From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 5 22:19:47 2005
Message-ID: <42CB02FB.108@gmail.com>
Date: Tue, 05 Jul 2005 19:00:27 -0300
From: vita gmail
To: freebsd-ipfw@freebsd.org
References: <1904693964.20050705145004@llwb135.servidoresdns.net> <8eea04080507051118692d783c@mail.gmail.com> <598121599.20050705232925@llwb135.servidoresdns.net>
In-Reply-To: <598121599.20050705232925@llwb135.servidoresdns.net>
Subject: Re: rules to permit only few MAC address
List-Id: IPFW Technical Discussions

Excuse me, I am interested in learning how to allow and deny MACs on my network; I have a LAN and a WLAN, and with that I would solve the problem of unauthorized access.
What has been written does not remove my doubt about being able to control access by MAC; could you explain the subject a little more, since after that I have to do the firewall. In an answer by Robert Klein it appears that control by MAC is said to be from layer 2, and layer 3 does not appear in the other mail. The example is useful, but I do not manage to understand how to do the firewall with that data. Thanks in advance to all. Excuse my English, it is from a translator.

vladone wrote:
> Hello Jon,
>
> Tuesday, July 5, 2005, 9:18:20 PM, you wrote:
>
>> On 7/5/05, vladone wrote:
>>
>>> I want to permit only a few MAC addresses to pass on my gateway.
>>
>> MAC filtering is done at layer 2, so you need to allow ipfw access to
>> the layer 2 packets via
>>     sysctl -w net.link.ether.ipfw=1
>>
>> And you may desire rules to only allow arp from certain machines, like:
>>     allow ip from any to any mac-type 0x0806 MAC any 00:11:22:33:44:55 in recv fxp1 layer2
>>
>> And traffic, like:
>>     allow ip from any to any MAC any 00:11:22:33:44:55 in recv fxp1 layer2
>>
>> Because you're going to have packets traversing ipfw up to 4 times
>> (layer2 in, layer3 in, layer3 out, layer2 out) you might want to split
>> your firewall rules for efficiency, something like:
>>
>>     50 skipto 10000 ip from any to any in recv fxp1 not layer2 // ip traffic inbound fxp1
>>     60 skipto 12000 ip from any to any in recv fxp0 not layer2 // ip traffic inbound fxp0
>>     70 skipto 14000 ip from any to any in recv fxp1 layer2     // ether traffic inbound fxp1
>>     80 skipto 16000 ip from any to any in recv fxp0 layer2     // ether traffic inbound fxp0
>>
>> I've done similar things in the past. Hopefully this gives you some ideas.
>
> Thanks! Now it seems to be ok. But I don't know how mac-type works. I
> see different values passed as parameter, like: mac-type 0x809b or mac-type 0x80f3 or mac-type 0x0023 ....
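An added example, not part of this thread or of ipfw itself: a POSIX sh script that builds the per-MAC allow rules Jon describes (ARP first, then every other frame from that source MAC) for a list of permitted addresses, and closes the block with a layer-2 deny so a host whose MAC is not listed gets nothing through that interface. The interface name fxp1 and the 14000 rule base (the "ether traffic inbound fxp1" block in the skipto layout quoted above) are taken from the thread; the function names, the 10-apart rule numbering and the sample MACs are my own assumptions. On vladone's mac-type question: the option matches the Ethernet type field of the frame, so 0x0800 selects IPv4, 0x0806 ARP, 0x809b AppleTalk and 0x80f3 AppleTalk ARP; a value below 0x0600 is an IEEE 802.3 length field rather than a protocol type.

```shell
#!/bin/sh
# Added example: emit ipfw(8) rules that admit only the listed source MACs
# arriving on one interface at layer 2 and drop every other frame there.
# Interface, rule base and MACs are assumptions, not values from a live box.

# EtherType values used as mac-type (registered values, not from the thread):
#   0x0800 IPv4   0x0806 ARP   0x809b AppleTalk   0x80f3 AppleTalk ARP
# Anything below 0x0600 is an 802.3 length field, not a type.

# is_mac ADDR: succeed only for a well-formed colon-separated 48-bit MAC,
# so a typo cannot silently produce a rule that matches nothing.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# gen_mac_allowlist_rules IFACE BASE_RULE MAC [MAC...]
# Prints the sysctl and ipfw commands to stdout; prints nothing and returns 1
# if no MAC is given or any MAC is malformed.
gen_mac_allowlist_rules() {
    iface=$1; base=$2; shift 2
    [ $# -gt 0 ] || return 1
    for mac; do
        is_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    done

    num=$base
    # Without this sysctl ipfw never sees layer-2 frames at all.
    echo "sysctl -w net.link.ether.ipfw=1"
    for mac; do
        # Let the permitted host resolve the gateway (ARP, EtherType 0x0806)...
        echo "ipfw add $num allow ip from any to any mac-type 0x0806 MAC any $mac in recv $iface layer2"
        num=$((num + 10))
        # ...and pass every other frame whose source MAC is on the list.
        # "MAC any $mac" is destination-any, source-$mac in ipfw's MAC syntax.
        echo "ipfw add $num allow ip from any to any MAC any $mac in recv $iface layer2"
        num=$((num + 10))
    done
    # Default for this block: drop whatever else arrives on the interface.
    echo "ipfw add $num deny ip from any to any in recv $iface layer2"
}

# Sample invocation with two constructed MACs; output is shell to be reviewed.
gen_mac_allowlist_rules fxp1 14000 00:11:22:33:44:55 00:11:22:33:44:66
```

The script only prints; review the rules before loading them. The deny applies solely to frames arriving on that interface at layer 2, so the other three passes (layer-3 in and out, layer-2 out) still need their own rules in the other skipto blocks from the thread, and an interface the administrator reaches the gateway through should keep its own MAC in the list.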