From: John Nielsen
To: freebsd-ipfw@freebsd.org
Date: Mon, 14 Feb 2005 21:47:26 -0700
cc: vitadiazlistas
Subject: Re: To control access by MAC address of ethernets

On Monday 14 February 2005 09:34 am, vitadiazlistas wrote:
> Can somebody show me how ipfw2 works with regard to MAC addresses?
> Thanks

If you have net.link.ether.ipfw enabled, routed/natted packets can potentially hit the firewall up to four times, and each case ought to be considered (see the PACKET FLOW section of the ipfw manpage).

You want a pair of "layer2" rules (which may or may not include any IP addresses) and a pair of "not layer2" rules (which will include IP but not MAC addresses). I have a working setup that only allows traffic through from assigned MAC/IP pairs on the network. Here are the basics:

Add to /etc/sysctl.conf:

net.link.ether.ipfw=1
net.inet.ip.fw.one_pass=0   # (note that I don't remember exactly why this
                            # was necessary for my setup, but it might be relevant)

Firewall rules:

[flush, pipe flush, etc]
add allow layer2 not mac-type ip   # You need this or you will break ARP,
                                   # among other things
[pipe / queue definitions if using dummynet]
[natd, localhost, etc]
# user list:
add allow layer2 src-ip 10.0.0.5 mac any 00:11:22:33:44:55
add allow layer2 dst-ip 10.0.0.5 mac 00:11:22:33:44:55 any
add allow all from 10.0.0.5 to any not layer2
add allow all from any to 10.0.0.5 not layer2
# ... repeat the above four rules for each MAC/IP pair

Note that if you are using dummynet for IP traffic shaping then you probably want to specify "not layer2" on any rule that adds packets to a pipe or queue, or else packets might be inserted twice.

JN
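The "repeat the above four rules for each MAC/IP pair" step, as an added example that is not part of John's post: a small POSIX sh generator that emits the two layer2 and two not-layer2 rules per pair from an "ip mac" list, and refuses to emit anything if an entry is malformed (a typo in a MAC or IP should not silently turn into a looser rule). Rule numbers, the function names and the sample list are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Emits the four ipfw2 rules
# described above for each assigned MAC/IP pair. It only prints; review the
# output before feeding it to ipfw.

# Four rules for one pair. $1 = rule number, $2 = IP, $3 = MAC.
pair_rules() {
    num=$1; ip=$2; mac=$3
    # Layer-2 passes: the frame must carry both the assigned MAC and IP.
    # ipfw's "mac" option takes dst-mac then src-mac.
    printf 'add %s allow layer2 src-ip %s mac any %s\n' "$num" "$ip" "$mac"
    printf 'add %s allow layer2 dst-ip %s mac %s any\n' "$num" "$ip" "$mac"
    # Layer-3 passes: MAC addresses are not visible here, so match on IP only.
    printf 'add %s allow all from %s to any not layer2\n' "$num" "$ip"
    printf 'add %s allow all from any to %s not layer2\n' "$num" "$ip"
}

# Format checks so a malformed entry is rejected rather than mis-parsed.
valid_ip()  { echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
valid_mac() { echo "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'; }

# Read "ip mac" lines from stdin, starting at rule number $1 and stepping
# by 10 per pair. Returns 1 if any line was malformed.
build_user_list() {
    num=$1; rc=0
    while read -r ip mac; do
        [ -z "$ip" ] && continue
        if valid_ip "$ip" && valid_mac "$mac"; then
            pair_rules "$num" "$ip" "$mac"
            num=$((num + 10))
        else
            echo "malformed entry, not emitted: $ip $mac" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample list: one good entry, one with a truncated MAC.
printf '10.0.0.5 00:11:22:33:44:55\n10.0.0.6 00:11:22:33:44\n' \
    | build_user_list 1000 \
    || echo "list had errors; do not load this output into ipfw" >&2
```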