $FXP
$IPFW $ALL yy:yy:yy:yy:yy:yy $FXP
# .... (further allowed MAC addresses)

# everything else coming in via em0 at layer 2 is denied and logged
$IPFW add deny log logamount 0 MAC any any $FXP

regards,
Robert
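A worked ruleset that combines vladone's requirement (a short MAC allow-list on the inside interface plus natd on the outside one) with Robert's point about the two passes; this is an added example, not either poster's script. It assumes FreeBSD ipfw2 with the sysctl net.link.ether.ipfw=1 (otherwise layer-2 frames never reach ipfw); the interface names fxp1/rl0, the rule numbers and the generator function are chosen here, and the script prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Constructed example: emit an ipfw ruleset that allow-lists a few source
# MACs on the inside interface while still running natd on the outside one.
# Assumes FreeBSD ipfw2 with sysctl net.link.ether.ipfw=1 (without it, layer-2
# frames are never handed to ipfw).  IPFW=echo gives a dry run.
IPFW=${IPFW:-/sbin/ipfw}

# valid_mac MAC -> exit 0 if MAC is six colon-separated hex octets
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# gen_rules INSIDE_IF OUTSIDE_IF MAC... -> prints one ipfw command per line.
# Every packet is seen twice: once as a layer-2 frame and once as an IP
# packet.  Rule 100 sends the IP pass straight to the NAT/allow section,
# so the MAC allow-list and the final deny only judge the layer-2 pass.
gen_rules() {
    inside=$1; outside=$2; shift 2
    for mac in "$@"; do   # refuse to emit a partial ruleset
        valid_mac "$mac" || { echo "gen_rules: malformed MAC '$mac'" >&2; return 1; }
    done
    printf '%s -q -f flush\n' "$IPFW"
    printf '%s add 100 skipto 1000 all from any to any not layer2\n' "$IPFW"
    printf '%s add 200 allow layer2 via lo0\n' "$IPFW"
    printf '%s add 210 allow layer2 via %s\n' "$IPFW" "$outside"
    printf '%s add 220 allow layer2 out via %s\n' "$IPFW" "$inside"
    n=300
    for mac in "$@"; do
        # MAC dst src: any destination, this source, inbound on the inside interface
        printf '%s add %d allow MAC any %s in via %s\n' "$IPFW" "$n" "$mac" "$inside"
        n=$((n + 1))
    done
    # everything else arriving at layer 2 on the inside interface is logged and dropped
    printf '%s add 900 deny log logamount 0 MAC any any in via %s\n' "$IPFW" "$inside"
    # layer-3 section: NAT on the outside interface, then pass
    printf '%s add 1000 divert natd all from any to any via %s\n' "$IPFW" "$outside"
    printf '%s add 1010 allow all from any to any\n' "$IPFW"
}

# Review the output first; on the gateway it can then be piped to sh.
if [ "${1:-}" = "--demo" ]; then
    gen_rules fxp1 rl0 00:0e:a6:81:40:3e 00:50:8b:6b:0c:b2
fi
```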