Translate MAC address to IP address

Jon Simola jon at abccom.bc.ca
Mon Dec 8 15:02:32 PST 2003


On Mon, 8 Dec 2003, The Jetman wrote:

>     Mike:  Am I mistaken or can MAC-oriented IPFW2 rules be used alongside
> IP-oriented rules ?  I ask bec I setup a very simple script that would filter
> all but a couple of MAC addrs then fwd incoming IPs to an internal web
> site.  I *thought* I tried all of the reasonable combinations, but I TOO
> would like to know more about this.  That is, I can filter certain MAC addrs
> *OR* I can filter/forward certain IPs, but I can't do both in the same IPFW
> script.  Later....Jet

From my current ruleset:

00007 deny ip from any to any MAC 00:40:05:2f:03:40 any not mac-type 0x0800
00007 deny ip from any to any MAC any 00:40:05:2f:03:40 not mac-type 0x0800 // MAC conflicting with 208.181.67.113
00011 allow ip from any to any layer2 not mac-type 0x0800 // allow ARP
00017 deny ip from any to any MAC 00:40:05:2f:03:40 any
00017 deny ip from any to any MAC any 00:40:05:2f:03:40 // MAC conflicting with 208.181.67.113
00023 deny icmp from 208.181.67.238 to any // mass pings
00030 deny ip from 208.181.165.59 to any // request for cancelled customer
00030 deny ip from any to 208.181.165.59

I've also in the past used rules specifying both the IP and MAC to disable
customers using the wrong IP, but the MAC address filtering just shuts
down their machine entirely.

Rule 7 denies ARP through the bridge for that mac address, and rule 17
denies all other traffic. I have both so that customers can't poison ARP
caches (7), and to make the block happen instantaneously (17).

---
Jon Simola <jon at abccom.bc.ca> | "In the near future - corporate networks
    Systems Administrator     |  reach out to the stars, electrons and light
     ABC  Communications      |  flow throughout the universe." -- GITS

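As an added example that is not part of the post above, a small Python audit of an ipfw listing in the shape Jon shows: it parses the MAC rules and checks, for each blocked MAC, that the non-IP (ARP) deny is numbered before the general "allow ARP" rule and that an unconditional deny also exists, since ipfw stops at the first matching rule. The sample ruleset is constructed from the lines in the post; the dict field names are this example's own.

```python
import re

# Constructed sample ruleset, following the shape of the listing in the post.
RULESET = """\
00007 deny ip from any to any MAC 00:40:05:2f:03:40 any not mac-type 0x0800
00007 deny ip from any to any MAC any 00:40:05:2f:03:40 not mac-type 0x0800 // MAC conflicting with 208.181.67.113
00011 allow ip from any to any layer2 not mac-type 0x0800 // allow ARP
00017 deny ip from any to any MAC 00:40:05:2f:03:40 any
00017 deny ip from any to any MAC any 00:40:05:2f:03:40 // MAC conflicting with 208.181.67.113
00023 deny icmp from 208.181.67.238 to any // mass pings
"""
RULE_RE = re.compile(r"^(?P<num>\d+)\s+(?P<action>\w+)\s+(?P<body>.*?)(?:\s*//\s*(?P<comment>.*))?$")
MAC_RE = re.compile(r"\bMAC\s+(?P<dst>\S+)\s+(?P<src>\S+)")  # ipfw syntax: MAC dst-mac src-mac
MACTYPE_RE = re.compile(r"\b(?P<neg>not\s+)?mac-type\s+(?P<type>0x[0-9a-fA-F]+)")

def parse_rules(text):
    """Parse 'ipfw list' style lines into dicts; lines that do not parse are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        mac, mt = MAC_RE.search(body), MACTYPE_RE.search(body)
        rules.append({
            "num": int(m.group("num")),
            "action": m.group("action"),
            # Concrete addresses only; "any" is a wildcard, not an address.
            "macs": {a for a in mac.groups() if a != "any"} if mac else set(),
            "layer2_only": "layer2" in body.split(),
            # (ethertype, True) for 'mac-type X', (ethertype, False) for 'not mac-type X'.
            "mac_type": (mt.group("type").lower(), mt.group("neg") is None) if mt else None,
            "comment": m.group("comment") or "",
        })
    return rules

def audit_mac_blocks(rules):
    """Per denied MAC, check the pairing the post describes: a non-IP (ARP) deny numbered
    before the general 'allow ARP' rule, plus an unconditional deny (first match wins)."""
    arp_allow = min((r["num"] for r in rules if r["action"] == "allow"
                     and r["layer2_only"] and r["mac_type"] == ("0x0800", False)), default=None)
    findings = {}
    for mac in {m for r in rules if r["action"] == "deny" for m in r["macs"]}:
        mine = [r for r in rules if r["action"] == "deny" and mac in r["macs"]]
        arp_denies = [r["num"] for r in mine if r["mac_type"] == ("0x0800", False)]
        findings[mac] = {
            "arp_deny_before_arp_allow": bool(arp_denies) and (arp_allow is None or min(arp_denies) < arp_allow),
            "full_deny": any(r["mac_type"] is None for r in mine),
        }
    return findings
```

Feed it the output of `ipfw list` to get one finding per blocked MAC; a MAC whose ARP deny sits after the "allow ARP" rule, or that has no unconditional deny, is flagged False.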

