From: "The Jetman" <jetman516@hotmail.com>
To: "FBSD IPFW" <freebsd-ipfw@freebsd.org>
Date: Tue, 22 Apr 2003 12:48:29 -0400
Subject: [Q2-4.8-R] Can Anyone Help With Questions About MAC Filtering and IPFW2 ?
List-Id: IPFW Technical Discussions

I'm using 4.8-RELEASE to implement a MAC-filtering bridge for my wireless network. Although I am relatively new with FreeBSD (since Apr '02), I've been getting the desired results writing my own rules for IPFW. My first attempt with IPFW2 was successful, but I can't figure out why!
dc0 is the incoming (the anonymous one, without an IP address) interface.

    00100 allow ip from any to any MAC any a:b:c:d:e:f in via dc0
    00200 allow ip from any to any MAC a:b:c:d:e:f any out via dc0
    00300 allow ip from any to any MAC b:c:d:e:f:g any in via dc0
    00400 allow ip from any to any MAC any b:c:d:e:f:g out via dc0
    00500 deny log ip from any to any MAC any any in via dc0
    00600 allow ip from any to any
    65535 allow ip from any to any

Only rules 100, 200, 500, and 600 fire. Rules 100 and 200 fire for obvious reasons (because they match the patterns I've anticipated). Because of how IP-based IPFW1 rules work, I *thought* one would have to have matching inbound/outbound rules with respect to MAC filtering. What's most baffling is that non-approved MAC addresses are blocked as desired [at rule 500], as hoped, but legal traffic is permitted back through the bridge to its sender [via rule 600]. WHY????

I'm only showing the simplest example of the scripts I've been experimenting with. I've got other scripts that do permit other MACs through the bridge (either wireless or Ethernet) while blocking everyone else, so I'm very close to what I want. My principal concern is that I don't rely on bogus (i.e. broken) behavior of IPFW2, only to discover at some unspecified time in the future that this was never really working and my LAN was never really protected. Or worse still, after I start making the script more complex, something unrelated goes wrong.

The only help I've been able to find is a single site, where a guy showed his first effort at an IPFW2 script, intending to do the same thing I'm trying to do. I used his first script as a starting place for my efforts. Beyond this, I haven't been able to find any other instructive references to IPFW2 on the web or in the FreeBSD mailing list archives.

TIA....Jet

=============== From the desk of Jethro Wright, III ================
+ Never attribute to malice that which is adequately explained by +
+ incompetence.                                                    +
=== jetman516@hotmail.com ===================== Hanlon's Razor ===
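As an added example (not the poster's code, and not anything from FreeBSD itself), the following Python models first-match evaluation of the posted ruleset under the layer-2 operand order that ipfw(8) documents: `MAC dst-mac src-mac`, destination first. The addresses are constructed placeholders for the post's a:b:c:d:e:f and b:c:d:e:f:g, and the frames are constructed too. The model ignores IP-level matching, the `layer2` keyword and the separate layer-2 and layer-3 passes a bridged packet makes through the firewall, so it cannot say which pass a given packet takes; it only shows what the operand order implies. Written as posted, rule 100 means "source a:b:c:d:e:f, inbound" and rule 200 "destination a:b:c:d:e:f, outbound", but rules 300 and 400 have the operands the other way round, so traffic between the second client and the wired side never reaches them: its inbound frames fall to rule 500 and its outbound frames to rule 600. Swapping the two operands on 300 and 400 makes them match.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed placeholder addresses for the post's a:b:c:d:e:f and b:c:d:e:f:g
# (the post's are not valid hex), plus a wired-side host and an unlisted card.
CLIENT_A = "00:11:22:33:44:55"
CLIENT_B = "66:77:88:99:aa:bb"
GATEWAY = "de:ad:be:ef:00:01"
UNKNOWN = "02:00:00:00:00:99"

def norm_mac(mac: str) -> str:
    """Canonicalise 'any' or a colon-separated MAC to lower-case, zero-padded form."""
    if mac == "any":
        return mac
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC address {mac!r}")
    return ":".join(f"{int(o, 16):02x}" for o in octets)

@dataclass(frozen=True)
class Rule:
    number: int
    action: str     # "allow" or "deny"
    dst_mac: str    # first operand after MAC: ipfw(8) writes "MAC dst-mac src-mac"
    src_mac: str    # second operand after MAC
    direction: str  # "in", "out" or "any"
    iface: str      # name after "via", or "any"

@dataclass(frozen=True)
class Frame:
    dst_mac: str
    src_mac: str
    direction: str  # "in" or "out"
    iface: str

def parse_rule(line: str) -> Rule:
    """Parse the subset of 'ipfw show' output used in the post."""
    t = line.split()
    number, action = int(t[0]), t[1]  # "deny log ..." still yields "deny"
    dst = src = "any"
    if "MAC" in t:
        i = t.index("MAC")
        dst, src = norm_mac(t[i + 1]), norm_mac(t[i + 2])
    direction = "in" if "in" in t else "out" if "out" in t else "any"
    iface = t[t.index("via") + 1] if "via" in t else "any"
    return Rule(number, action, dst, src, direction, iface)

def _mac_ok(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == norm_mac(addr)

def first_match(rules: List[Rule], frame: Frame) -> Optional[Rule]:
    """ipfw semantics: the first rule whose every operand matches wins."""
    for r in rules:
        if (_mac_ok(r.dst_mac, frame.dst_mac) and _mac_ok(r.src_mac, frame.src_mac)
                and r.direction in ("any", frame.direction)
                and r.iface in ("any", frame.iface)):
            return r
    return None

def fired(rules: List[Rule], frame: Frame) -> Optional[int]:
    """Number of the rule that decides this frame (None = fell off the end)."""
    r = first_match(rules, frame)
    return r.number if r else None

def never_fired(rules: List[Rule], frames: Dict[str, Frame]) -> set:
    """Rule numbers that no frame in the sample ever reaches."""
    return {r.number for r in rules} - {fired(rules, f) for f in frames.values()}

# The post's ruleset with the placeholder addresses substituted.
POSTED = [parse_rule(l) for l in f"""
00100 allow ip from any to any MAC any {CLIENT_A} in via dc0
00200 allow ip from any to any MAC {CLIENT_A} any out via dc0
00300 allow ip from any to any MAC {CLIENT_B} any in via dc0
00400 allow ip from any to any MAC any {CLIENT_B} out via dc0
00500 deny log ip from any to any MAC any any in via dc0
00600 allow ip from any to any
65535 allow ip from any to any
""".strip().splitlines()]

# Same policy with rules 300/400 written in the dst/src order that 100/200 use.
CORRECTED = [Rule(r.number, r.action, r.src_mac, r.dst_mac, r.direction, r.iface)
             if r.number in (300, 400) else r for r in POSTED]

# Constructed frames as the filter sees them on dc0, the wireless side.
FRAMES = {
    "A -> gateway, in": Frame(GATEWAY, CLIENT_A, "in", "dc0"),
    "gateway -> A, out": Frame(CLIENT_A, GATEWAY, "out", "dc0"),
    "B -> gateway, in": Frame(GATEWAY, CLIENT_B, "in", "dc0"),
    "gateway -> B, out": Frame(CLIENT_B, GATEWAY, "out", "dc0"),
    "stranger -> gateway, in": Frame(GATEWAY, UNKNOWN, "in", "dc0"),
}

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("corrected", CORRECTED)):
        print(name)
        for label, f in FRAMES.items():
            print(f"  {label:24} -> rule {fired(rules, f)}")
        print("  never fired:", sorted(never_fired(rules, FRAMES)))
```

Run it and the "posted" table reproduces the observation that only 100, 200, 500 and 600 decide anything, while "corrected" sends the second client through 300 and 400. The model also makes a second point visible: rule 600 admits every outbound frame regardless of destination MAC, so whatever protection the set provides comes entirely from rule 500 on the inbound side. Whether a given packet is evaluated on the layer-2 pass, the layer-3 pass or both on a bridging 4.8 host is outside this model and has to be confirmed with `ipfw show` counters on the real machine.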