Date:      Sun, 1 Aug 2010 15:57:54 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Carmel <carmel_ny@hotmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPFW with MAC address configuration
Message-ID:  <20100801152841.L34284@sola.nimnet.asn.au>
In-Reply-To: <20100730120026.D6D62106572B@hub.freebsd.org>
References:  <20100730120026.D6D62106572B@hub.freebsd.org>

In freebsd-questions Digest, Vol 321, Issue 12, Message: 31
On Fri, 30 Jul 2010 07:18:40 -0400 Carmel <carmel_ny@hotmail.com> wrote:

 > I am trying to set up a rule using IPFW that utilizes a MAC address
 > rather than an IP one.
 > 
 > ipfw -q allow log tcp from MAC 00-14-A4-43-8E-BA to me 137 in via nfe0 setup keep-state
 > 
 > Would that work, assuming the machine I want to allow access has that
 > MAC address?

It's not quite that simple.  If you need to examine MAC addresses or 
anything else at layer 2 you first have to set net.link.ether.ipfw=1 
"Controls whether layer-2 packets are passed to ipfw.  Default is no."

Then you'll see all packets from ether_demux and ether_output_frame as 
well as the usual layer 3 packets (i.e. after layer 2 headers are removed) 
from ip_input and ip_output.  Read the PACKET FLOW section in ipfw(8) 
for what you need to do to first separate layer2 and layer3 packets, as 
testing for layer2 options like MAC obviously fails on layer3 packets.

Even after separating out the layer2 flows I'm not sure whether you can 
use keep-state with such rules.  And anyway, port 137 (netbios-ns) is a 
UDP service, not TCP.  Is this to do with Samba, or what?

Please cc me on any reply; I'm subscribed to questions as a -digest 
which can take half a day, and the threading gets mangled.

cheers, Ian
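One way to lay out the rules the reply above describes, as an added example that is not part of this thread or of FreeBSD's own documentation. The interface name nfe0 and the MAC address come from the question; the dry-run wrapper, the rule numbers, the handling of port 137 at layer 2, and the assumption that ipfw still parses the IP/UDP header of an ethertype-IP frame when it is called at layer 2 are mine. The script only prints the commands unless DRYRUN=0 is set, so it can be read on any machine.

```sh
#!/bin/sh
# Added example, not code from the thread.  Lays out an ipfw ruleset the way
# the reply above describes: enable layer-2 inspection, send layer-2 frames to
# their own block, and test MAC addresses only there.
# Constructed assumptions: interface nfe0 and the peer MAC from the question;
# DRYRUN=1 (default) prints the commands instead of running sysctl(8)/ipfw(8).

IFACE="${IFACE:-nfe0}"
PEER_MAC="${PEER_MAC:-00-14-A4-43-8E-BA}"
DRYRUN="${DRYRUN:-1}"

# ipfw's MAC option takes colon-separated hex (xx:xx:xx:xx:xx:xx); the form
# with dashes in the question would not parse.  Prints the normalised address,
# returns 1 on anything that is not six hex octets.
mac_colon() {
    m=$(printf '%s' "$1" | tr -- '-' ':' | tr 'ABCDEF' 'abcdef')
    if ! printf '%s\n' "$m" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
        printf 'bad MAC address: %s\n' "$1" >&2
        return 1
    fi
    printf '%s\n' "$m"
}

# Print or execute one command, depending on DRYRUN.
run() {
    if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The ruleset.  With net.link.ether.ipfw=1 each inbound IP packet passes ipfw
# twice: once as a frame from ether_demux (layer2 flag set, MAC visible) and
# once from ip_input (no MAC).  Rule 100 splits the two flows so MAC tests are
# only ever evaluated on frames.
build_rules() {
    mac=$(mac_colon "$PEER_MAC") || return 1

    # 1. ipfw does not see layer-2 frames at all until this is set.
    run sysctl net.link.ether.ipfw=1

    # 2. Frames jump past the layer-3 rules; layer-3 packets fall through.
    run ipfw add 100 skipto 1000 all from any to any layer2

    # --- layer-3 rules (100 < n < 1000): MAC is not visible here ---
    # netbios-ns is UDP 137, not TCP.  Stateless on purpose, since the reply
    # above leaves open whether keep-state works together with layer-2 rules.
    # Frames from untrusted MACs never reach this rule (dropped at 1010).
    run ipfw add 200 allow udp from any to me 137 in via "$IFACE"
    # ... the rest of the usual layer-3 policy goes here; the default rule
    # 65535 is left as the kernel configured it.

    # --- layer-2 rules (n >= 1000) ---
    # Every rule here carries "layer2" so a layer-3 packet falling through
    # from above cannot match it.  MAC operands are written dst then src.
    run ipfw add 1000 allow all from any to any MAC any "$mac" layer2 in via "$IFACE"
    # Assumption: for ethertype-IP frames ipfw still parses the IP/UDP header,
    # so port 137 from any other NIC can be refused before ip_input sees it.
    run ipfw add 1010 deny udp from any to me 137 layer2 in via "$IFACE"
    # Remaining frames continue; their IP payload is re-checked against the
    # layer-3 rules on its second pass.
    run ipfw add 1020 allow all from any to any layer2
}

build_rules
```

Run it as root with DRYRUN=0 on the FreeBSD host to apply the rules; the rule numbers are arbitrary and only the ordering matters (the skipto target must sit after the last layer-3 rule). Check the two passes with `ipfw -a list` after some traffic: rule 1000 or 1010 should count the frame and rule 200 the same packet again.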


