Date:      Mon, 6 Aug 2012 02:24:46 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        h bagade <bagadeh@gmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: problem with mac option on ipfw rule
Message-ID:  <20120806021230.I93465@sola.nimnet.asn.au>
In-Reply-To: <CAARSjE140_Z-7KLXQ2nx7fOGgYJqhQW4Dp=dhn32DCodMvbM6Q@mail.gmail.com>
References:  <CAARSjE140_Z-7KLXQ2nx7fOGgYJqhQW4Dp=dhn32DCodMvbM6Q@mail.gmail.com>

On Sun, 5 Aug 2012 13:40:21 +0430, h bagade wrote:
 > Hi all,
 > 
 > I have a problem with setting the mac option on an ipfw rule. I want to drop all
 > traffic except the traffic with source mac, for example, 11:22:33:44:55:66. I
 > thought it would be possible using the not option to do the work, and I have
 > a set of rules like this:
 > 
 > ipfw -q add 500 set 6 skipto 501 from any to any { not mac any 11:22:33:44:55:66}
 > ipfw -q add 501 set 6 drop altq test all from any to any
 > ipfw -q add 500 set 6 allow all from any to any
 > 
 > I expect it to drop traffic whose src mac is not 11:22:33:44:55:66, but it
 > doesn't work! I've checked it for traffic with and without
 > src-mac 11:22:33:44:55:66 and all of it is dropped!
 > 
 > Could anyone tell me what's wrong with my understanding?

Read section 'PACKET FLOW' in ipfw(8) carefully.  Apart from the need to 
separate out layer 3 packets before testing layer 2 headers against MAC 
addresses, it specifically warns about what 'not' means in that context.

Also check net.link.ether.ipfw in the SYSCTL VARIABLES section; without 
that set you won't see, so can't test, layer 2 packets at all.

cheers, Ian
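
The ruleset the reply points to, written out as an added example that is not part of the original thread or of the ipfw(8) man page: layer 2 frames are split off before any MAC test, and the MAC test is never negated, since `not mac ...` is true for layer 3 packets, which carry no MAC header at all. The rule numbers, set 6 and the MAC are placeholders; RUN=echo is a dry-run prefix, and the sysctl only matters on Ethernet interfaces.

```sh
#!/bin/sh
# Added example, not from the thread: drop every incoming frame except those
# whose source MAC is ALLOWED_MAC, following the ipfw(8) PACKET FLOW advice to
# split layer 2 frames from layer 3 packets before testing MAC addresses.
# Rule numbers, set 6 and the MAC are placeholders. Dry run by default (RUN=echo
# prints the commands); run with RUN= as root on the FreeBSD box to load them.

ALLOWED_MAC=${ALLOWED_MAC:-11:22:33:44:55:66}
RUN=${RUN:-echo}

load_mac_filter() {
    # Frames are only handed to ipfw at layer 2 when this sysctl is 1.
    $RUN sysctl net.link.ether.ipfw=1

    # 500: send incoming layer 2 frames to the MAC checks at 1000.
    # Everything else (layer 3 packets, outgoing frames) falls through to 510.
    $RUN /sbin/ipfw -q add 500 set 6 skipto 1000 all from any to any layer2 in

    # 510: layer 3 packets have no MAC header, so they cannot be MAC-tested
    # here; incoming ones on Ethernet were already screened as frames at
    # 1000-1010. This is also why the original 'not mac any <mac>' matched
    # every layer 3 packet: a negated MAC test is true when there is no header.
    $RUN /sbin/ipfw -q add 510 set 6 allow all from any to any

    # 1000: 'mac dst src' order, so 'mac any $ALLOWED_MAC' tests the source.
    $RUN /sbin/ipfw -q add 1000 set 6 allow all from any to any \
        mac any "$ALLOWED_MAC" layer2 in
    # 1010: every other incoming frame (IP, ARP, ...) is dropped.
    $RUN /sbin/ipfw -q add 1010 set 6 deny all from any to any layer2 in
}

load_mac_filter
```

Restricting the skipto to `in` keeps the host's own outgoing frames, whose source MAC is the host's, from being dropped by rule 1010.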

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120806021230.I93465>