Date:      21 Apr 2003 11:35:54 -0400
From:      Lowell Gilbert <freebsd-questions-local@be-well.no-ip.com>
To:        The Jetman <jetman3@netzero.net>
Cc:        FBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: [Q-4.8-R] Can Anyone Help With Questions About MAC Filtering and IPFW2 ?
Message-ID:  <44k7dnoobp.fsf@be-well.ilk.org>
In-Reply-To: <Sea2-DAV49GTuAyHsjC00000c83@hotmail.com>
References:  <Sea2-DAV49GTuAyHsjC00000c83@hotmail.com>

"The Jetman" <jetman516@hotmail.com> writes:

It's somewhat difficult to read and make sense out of your message.  

>     I'm using 4.8-RELEASE to implement MAC-filtering bridge for my 
> wireless network.  Altho I am relatively new w/ FBSD (since Apr '02), 
> I've been getting the desired results writing my own rules for IPFW.  My 
> 1st attempt w/ IPFW2 was successful, but I can't figure out why !

> ${fwcmd} -f flush
> ####    permit all traffic from our wksta to anywhere via our internal iface
> (1)  ${fwcmd} add permit ${ipanyany} MAC any ${wksmac} in via ${iif}
> ${fwcmd} add permit ${ipanyany} MAC ${wksmac} any out via ${iif}
> ####    permit all traffic from/to the outside iface....
> ${fwcmd} add permit ${ipanyany} MAC ${oifmac} any in via ${oif}
> ${fwcmd} add permit ${ipanyany} MAC any ${oifmac} out via ${oif}
> ####    block anything else coming from/going to the internal iface....
> (2) ${fwcmd} add deny log ${ipanyany} MAC any any in via ${iif}
> (3) ${fwcmd} add allow ${ipanyany}
>
>     Only rules (1), (2), and (3) fire.  Rule (1) fires for obvious 
> reasons (bec it matches the pattern I've anticipated.)  Bec of how IP-based 
> IPFW1 rules work, I *thought* one would have to have matching inbound/outbound 
> rules.  What's most baffling is that non-approved MAC addrs are blocked 
> as desired [at rule (2)], but legal traffic is permitted back thru the bridge 
> to its sender [via rule (3).]  WHY ????

It's not clear to me how a bare IP address (without "to" or "from" or
option keyword) is supposed to be interpreted.  Does it matter if you
add those in?
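An added example, not from this thread: a small first-match model of the quoted rule set, useful for seeing which rule a given frame would hit. The MAC addresses, interface names and rule numbers are constructed placeholders, and ipfw2's "MAC dst-mac src-mac" operand order is assumed.

```python
# Constructed first-match model of the quoted ipfw2 rule set (not a real ipfw).
from dataclasses import dataclass
from typing import Optional

WKSMAC = "00:11:22:33:44:55"   # placeholder for ${wksmac}
OIFMAC = "00:aa:bb:cc:dd:ee"   # placeholder for ${oifmac}
IIF, OIF = "wi0", "fxp0"       # placeholders for ${iif} and ${oif}


@dataclass
class Pkt:
    direction: str   # "in" or "out", as seen by the firewall
    iface: str       # interface the "via" keyword would test
    src_mac: str
    dst_mac: str


@dataclass
class Rule:
    num: int
    action: str                      # "permit" or "deny"
    dst_mac: Optional[str] = None    # None stands for "any"
    src_mac: Optional[str] = None
    direction: Optional[str] = None
    iface: Optional[str] = None

    def matches(self, p: Pkt) -> bool:
        # Every specified operand must match; unspecified ones are wildcards.
        return all(want is None or want == have for want, have in (
            (self.dst_mac, p.dst_mac), (self.src_mac, p.src_mac),
            (self.direction, p.direction), (self.iface, p.iface)))


# The quoted rules in order; "MAC any ${wksmac}" means dst any, src wksmac.
RULES = [
    Rule(100, "permit", None, WKSMAC, "in", IIF),    # (1) from workstation
    Rule(200, "permit", WKSMAC, None, "out", IIF),   # back to workstation
    Rule(300, "permit", OIFMAC, None, "in", OIF),    # outside iface, in
    Rule(400, "permit", None, OIFMAC, "out", OIF),   # outside iface, out
    Rule(500, "deny", None, None, "in", IIF),        # (2) anything else in
    Rule(600, "permit"),                             # (3) allow ip any to any
]


def first_match(p: Pkt, rules=RULES) -> Rule:
    """Return the first matching rule; like ipfw, evaluation stops there."""
    for r in rules:
        if r.matches(p):
            return r
    raise LookupError("no rule matched")
```

Note that the only deny is qualified "in via ${iif}", so a frame the bridge sends out ${iif} toward an address other than ${wksmac} is never denied; it falls through to the final allow, which is where tracing unexpected matches against rule (3) should start.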


