Date:      Tue, 05 Jul 2005 19:55:54 +0200
From:      Robert Klein <>
To:        vladone <>
Subject:   Re: rules to permit only few MAC address
Message-ID:  <>
In-Reply-To: <>
References:  <>

vladone schrieb:

>I want to permit only few MAC address to pass on my gateway.
>I put in my script this line:
>ipfw -q -f flush
>cmd="/sbin/ipfw -q"
>$cmd add 110 skipto 5000 MAC any 00:0e:a6:81:40:3e in via $pif
>$cmd add 120 skipto 5000 MAC any 00:50:8b:6b:0c:b2 in via $pif
>$cmd add 500 deny log MAC any any in via $pif
>$cmd add 5000 divert natd all from any to any via $oif
>but it does not work (it blocks legitimate traffic). How can I do this job?

mmm, if I'm right, network traffic passes through IPFW2 twice, first on 
layer 2 and later on layer 3, so you have to allow traffic on layer three...
ok, the interface was an fxp a long time ago, so I still use $FXP, 
though the interface is an em, now.....:P

Here's a part of my code:

# ipfw binary (this definition was missing from the posted snippet)
IPFW="/sbin/ipfw"
ALL="add allow MAC any"
FXP="in via em0"
$IPFW -q flush
$IPFW -q pipe flush

# allow everything not on layer 2
$IPFW add allow all from any to any not layer2

# localhost traffic
$IPFW add allow layer2 via lo0

# outbound interface
$IPFW add allow layer2 via tun0

# out via em0;
$IPFW add allow layer2 out via em0

# in via em0; hostile internal network
$IPFW $ALL xx:xx:xx:xx:xx:xx $FXP
$IPFW $ALL yy:yy:yy:yy:yy:yy $FXP

# everything else coming in via em0 is dropped and logged
$IPFW add deny log logamount 0 MAC any any $FXP
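The following is an added example, not code from either poster: a complete MAC allowlist script for the original questioner's setup (MAC filtering on the inside interface plus natd on the outside) that takes Robert's point into account, namely that ipfw evaluates every packet twice, once as a layer-2 frame and once at layer 3. Rules carrying the `layer2` or `MAC` options only match in the layer-2 pass, so the layer-2 pass ends at an explicit allow or deny and never reaches the NAT rule; the layer-3 pass skips all of those rules and only hits the `divert natd` and IP `allow` rules at the end. The interface names em0 and tun0, the `IPFW`/`LAN_IF`/`WAN_IF` variables and the `build_rules`/`apply_rules` helpers are assumptions of this example, and it presumes `net.link.ether.ipfw=1` is set, otherwise ipfw never sees layer-2 frames. Run it with `IPFW=echo ./macfilter.sh apply` to see what would be loaded without touching the firewall.

```shell
#!/bin/sh
# Added example, not code from either poster. Assumptions: inside interface em0,
# outside interface tun0 (both hypothetical), natd already running, and the
# sysctl net.link.ether.ipfw=1 set so ipfw is handed layer-2 frames at all.
# Set IPFW=echo to dry-run the rule loading.

IPFW="${IPFW:-/sbin/ipfw}"
LAN_IF="${LAN_IF:-em0}"
WAN_IF="${WAN_IF:-tun0}"
# Constructed sample list (the two MACs from the question); replace with real ones.
ALLOWED_MACS="${ALLOWED_MACS:-00:0e:a6:81:40:3e 00:50:8b:6b:0c:b2}"

# Accept only a well-formed aa:bb:cc:dd:ee:ff address. A typo here would
# otherwise become a rule that matches nothing, and the host would be
# silently caught by the final deny.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Emit the rule set, one "add ..." argument list per line.
# Rules with "layer2" or "MAC" only match in the layer-2 pass, so every frame
# is accepted or denied before rule 1000; the layer-3 pass falls straight
# through to the NAT and IP rules.
build_rules() {
    lan="$1"; wan="$2"; macs="$3"
    # layer-2 pass: frames not arriving from the LAN are not subject to the allowlist
    echo "add 100 allow layer2 via lo0"
    echo "add 110 allow layer2 via $wan"
    echo "add 120 allow layer2 out via $lan"
    # layer-2 pass: one rule per permitted source MAC on the inside interface
    n=200
    for mac in $macs; do
        is_mac "$mac" || { echo "build_rules: bad MAC '$mac'" >&2; return 1; }
        echo "add $n allow MAC any $mac in via $lan"
        n=$((n + 10))
    done
    # layer-2 pass: everything else from the LAN is dropped and logged
    echo "add 500 deny log MAC any any in via $lan"
    # layer-3 pass: NAT on the outside interface, then let IP through
    echo "add 1000 divert natd ip from any to any via $wan"
    echo "add 1100 allow ip from any to any"
}

# Flush the firewall and load the generated rules through $IPFW.
apply_rules() {
    $IPFW -q -f flush || return 1
    build_rules "$1" "$2" "$3" | while read -r rule; do
        # word-splitting $rule into separate ipfw arguments is intended
        $IPFW -q $rule || exit 1
    done
}

case "${1:-show}" in
    show)  build_rules "$LAN_IF" "$WAN_IF" "$ALLOWED_MACS" ;;
    apply) apply_rules "$LAN_IF" "$WAN_IF" "$ALLOWED_MACS" ;;
esac
```

The deny at rule 500 is what makes the allowlist effective; the `log` keyword on it is worth keeping, since a burst of denied frames from an unknown MAC on the inside interface is exactly the event you want to notice.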

