To control access by MAC address of ethernets
John Nielsen
lists at jnielsen.net
Mon Feb 14 20:46:46 PST 2005
On Monday 14 February 2005 09:34 am, vitadiazlistas wrote:
> Can somebody show me how ipfw2 works with regard to MAC addresses?
> Thanks
If you have net.link.ether.ipfw enabled, routed/natted packets can
potentially hit the firewall up to four times, and each case ought to be
considered (see the PACKET FLOW section of the ipfw manpage). You want a
pair of "layer2" rules (which may or may not include any IP addresses) and
a pair of "not layer2" rules (which will include IP but not MAC addresses).
I have a working setup that only allows traffic through from assigned MAC/IP
pairs on the network. Here are the basics:
Add to /etc/sysctl.conf:
net.link.ether.ipfw=1
net.inet.ip.fw.one_pass=0 # (note that I don't remember exactly why this
                          # was necessary for my setup, but it might be relevant)
Firewall rules:
[flush, pipe flush, etc]
add allow layer2 not mac-type ip # You need this or you will break ARP,
# among other things
[pipe / queue definitions if using dummynet]
[natd, localhost, etc]
# user list:
# (the "mac" option takes dst-mac first, then src-mac)
add allow layer2 src-ip 10.0.0.5 mac any 00:11:22:33:44:55  # frames sent by the host
add allow layer2 dst-ip 10.0.0.5 mac 00:11:22:33:44:55 any  # frames sent to the host
add allow all from 10.0.0.5 to any not layer2               # IP-layer pass for the same host
add allow all from any to 10.0.0.5 not layer2
# ... repeat the above four rules for each MAC/IP pair
Note that if you are using dummynet for IP traffic shaping then you probably
want to specify "not layer2" on any rule that adds packets to a pipe or
queue, or else packets might be inserted twice.
JN
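As an added example (not from the post above), the script below generates the per-host rule quartet John describes from a list of assigned MAC/IP pairs and prints the resulting ipfw(8) commands instead of applying them, so the ruleset can be reviewed before it is loaded. The host list, the final deny rule and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed host list (not from the post): "ip mac" per line.
HOSTS='10.0.0.5 00:11:22:33:44:55
10.0.0.6 00:11:22:33:44:66'

# Emit the four rules for one assigned MAC/IP pair.
# ipfw's "mac" option is "mac dst-mac src-mac", so the source-side rule
# pins the sending station's MAC and leaves the destination unconstrained.
pair_rules() {
    ip=$1
    mac=$2
    printf 'add allow layer2 src-ip %s mac any %s\n' "$ip" "$mac"
    printf 'add allow layer2 dst-ip %s mac %s any\n' "$ip" "$mac"
    printf 'add allow all from %s to any not layer2\n' "$ip"
    printf 'add allow all from any to %s not layer2\n' "$ip"
}

# Whole ruleset: non-IP frames first (required so ARP keeps working),
# then one quartet per host. The explicit trailing deny is an assumption;
# the kernel's default rule 65535 normally denies anyway.
ruleset() {
    echo 'add allow layer2 not mac-type ip'
    echo "$HOSTS" | while read -r ip mac; do
        if [ -n "$ip" ]; then
            pair_rules "$ip" "$mac"
        fi
    done
    echo 'add deny all from any to any'
}

# Number of rules in the generated set: 1 + 4 * hosts + 1.
rule_count() {
    ruleset | wc -l | tr -d ' '
}

# Print the rules; pipe into "ipfw -q /dev/stdin" (or a preprocessed
# rules file) only after reviewing them.
ruleset
```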