Date: Tue, 05 Jul 2005 19:55:54 +0200
From: Robert Klein <RoKlein@roklein.de>
To: vladone <vladone@llwb135.servidoresdns.net>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: rules to permit only few MAC address
Message-ID: <42CAC9AA.9040708@roklein.de>
In-Reply-To: <1904693964.20050705145004@llwb135.servidoresdns.net>
References: <1904693964.20050705145004@llwb135.servidoresdns.net>
vladone wrote:
> I want to permit only a few MAC addresses to pass on my gateway.
> I put in my script these lines:
> ipfw -q -f flush
> cmd="/sbin/ipfw -q"
> oif="rl0"
> pif="fxp1"
>
> $cmd add 110 skipto 5000 MAC any 00:0e:a6:81:40:3e in via $pif
> $cmd add 120 skipto 5000 MAC any 00:50:8b:6b:0c:b2 in via $pif
> ..............................................................
> $cmd add 500 deny log MAC any any in via $pif
>
> $cmd add 5000 divert natd all from any to any via $oif
>
> but it does not work (blocks legitimate traffic). How can I do this job?

mmm, if I'm right, network traffic passes through IPFW2 twice, first on layer 2 and later on layer 3, so you have to allow traffic on layer three...

ok, the interface was an fxp a long time ago, so I still use $FXP, though the interface is an em, now.....:P

Here's a part of my code:

#!/bin/sh
IPFW=/sbin/ipfw
ALL="add allow MAC any "
FXP="in via em0"

$IPFW -q flush
$IPFW -q pipe flush

# allow everything not on layer 2
$IPFW add allow all from any to any not layer2

# localhost traffic
$IPFW add allow layer2 via lo0

# outbound interface
$IPFW add allow layer2 via tun0

# out via em0;
$IPFW add allow layer2 out via em0

# in via em0; hostile internal network
$IPFW $ALL xx:xx:xx:xx:xx:xx $FXP
$IPFW $ALL yy:yy:yy:yy:yy:yy $FXP
....
$IPFW add deny log logamount 0 MAC any any $FXP

regards,
Robert
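An added example (not from either message in this thread) that builds the same two-pass rule set as a reviewable list before loading it: the layer-3 pass is allowed first, then the trusted layer-2 paths, then one allow per approved source MAC on the inside interface, then the logged deny. Interface names em0 (inside) and tun0 (outside), the function names, and the sample MACs are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Layer-2 rules only match when
# the sysctl net.link.ether.ipfw is set to 1 on FreeBSD.

# norm_mac MAC -> prints the lower-cased address, returns 1 if malformed
norm_mac() {
    m=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    h='[0-9a-f][0-9a-f]'
    case "$m" in
        $h:$h:$h:$h:$h:$h) printf '%s\n' "$m" ;;
        *) return 1 ;;
    esac
}

# gen_mac_rules INSIDE_IF OUTSIDE_IF MAC... -> one ipfw rule body per line
gen_mac_rules() {
    inif=$1; outif=$2; shift 2
    # every packet is seen twice: let the layer-3 pass through untouched
    echo "add allow all from any to any not layer2"
    # layer-2 frames on loopback, on the outside link, and leaving inside
    echo "add allow layer2 via lo0"
    echo "add allow layer2 via $outif"
    echo "add allow layer2 out via $inif"
    # MAC dst src: 'any' destination, approved source, inbound on inside
    for mac in "$@"; do
        m=$(norm_mac "$mac") || { echo "bad MAC: $mac" >&2; return 1; }
        echo "add allow MAC any $m in via $inif"
    done
    # every other frame arriving on the inside interface is logged and dropped
    echo "add deny log MAC any any in via $inif"
}

# apply_rules INSIDE_IF OUTSIDE_IF MAC...: DRY_RUN=1 prints, otherwise loads
apply_rules() {
    rules=$(gen_mac_rules "$@") || return 1
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$rules"
    else
        /sbin/ipfw -q flush
        printf '%s\n' "$rules" | while IFS= read -r r; do
            /sbin/ipfw -q $r   # word splitting of $r is intended here
        done
    fi
}
```

Run with DRY_RUN=1 first and compare the printed list against `ipfw show` after loading; a rejected MAC aborts before anything is flushed.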