From: "Lubomir Georgiev" <0shady0recs0@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Tue, 24 Apr 2007 20:00:44 +0300
Message-ID: <937e203f0704241000k1db56507jba1b0ac89cd3aece@mail.gmail.com>
Subject: ipfw with nat - allowing by MAC address
List-Id: IPFW Technical Discussions

OK, so let's get started. Here's my ruleset -

00300 131732 19262748 skipto 1200 ip from any to any { MAC any 00:19:d2:36:b8:48 or MAC 00:19:d2:36:b8:48 any } layer2
00500 4723 1941536 skipto 1400 ip from any to any layer2
01203 68479 8449298 divert 8668 ip from 192.168.1.0/24 to any out via fxp0
01205 71215 16745674 divert 8668 ip from any to me in via fxp0
*01250 410160 534966441 queue 1 ip from any to any src-port 80 via fxp0
*01251 143290 14139299 queue 1 ip from any to any dst-port 80 via fxp0
*01300 2711668 1462734503 queue 2 ip from any to any not src-port 80 via fxp0
01400 12581325 6691776490 allow ip from any to any

I've marked the dummynet rules with an asterisk. I'm using Patrick's ruleset - since I'm only allowing internet access for a single machine I've combined his first two rules into one. My internal network is 192.168.1.0/24 and my external iface is fxp0.

What I'm experiencing right now as I'm using this set is this - I have internet on the machine I desired /OK/ and on all others with ip 192.168.1.X /not OK, obviously :)/ regardless of MAC. For me, the rules that concern layer2 don't do what they're supposed to and thusly the traffic reaches rule 1203 and 1205 and onward. Interestingly enough, traffic does hit the first and second rule.

Here's my uname -

FreeBSD bogoqho.com 6.1-RELEASE FreeBSD 6.1-RELEASE #1: Sun Apr 8 10:54:10 EEST 2007 tldstyl3@bogoqho.com:/usr/src/sys/i386/compile/bogoqho i386

And my sysctl -

bogoqho# sysctl -a | egrep "one_pass\|ether"
bogoqho#

which as you can see returns nothing using the command you instructed me to use. If there's anything that would help you - just say the word... Let's brainstorm :)

-- 
mEsS wItH tHe bEsT dIE liKe tHe rESt
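To see which rule a LAN host's packet actually stops at in the ruleset above, here is a small Python model of ipfw's rule walk. It is an added example, not code from the poster or from ipfw: it implements only the keywords that ruleset uses (layer2, MAC, a source network, "to me", in/out via, src-port/dst-port with not, skipto, and divert/queue/allow as search-ending actions) and traces two of the passes a packet gets with net.link.ether.ipfw=1: the layer-2 pass as the frame arrives on the LAN interface (the name rl0, the router's LAN MAC and the host/destination addresses are constructed placeholders) and the layer-3 pass as the packet leaves on fxp0. The MAC in rule 300 is taken from the mail.

```python
# Added example (not from the poster's mail or from ipfw itself): a minimal
# model of ipfw's rule walk, covering only the keywords the ruleset uses, to
# show which rule a LAN host's packet first stops at on each pass.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    iface: str            # interface the packet is seen on
    direction: str        # "in" or "out"
    layer2: bool = False  # True only on the layer-2 pass (net.link.ether.ipfw=1)
    src_mac: str = ""
    dst_mac: str = ""
    src_port: int = 0
    dst_port: int = 0
    to_me: bool = False   # destination is one of the router's own addresses


@dataclass
class Rule:
    number: int
    action: str            # "skipto", "divert", "queue" or "allow"
    arg: int = 0           # skipto target, divert port or queue number
    src_net: str = "any"
    dst_me: bool = False   # "to me"
    layer2: bool = False   # "layer2": matches only on the layer-2 pass
    macs: tuple = ()       # (dst_mac, src_mac) pairs as ipfw writes them; OR-ed
    iface: str = ""        # "via <iface>"
    direction: str = ""    # "in"/"out" in front of via; "" means either
    src_port: int = 0
    not_src_port: bool = False
    dst_port: int = 0

    def matches(self, pkt: Packet) -> bool:
        """All options of a rule must hold for the rule to match."""
        if self.layer2 and not pkt.layer2:
            return False
        if self.src_net != "any" and ip_address(pkt.src_ip) not in ip_network(self.src_net):
            return False
        if self.dst_me and not pkt.to_me:
            return False
        if self.macs and not any(d in ("any", pkt.dst_mac) and s in ("any", pkt.src_mac)
                                 for d, s in self.macs):
            return False
        if self.iface and pkt.iface != self.iface:
            return False
        if self.direction and pkt.direction != self.direction:
            return False
        if self.src_port and (pkt.src_port == self.src_port) == self.not_src_port:
            return False
        if self.dst_port and pkt.dst_port != self.dst_port:
            return False
        return True


def walk(rules, pkt):
    """Rule numbers visited in order, ending at the first matching non-skipto
    rule (divert, queue and allow all end the search in this model).
    65535 stands for the default rule."""
    rules = sorted(rules, key=lambda r: r.number)
    visited, i = [], 0
    while i < len(rules):
        rule = rules[i]
        if not rule.matches(pkt):
            i += 1
            continue
        visited.append(rule.number)
        if rule.action != "skipto":
            return visited
        # skipto N continues at the first rule numbered >= N
        i = next((k for k, r in enumerate(rules) if r.number >= rule.arg), len(rules))
    return visited + [65535]


HOST_MAC = "00:19:d2:36:b8:48"    # the MAC in the poster's rule 300
ROUTER_MAC = "02:00:00:00:00:01"  # constructed placeholder for the router's LAN MAC

# The poster's ruleset, transcribed without its packet/byte counters.
RULESET = [
    Rule(300, "skipto", 1200, layer2=True, macs=(("any", HOST_MAC), (HOST_MAC, "any"))),
    Rule(500, "skipto", 1400, layer2=True),
    Rule(1203, "divert", 8668, src_net="192.168.1.0/24", iface="fxp0", direction="out"),
    Rule(1205, "divert", 8668, dst_me=True, iface="fxp0", direction="in"),
    Rule(1250, "queue", 1, src_port=80, iface="fxp0"),
    Rule(1251, "queue", 1, dst_port=80, iface="fxp0"),
    Rule(1300, "queue", 2, src_port=80, not_src_port=True, iface="fxp0"),
    Rule(1400, "allow"),
]


def trace_lan_host(src_mac, lan_iface="rl0"):
    """One outbound web request from a LAN host (constructed addresses), seen
    by ipfw at layer 2 as the frame arrives on the LAN interface (name assumed)
    and at layer 3 as the packet leaves on fxp0. Returns (l2 trace, l3 trace)."""
    l2 = Packet("192.168.1.77", "203.0.113.10", lan_iface, "in", layer2=True,
                src_mac=src_mac, dst_mac=ROUTER_MAC, dst_port=80)
    l3 = Packet("192.168.1.77", "203.0.113.10", "fxp0", "out", dst_port=80)
    return walk(RULESET, l2), walk(RULESET, l3)


if __name__ == "__main__":
    for mac in (HOST_MAC, "00:11:22:33:44:55"):  # the allowed MAC and a constructed stranger
        print(mac, trace_lan_host(mac))
```

Running it shows the same shape for both MACs: on the layer-2 pass the allowed host goes 300 -> 1400 and any other host goes 500 -> 1400, so both are allowed, and on the layer-3 pass neither layer2 rule is eligible, so every 192.168.1.x source stops at 1203 and is diverted to natd. Nothing in the walk ever denies a frame whose MAC is not listed, which is what the model is there to make visible. Two checks worth keeping in mind when reading the mail: a rule carrying the layer2 keyword can only accumulate counters on a layer-2 pass, so the non-zero counts on rules 300 and 500 already show that net.link.ether.ipfw is 1 on that box; and in egrep a backslashed pipe is a literal "|" rather than alternation, so a pattern written as "one_pass\|ether" matches nothing even when net.inet.ip.fw.one_pass and net.link.ether.ipfw are present.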