From: "The Jetman" <jetman516@hotmail.com>
To: "FBSD IPFW"
Date: Tue, 15 Apr 2003 15:30:22 -0400
Subject: Why Does This Work ?
List-Id: User questions (freebsd-questions@freebsd.org)

I'm using 4.8-RELEASE to implement a MAC-filtering bridge for my wireless network. Although I am relatively new with FBSD (since Apr '02), I've been getting the desired results writing my own rules for IPFW. My 1st attempt with IPFW2 was successful, but I can't figure out why!
    ${fwcmd} -f flush

    #### permit all traffic from our wksta to anywhere via our internal iface
(1) ${fwcmd} add permit ${ipanyany} MAC any ${wksmac} in via ${iif}
    ${fwcmd} add permit ${ipanyany} MAC ${wksmac} any out via ${iif}

    #### permit all traffic from/to the outside iface....
    ${fwcmd} add permit ${ipanyany} MAC ${oifmac} any in via ${oif}
    ${fwcmd} add permit ${ipanyany} MAC any ${oifmac} out via ${oif}

    #### block anything else coming from/going to the internal iface....
(2) ${fwcmd} add deny log ${ipanyany} MAC any any in via ${iif}

(3) ${fwcmd} add allow ${ipanyany}

Only rules (1), (2), and (3) fire. Rule (1) fires for obvious reasons (because it matches the pattern I've anticipated). Because of how IP-based IPFW1 rules work, I *thought* one would have to have matching inbound/outbound rules. What's most baffling is that while non-approved MAC addrs are blocked as desired [at rule (2)], legal traffic is permitted back through the bridge to its sender [via rule (3)]. WHY ????

I'm only showing the simplest example of the scripts I've been experimenting with. I've got other scripts that do permit other MACs through the bridge (either wireless or Ethernet), so I'm close to what I want. My principal concern is that I don't rely on bogus (i.e. broken) behavior of IPFW2, only to discover at some unspecified time in the future that this was never really working and my LAN was never really protected. Or worse still, after I start making the script more complex, something unrelated goes wrong.

The only help I've been able to find is a single site, where a guy showed his 1st effort at an IPFW2 script, intended to do the same thing I'm trying to do. Actually, I used his script as a starting place for my efforts.

TIA....Jet

=============== From the desk of Jethro Wright, III ================
+ Never attribute to malice that which is adequately explained by   +
+ incompetence.                                                     +
=== jetman516@hotmail.com ===================== Hanlon's Razor ===
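As an added illustration, not part of the original post, here is a small Python model of ipfw's first-match scan over the ruleset above, so each of the three frame types (workstation outbound, reply inbound on the outside interface, unknown MAC on the inside interface) can be traced to the rule that stops it. It assumes ipfw(8)'s operand order "MAC dst-mac src-mac" and that a bridged frame is presented to the firewall once, as "in" on the interface that received it; interface names and MAC addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the post's shell variables (all hypothetical).
IIF, OIF = "wi0", "fxp0"              # internal (wireless) and outside interface
WKSMAC = "00:02:2d:aa:bb:cc"          # the workstation the bridge should admit
OIFMAC = "00:a0:c9:dd:ee:ff"          # the outside interface's own address
GWMAC = "00:50:73:01:02:03"           # upstream router the workstation talks to

@dataclass
class Rule:
    label: str                        # the post's own numbering where it gives one
    action: str                       # "permit"/"allow" or "deny"
    dst: str                          # ipfw(8) order: MAC dst-mac src-mac
    src: str
    direction: Optional[str] = None   # "in", "out", or None for either
    via: Optional[str] = None         # interface name, or None for any

RULES = [
    Rule("(1)", "permit", "any", WKSMAC, "in", IIF),
    Rule("1b", "permit", WKSMAC, "any", "out", IIF),
    Rule("oif-in", "permit", OIFMAC, "any", "in", OIF),
    Rule("oif-out", "permit", "any", OIFMAC, "out", OIF),
    Rule("(2)", "deny", "any", "any", "in", IIF),
    Rule("(3)", "allow", "any", "any"),
]

def _mac_ok(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern.lower() == addr.lower()

def first_match(frame: dict) -> Rule:
    """First-match scan, as ipfw does; frame = {dst, src, dir, iface}."""
    for r in RULES:
        if (_mac_ok(r.dst, frame["dst"]) and _mac_ok(r.src, frame["src"])
                and r.direction in (None, frame["dir"])
                and r.via in (None, frame["iface"])):
            return r
    raise LookupError("no rule matched (ipfw would fall to its default rule)")

# Assumption: a bridged frame is seen once, as "in" on the receiving interface.
# The bridge is transparent, so a reply carries the workstation's MAC as its
# destination, never OIFMAC; the two "outside iface" rules therefore never match.
WKS_TO_NET = {"dst": GWMAC, "src": WKSMAC, "dir": "in", "iface": IIF}
NET_TO_WKS = {"dst": WKSMAC, "src": GWMAC, "dir": "in", "iface": OIF}
ROGUE_ON_IIF = {"dst": GWMAC, "src": "00:de:ad:be:ef:00", "dir": "in", "iface": IIF}

def trace(frame: dict) -> tuple:
    """Return (label, action) of the rule that decides this frame."""
    r = first_match(frame)
    return (r.label, r.action)

if __name__ == "__main__":
    for name, f in [("wksta -> net", WKS_TO_NET), ("net -> wksta", NET_TO_WKS),
                    ("rogue on iif", ROGUE_ON_IIF)]:
        print(f"{name:14s} decided by rule {trace(f)[0]} {trace(f)[1]}")
```

The trace shows that return traffic is admitted only by the catch-all rule (3), so the ruleset is relying on that final allow rather than on any explicit match for the outside interface.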