From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 5 18:18:21 2005
Message-ID: <8eea04080507051118692d783c@mail.gmail.com>
Date: Tue, 5 Jul 2005 11:18:20 -0700
From: Jon Simola
Reply-To: jon@abccomm.com
To: freebsd-ipfw@freebsd.org
In-Reply-To: <1904693964.20050705145004@llwb135.servidoresdns.net>
References: <1904693964.20050705145004@llwb135.servidoresdns.net>
Subject: Re: rules to permit only few MAC address
List-Id: IPFW Technical Discussions

On 7/5/05, vladone wrote:
> I want to permit only a few MAC addresses
> to pass on my gateway.

MAC filtering is done at layer 2, so you need to allow ipfw access to the
layer 2 packets via

    sysctl -w net.link.ether.ipfw=1

And you may desire rules to only allow arp from certain machines, like:

    allow ip from any to any mac-type 0x0806 MAC any 00:11:22:33:44:55 in recv fxp1 layer2

And traffic, like:

    allow ip from any to any MAC any 00:11:22:33:44:55 in recv fxp1 layer2

Because you're going to have packets traversing ipfw up to 4 times (layer2
in, layer3 in, layer3 out, layer2 out) you might want to split your
firewall rules for efficiency, something like:

    50 skipto 10000 ip from any to any in recv fxp1 not layer2 // ip traffic inbound fxp1
    60 skipto 12000 ip from any to any in recv fxp0 not layer2 // ip traffic inbound fxp0
    70 skipto 14000 ip from any to any in recv fxp1 layer2     // ether traffic inbound fxp1
    80 skipto 16000 ip from any to any in recv fxp0 layer2     // ether traffic inbound fxp0

I've done similar things in the past. Hopefully this gives you some ideas.

-- 
Jon Simola
Systems Administrator
ABC Communications
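One way to turn the approach above into a complete ruleset, as an added example that is not part of Jon's post: a small sh script that generates the sysctl plus the skipto dispatch and a per-MAC allow-list block for the LAN interface, ending in a default deny so hosts not on the list never reach the layer-3 rules. Interface names (fxp1/fxp0), the MAC addresses and the outbound layer-2 pass-through at rule 90 are constructed assumptions; the script prints the commands for review instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original post. Prints an ipfw ruleset for a
# layer-2 MAC allow-list; review the output, then feed it to sh on the gateway.

LAN_IF="fxp1"   # assumed: interface facing the hosts being filtered
WAN_IF="fxp0"   # assumed: upstream interface
# Constructed allow-list of MAC addresses permitted to use $LAN_IF.
ALLOWED_MACS="00:11:22:33:44:55 00:11:22:33:44:66"

# Emit the layer-2 block for one interface starting at rule number $2.
# Each permitted MAC gets an ARP rule (ethertype 0x0806) and an IP rule,
# as in the post; anything else arriving at layer 2 on that interface is
# denied and logged, which is what makes the list an allow-list.
l2_block() {
    iface=$1; n=$2; shift 2
    for mac in "$@"; do
        echo "ipfw add $n allow ip from any to any mac-type 0x0806 MAC any $mac in recv $iface layer2"
        n=$((n + 1))
        echo "ipfw add $n allow ip from any to any MAC any $mac in recv $iface layer2"
        n=$((n + 1))
    done
    echo "ipfw add $n deny log ip from any to any in recv $iface layer2"
}

# Full ruleset: enable layer-2 filtering, dispatch each of the inbound
# passes to its own block (rules 50-80 from the post), let the two outbound
# passes through at layer 2 (assumed; the post does not cover them), then
# the per-interface layer-2 blocks. Layer-3 policy at 10000/12000 is left
# to the administrator since the post does not specify it.
ruleset() {
    echo "sysctl net.link.ether.ipfw=1"
    echo "ipfw add 50 skipto 10000 ip from any to any in recv $LAN_IF not layer2"
    echo "ipfw add 60 skipto 12000 ip from any to any in recv $WAN_IF not layer2"
    echo "ipfw add 70 skipto 14000 ip from any to any in recv $LAN_IF layer2"
    echo "ipfw add 80 skipto 16000 ip from any to any in recv $WAN_IF layer2"
    echo "ipfw add 90 allow ip from any to any out layer2"
    l2_block "$LAN_IF" 14000 $ALLOWED_MACS
    echo "ipfw add 16000 allow ip from any to any in recv $WAN_IF layer2"
}

ruleset
```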