Date: Fri, 12 Jun 2015 10:24:05 +0200
From: Guido Falsi <mad@madpilot.net>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: John Reynolds <johnjen@reynoldsnet.org>, freebsd-net@freebsd.org
Subject: Re: question on NAT + IPFW
Message-ID: <557A9725.7050506@madpilot.net>
In-Reply-To: <20150612174047.Q74737@sola.nimnet.asn.au>
References: <557A48A2.4090805@reynoldsnet.org> <557A80F8.1070109@madpilot.net> <557A835C.1090106@madpilot.net> <20150612174047.Q74737@sola.nimnet.asn.au>
On 06/12/15 10:07, Ian Smith wrote:
> On Fri, 12 Jun 2015 08:59:40 +0200, Guido Falsi wrote:
>  > > looks correct, assuming xl0 is your internal interface (better put it in
>  > > a variable and use the variable in your rules imho)
>  >
>  > Forgot one thing, working around this block is as easy as changing the
>  > machine IP, a teenager can learn this easily and it can be done in a lot
>  > of ways, even if they are not root (or equivalent) on their machine, they
>  > can just boot from a CD with some live OS. You could have a better block
>  > by also checking the MAC address, like this:
>  >
>  > $cmd 021 deny log MAC any 00:aa:00:00:00:00:01 via xl0
>  >
>  > (not tested)
>  >
>  > MAC addresses can be modified too but it's somewhat more difficult.
>
> While that's all true, blocking at layer 2 requires extra work that may
> be beyond what's needed here, to have ipfw deal with layer 2 traffic.
>
> sysctl net.link.ether.ipfw=1 must be set for ipfw to see layer 2 packets
> at all, and then you'd need to follow ipfw(8) section PACKET FLOW to
> separate the layer 2 and 3 traffic in order to look at MAC addresses on
> the appropriate one of the extra two passes through ipfw this entails.

Uhm, I forgot to check these details. Yes, layer 2 is a lot more work
anyway, I avoid it if possible.

I also did not read carefully the example given, my fault on that too :)

-- 
Guido Falsi <mad@madpilot.net>
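Added example, not code from the thread nor from the FreeBSD project: an
rc-style ipfw script showing what Ian's "separate the layer 2 and 3 traffic"
step looks like in practice. Once net.link.ether.ipfw=1 is set, every frame
makes extra passes through ipfw at the Ethernet layer in addition to the
normal IP pass, so the ruleset first diverts the layer-2 passes with a
skipto on the "layer2" match, keeps the IP rules on the IP pass only, and
puts the MAC rule (ipfw(8) syntax: MAC dst-mac src-mac) on the layer-2 pass.
The interface xl0, the host 192.168.1.50 and the MAC 00:aa:00:00:00:01 are
placeholders, and like the rule in the thread this has not been loaded on a
live box; the script prints the commands so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the thread: an ipfw rc-style ruleset that
# blocks one LAN host both by IP (layer 3) and by MAC (layer 2), laid out
# the way ipfw(8) "PACKET FLOW" requires once net.link.ether.ipfw=1 is set.
# Assumptions (placeholders, not from the thread): internal interface xl0,
# blocked host 192.168.1.50 with MAC 00:aa:00:00:00:01. Untested on a live
# firewall, like the rule in the thread; review the output before loading it.

iif="xl0"
bad_ip="192.168.1.50"
bad_mac="00:aa:00:00:00:01"

# Print the ipfw commands instead of running them, so they can be reviewed
# (or diffed against the running set) before being piped to sh on the firewall.
ipfw_rules() {
    cmd="ipfw -q add"
    cat <<EOF
# Without this sysctl ipfw never sees Ethernet frames and MAC rules never match.
sysctl net.link.ether.ipfw=1
ipfw -q -f flush
# With layer 2 enabled every frame makes extra passes through ipfw
# (ether_demux / ether_output_frame) besides the usual IP pass. Split them
# first so IP rules are not evaluated twice and MAC rules only see frames.
$cmd 00010 skipto 1000 all from any to any layer2
# ---- layer 3 rules (IP pass only) ----
$cmd 00020 deny log ip from $bad_ip to any via $iif
$cmd 00030 deny log ip from any to $bad_ip via $iif
$cmd 00100 allow ip from any to any
# ---- layer 2 rules (Ethernet passes only) ----
# MAC matches dst-mac src-mac: frames sent by the blocked NIC, then frames to it.
$cmd 01000 deny log MAC any $bad_mac via $iif
$cmd 01010 deny log MAC $bad_mac any via $iif
# Frames that survive must be allowed here; the default rule would drop them.
$cmd 01020 allow all from any to any layer2
EOF
}

# Check a practitioner wants before trusting the MAC rule: the sysctl must
# actually be on. Returns 0 when ipfw sees layer 2, 1 otherwise (including
# on hosts where the sysctl does not exist).
layer2_enabled() {
    [ "$(sysctl -n net.link.ether.ipfw 2>/dev/null)" = "1" ]
}

ipfw_rules
```

Usage: run the script and inspect the output, then `sh script.sh | sh` on the
firewall; `layer2_enabled || echo "MAC rules are inert"` is the check to run
afterwards. Changing the IP no longer helps the blocked host, but a changed
MAC still does, as Guido notes, so both rules together only raise the bar.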