From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 19 21:27:11 2007
Date: Fri, 20 Apr 2007 00:00:15 +0300
From: "Lubomir Georgiev" <0shady0recs0@gmail.com>
To: freebsd-ipfw@freebsd.org
Subject: ipfw with nat - allowing by MAC address
Message-ID: <937e203f0704191400i10ae5751ka41c17e40e4eff99@mail.gmail.com>
List-Id: IPFW Technical Discussions

Hi all,

I've lost 2 nights' sleep over this and I still can't get through it! Here's the thing: I have a FreeBSD box with ipfw and natd running. My interfaces are:

    internal - xl0 /3com/ - ip 192.168.1.254
    external - fxp0 - 10.11.0.33

ipfw l

    00200 skipto 1200 ip from 192.168.1.100 to not me via fxp0
    #00400 skipto 1200 ip from 192.168.1.0/24 to not me layer2 out
    #00600 skipto 1200 ip from any to any MAC any 00:19:d2:36:b8:48 layer2 in
    00800 skipto 1200 ip from { not 10.11.0.0/24 or not 192.168.0.0/24 } to me
    01000 skipto 1400 ip from any to any
    01200 divert 8668 ip from any to any via fxp0
    $01250 queue 1 ip from any to any src-port 80 via fxp0
    $01251 queue 1 ip from any to any dst-port 80 via fxp0
    $01300 queue 2 ip from any to any not src-port 80 via fxp0
    01400 allow ip from any to any
    65535 deny ip from any to any

And now for some explaining: the lines with # in front are my futile tries to accomplish my goal, and the ones with $ concern dummynet, which isn't the issue here.

Here's what I want to do. I want to filter, by MAC address, the computers that will get NATed, and allow them as well as the others (who won't get NATed) to reach localhost. I don't use DHCP. I have read numerous articles and have tried many different strategies but none of them seem to work.

In other words, I want to allow the MAC addresses of machines which will have internet access, and the others will just be able to access localhost so that I can get in with ssh if needed.

I hope I was able to explain what I want to do, and of course ANY help would be GREATLY appreciated.

10x in advance...

-- 
mEsS wItH tHe bEsT dIE liKe tHe rESt
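An added example, not part of the original post and not FreeBSD's own rc.firewall: a small rc-style script that builds a ruleset for the goal described above (NAT only for hosts on a MAC allow-list, everyone else on the LAN reaches the box itself only). It takes the interface names, addresses and natd port from the post; the MAC allow-list, the rule numbers and the function names are constructed for the example. The keywords used (layer2, MAC, mac-type, recv, xmit, divert, me) are those documented in ipfw(8); check the exact syntax against the ipfw version on the box.

```shell
#!/bin/sh
# Added example: MAC-gated NAT with ipfw + natd (constructed ruleset, not the poster's).
# Interfaces, addresses and the divert port come from the post; the MAC list is made up.

INT_IF=${INT_IF:-xl0}               # inside interface, 192.168.1.254
EXT_IF=${EXT_IF:-fxp0}              # outside interface, 10.11.0.33
INT_NET=${INT_NET:-192.168.1.0/24}
DIVERT_PORT=${DIVERT_PORT:-8668}    # natd -p 8668, as in the post
# Constructed allow-list, one MAC per word: only these hosts are NATed.
NAT_MACS=${NAT_MACS:-"00:19:d2:36:b8:48 00:11:22:33:44:55"}

# Emit one ipfw command body per line. Nothing is applied until apply_rules runs them.
build_rules() {
    # ARP has to survive the layer-2 pass or no LAN host can even resolve this box;
    # it goes first so that rule 400 and the default deny never see it.
    echo "add 100 allow all from any to any mac-type arp layer2"

    # Layer-2 pass, frames entering on the inside interface.
    # 'MAC dst src': destination any, source = an allowed client.
    for mac in $NAT_MACS; do
        echo "add 200 allow ip from any to any MAC any $mac layer2 in recv $INT_IF"
    done
    # Unlisted LAN hosts may talk to this box only (ssh and the like), nothing else.
    echo "add 300 allow ip from $INT_NET to me layer2 in recv $INT_IF"
    echo "add 400 deny ip from any to any layer2 in recv $INT_IF"
    # Every other layer-2 frame (e.g. on $EXT_IF) passes; filtering continues at layer 3.
    echo "add 500 allow all from any to any layer2"

    # Layer-3 pass. divert/tee do nothing on a layer-2 pass, so NAT lives here:
    # the MAC rules above only decide which frames live long enough to reach it.
    echo "add 1000 divert $DIVERT_PORT ip from any to any via $EXT_IF"
    # natd reinjects the translated packet at the rule after the divert. A private
    # source still present here means natd is not running; do not leak it outside.
    echo "add 1100 deny log ip from $INT_NET to any out xmit $EXT_IF"
    echo "add 1200 allow ip from any to any"
}

# Number of rules build_rules emits, for a quick sanity check.
rule_count() { build_rules | wc -l | tr -d ' '; }

apply_rules() {
    # Without this sysctl ipfw never sees Ethernet frames and layer2/MAC rules never match.
    sysctl net.link.ether.ipfw=1
    ipfw -q flush
    build_rules | while read -r rule; do
        ipfw -q $rule
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  build_rules ;;
esac
```

`sh macnat.sh show` prints the rules for review, `sh macnat.sh apply` loads them. Two points the layout depends on: a skipto taken on the layer-2 pass does not carry over to the layer-3 pass (each pass starts again at the first rule), so a MAC rule cannot jump to the divert rule; it can only let the frame through to the pass where the divert is evaluated. And a MAC address is whatever the client chooses to present, so this separates hosts administratively rather than authenticating them.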