From owner-freebsd-net@FreeBSD.ORG Thu May 14 06:53:30 2009
Date: Thu, 14 May 2009 16:17:54 +1000 (EST)
From: Ian Smith
To: Brett Glass
Cc: net@freebsd.org
Subject: Re: MAC locking and filtering in FreeBSD
In-Reply-To: <200905131648.KAA15455@lariat.net>
Message-ID: <20090514155226.Y46325@sola.nimnet.asn.au>
References: <200905131648.KAA15455@lariat.net>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, 13 May 2009, Brett Glass wrote:

> I need to find a way to do "MAC address locking" in FreeBSD -- that is, to
> ensure that only a machine with a particular MAC address can use a particular
> IP address. Unfortunately, it appears that rules in FreeBSD's IPFW are
> "stuck" on one layer: rules that look at Layer 2 information in a packet
> can't look at Layer 3, and vice versa. Is there a way to work around this to
> do MAC address locking and/or other functions that involve looking at Layer 2
> and Layer 3 simultaneously?
You can use fixed leases with MAC specified in dhcp for that, with or without
specifying a range of addresses available to boxes with unknown MACs. An org
I'm working for uses just that method to good effect. You can also specify a
different (eg) router address for non-fixed leases, towards your 'captive
portal' requirement for new boxes.

Re ipfw(8), I'm not clear on what your problem is: the section PACKET FLOW
shows clearly how to distinguish layer 2 from layer 3 traffic. Your 'vice
versa' here isn't correct; you can select by layer 3 criteria on packets from
ether_demux, though of course once (or if) they get to re-enter the firewall
at layer 3 (from ip_input) you can't see/test MAC addresses anymore.
'simultaneously' isn't really the case then; clearly the layer 2 pass occurs
first on input, and last on output.

cheers, Ian
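An added illustration of the two points above (layer-2 ipfw rules that match both the source MAC and the source IP on the ether_demux pass, plus matching dhcpd fixed leases); this is not from either message. It is a POSIX sh script that only prints the rules for a constructed binding list; the interface name em0, the 192.0.2.x addresses and the MACs are assumptions.

```shell
#!/bin/sh
# Print ipfw layer-2 "MAC locking" rules and isc-dhcpd fixed-lease stanzas
# for a list of ip/mac/host bindings. Nothing is applied; output is text.
# Assumes ipfw sees ethernet frames (sysctl net.link.ether.ipfw=1) and that
# IFACE is the LAN-facing interface. Constructed sample data throughout.
IFACE=${IFACE:-em0}

# Constructed bindings: "ip mac hostname", one per line.
BINDINGS='192.0.2.10 00:11:22:33:44:55 ws1
192.0.2.11 00:11:22:33:44:66 ws2'

# mac_ok MAC: succeed only for six colon-separated hex bytes.
mac_ok() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# ipfw_rules RULEBASE: for every binding, permit the IP only when the
# frame's source MAC matches, then drop any other layer-2 frame that
# claims the IP. These rules must sit on the layer-2 (ether_demux) pass,
# because once the packet re-enters from ip_input the MAC is no longer
# testable. Rule numbers step by 10 from RULEBASE.
ipfw_rules() {
    n=$1
    printf '%s\n' "$BINDINGS" | while read -r ip mac host; do
        if ! mac_ok "$mac"; then
            echo "bad MAC for $host: $mac" >&2
            return 1
        fi
        echo "ipfw add $n allow ip from $ip to any MAC any $mac layer2 in via $IFACE"
        n=$((n + 10))
        echo "ipfw add $n deny ip from $ip to any layer2 in via $IFACE"
        n=$((n + 10))
    done
}

# dhcpd_hosts: the matching fixed leases, so the permitted machine is also
# the one handed that address. Unknown MACs fall through to dhcpd's
# ordinary range (or a separate "captive portal" range, not shown).
dhcpd_hosts() {
    printf '%s\n' "$BINDINGS" | while read -r ip mac host; do
        printf 'host %s { hardware ethernet %s; fixed-address %s; }\n' \
            "$host" "$mac" "$ip"
    done
}

ipfw_rules 1000
dhcpd_hosts
```

Rules for hosts not in the binding list are deliberately absent: the trailing deny per IP only protects the locked addresses, so the normal ruleset still decides what unlocked addresses may do.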