From: Philipp Wuensche <cryx-freebsd@h3q.com>
Date: Mon, 29 Jan 2007 18:13:00 +0100
To: Frank Staals
Cc: questions@FreeBSD.org
Subject: Re: PF and MAC-Filtering ?
Message-ID: <45BE2B1C.8010302@h3q.com>
In-Reply-To: <45BDF715.6010703@gmx.net>

Frank Staals wrote:
> I'm trying to get my FreeBSD gateway with PF firewall to only allow
> access to my network and internet from a couple of computers through MAC
> filtering. I couldn't really find out what rules I should use; from the
> information I found on Google I tried something like this, but it seems
> that PF doesn't see the entry(ies) in my mac-table as a MAC address (only
> pasted the related rules):
>
> block log
>
> ### Only allow WLAN connections from trusted Systems::
> table persist file "/usr/local/etc/pf/wlanmacs"
> pass in on $wlanif from src to any keep state
> pass out on $wlanif from any to src keep state
>
> with in /usr/local/etc/pf/wlanmacs one MAC address on each line; example:
>
> 00:0b:7b:23:33:25
>
> As I said, it doesn't seem that PF gets that it should treat the entries
> in the table as MAC addresses. How can I do that? Or is there a better
> way to achieve the same result?

Just filter by IP address on your gateway; it gives you the same level of security as filtering by MAC address. And configure your basestation to only accept clients with MAC addresses you have allowed.

If you need some kind of authentication, take a look at authpf.

greetings,
philipp
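The reply's approach, written out as an added example that is not part of the thread or of anyone's posted configuration. PF tables only hold IP addresses and networks, which is why the original table of MAC addresses did not work; the table file here lists trusted hosts by address instead, and the base station's own MAC allow-list does the link-layer part. The interface name `ath0`, the table name `wlanhosts` and the file path are assumptions.

```pf
# Added example (not from the thread). PF tables contain IP addresses
# and CIDR networks, never MAC addresses, so the trusted wireless
# clients are listed by address. Interface name and file path assumed.
wlanif = "ath0"

# /usr/local/etc/pf/wlanhosts holds one address or network per line,
# for example (constructed values):
#   192.168.23.150
#   192.168.23.0/28
table <wlanhosts> persist file "/usr/local/etc/pf/wlanhosts"

set skip on lo0

# Default deny, logged, so unexpected clients show up in pflog.
block log all

# Only trusted wireless hosts may open connections through the gateway;
# the state entry lets the replies back in.
pass in on $wlanif inet from <wlanhosts> to any keep state

# Traffic from elsewhere towards the trusted hosts (and its replies).
pass out on $wlanif inet from any to <wlanhosts> keep state
```

Check the ruleset without loading it with `pfctl -nf /etc/pf.conf`; a MAC address left in the table file shows up there as a parse error rather than silently failing to match. After editing the file, `pfctl -t wlanhosts -T replace -f /usr/local/etc/pf/wlanhosts` swaps the table contents without reloading the rules. Because addresses can be forged by any client the access point admits, this ruleset is only as strong as the access point's MAC allow-list and encryption, which is the point the reply makes; authpf is the way to tie access to a login rather than an address.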