From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 5 20:29:05 2005
From: vladone <vladone@llwb135.servidoresdns.net>
Date: Tue, 5 Jul 2005 23:29:25 +0300
To: freebsd-ipfw@freebsd.org
Subject: Re: rules to permit only few MAC address
Message-ID: <598121599.20050705232925@llwb135.servidoresdns.net>
In-Reply-To: <8eea04080507051118692d783c@mail.gmail.com>
References: <1904693964.20050705145004@llwb135.servidoresdns.net> <8eea04080507051118692d783c@mail.gmail.com>
List-Id: IPFW Technical Discussions (freebsd-ipfw@freebsd.org)
X-Mailer: The Bat! (v3.0.1.33) Professional

Hello Jon,

Tuesday, July 5, 2005, 9:18:20 PM, you wrote:

> On 7/5/05, vladone wrote:
>> I want to permit only a few MAC addresses to pass on my gateway.
> MAC filtering is done at layer 2, so you need to allow ipfw access to
> the layer 2 packets via
>
>   sysctl -w net.link.ether.ipfw=1
>
> And you may desire rules to only allow arp from certain machines, like:
>
>   allow ip from any to any mac-type 0x0806 MAC any 00:11:22:33:44:55 in recv fxp1 layer2
>
> And traffic, like:
>
>   allow ip from any to any MAC any 00:11:22:33:44:55 in recv fxp1 layer2
>
> Because you're going to have packets traversing ipfw up to 4 times
> (layer2 in, layer3 in, layer3 out, layer2 out) you might want to split
> your firewall rules for efficiency, something like:
>
>   50 skipto 10000 ip from any to any in recv fxp1 not layer2 // ip traffic inbound fxp1
>   60 skipto 12000 ip from any to any in recv fxp0 not layer2 // ip traffic inbound fxp0
>   70 skipto 14000 ip from any to any in recv fxp1 layer2     // ether traffic inbound fxp1
>   80 skipto 16000 ip from any to any in recv fxp0 layer2     // ether traffic inbound fxp0
>
> I've done similar things in the past. Hopefully this gives you some ideas.

Thanks! Now it seems to be ok. But I don't know how mac-type works. I see
different addresses passed as the parameter, like: mac-type 0x809b or
mac-type 0x80f3 or mac-type 0x0023 ....

-- 
Best regards,
 vladone                            mailto:vladone@llwb135.servidoresdns.net
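Added example for this thread (it is not Jon's or vladone's actual ruleset): a complete MAC allow-list for a FreeBSD ipfw gateway laid out with the four-way skipto split Jon describes, plus a small decoder for the `mac-type` values vladone asks about. `mac-type` matches the 16-bit Ethernet Type field of the frame, written in hex with a `0x` prefix or as a symbolic name; 0x0806 is ARP, 0x809b is AppleTalk and 0x80f3 is AppleTalk ARP, while anything below 0x0600 (such as 0x0023) is an IEEE 802.3 length field rather than a type. Assumptions that do not come from the original mails: the LAN side is fxp1 and the WAN side fxp0 (overridable through `LAN_IF`/`WAN_IF`), the two addresses in `ALLOWED_MACS` are made up, the symbolic names in the table are the ones I recall from ipfw's own EtherType list, and ipfw is invoked through `$IPFW` so the script can be dry-run with `IPFW=echo` on any machine.

```shell
#!/bin/sh
# Added example (not from the original thread): MAC allow-list on an ipfw
# gateway, following the layer2/layer3 skipto layout from the reply above.
#
# Assumptions (none from the original mails): LAN_IF/WAN_IF defaults,
# made-up MAC addresses, ipfw reachable as $IPFW (use IPFW=echo to dry-run).

IPFW="${IPFW:-ipfw}"
LAN_IF="${LAN_IF:-fxp1}"
WAN_IF="${WAN_IF:-fxp0}"

# Constructed allow-list: only frames whose *source* MAC is one of these may
# enter on $LAN_IF. ipfw's MAC keyword takes "dst src", so a source-only
# match is written "MAC any <addr>".
ALLOWED_MACS="00:11:22:33:44:55 00:11:22:33:44:66"

# mac-type matches the frame's Ethernet Type field. The numbers are standard
# IEEE assignments; the names are the ones I recall ipfw accepting
# ("ipfw -N show" prints them), so treat the names as an assumption.
ethertype_name() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        0x0800|0x800) echo ipv4 ;;        # IPv4
        0x0806|0x806) echo arp ;;         # ARP
        0x8035)       echo rarp ;;        # Reverse ARP
        0x8100)       echo vlan ;;        # 802.1Q tag
        0x809b)       echo atalk ;;       # AppleTalk
        0x80f3)       echo aarp ;;        # AppleTalk ARP
        0x86dd)       echo ipv6 ;;        # IPv6
        0x8863)       echo pppoe_disc ;;  # PPPoE discovery
        0x8864)       echo pppoe_sess ;;  # PPPoE session
        *)
            # Below 0x0600 (1536) the field is an IEEE 802.3 length, not a
            # type, so 0x0023 describes a 35-byte LLC frame, not a protocol.
            if [ "$(printf '%d' "$1")" -lt 1536 ]; then
                echo 802.3-length
            else
                echo unknown
            fi ;;
    esac
}

# Emit the rule bodies (without the leading "ipfw add"), one per line.
gen_rules() {
    # Each packet crosses ipfw up to four times; steer each pass to its block.
    echo "50 skipto 10000 ip from any to any in recv $LAN_IF not layer2"
    echo "60 skipto 12000 ip from any to any in recv $WAN_IF not layer2"
    echo "70 skipto 14000 ip from any to any in recv $LAN_IF layer2"
    echo "80 skipto 16000 ip from any to any in recv $WAN_IF layer2"
    # The two outbound passes (layer3 out, layer2 out) are not filtered here.
    echo "90 allow ip from any to any out"

    # 10000: layer3 in from the LAN; the frame already passed the MAC check.
    echo "10000 allow ip from any to any in recv $LAN_IF"

    # 12000: layer3 in from the WAN. Minimal placeholder policy; replace with
    # the gateway's real WAN rules.
    echo "12000 allow tcp from any to any in recv $WAN_IF established"
    echo "12001 deny ip from any to any in recv $WAN_IF"

    # 14000: layer2 in from the LAN, the MAC allow-list proper. One ARP rule
    # and one catch-all rule per permitted source address.
    n=14000
    for mac in $ALLOWED_MACS; do
        echo "$n allow ip from any to any mac-type arp MAC any $mac in recv $LAN_IF layer2"
        n=$((n + 1))
        echo "$n allow ip from any to any MAC any $mac in recv $LAN_IF layer2"
        n=$((n + 1))
    done
    # Frames from unknown sources must not fall through into the next block.
    echo "14999 deny ip from any to any in recv $LAN_IF layer2"

    # 16000: layer2 in from the WAN; no MAC filtering on that side.
    echo "16000 allow ip from any to any in recv $WAN_IF layer2"
}

# Load the rule set: enable layer2 inspection, flush, then add each rule.
apply_rules() {
    sysctl net.link.ether.ipfw=1
    "$IPFW" -q -f flush
    gen_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting into ipfw tokens is intended
        "$IPFW" -q add $rule
    done
}

if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Run `sh mac-allowlist.sh` to just define the functions, `IPFW=echo sh mac-allowlist.sh apply` to print the commands that would be issued, and `sh mac-allowlist.sh apply` as root to load them. Two caveats worth keeping in mind: the explicit `14999 deny` is what makes the list an allow-list, because without it an unmatched LAN frame would fall into the 16000 block and be accepted; and a source MAC is trivially forged, so this keeps casual hosts off the gateway but is not authentication.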