To control accesses by MAC address of ethernets [freebsd-ipfw Digest, Vol 99, Issue 2]
Yury Tarasievich
grog at grsu.by
Tue Feb 15 04:30:51 PST 2005
freebsd-ipfw-request at freebsd.org wrote:
> I have ipfw2 working very well, but I need to validate the accesses of the LAN by interval of the MAC of ethernets, and I have not been able to make this work.
>
> Can somebody show me how ipfw2 works with the subject of the MAC? Thanks
<...>
> My firewall
> ## rl0 NAT (LAN 1)
> ## ep1 connection internet
>
> ipfw -f flush
>
> ipfw add divert natd all from any to any via ep1
>
> ipfw add allow all from any to 192.168.1.56 MAC any 00:0d:88:ba:b9:40 via rl0
> (no packets added)
>
> ipfw add fwd 127.0.0.1,3128 tcp from 192.168.0.0/16 to not 192.168.0.0/16 80
>
> ipfw add pipe 78 tcp from any 80 to 192.168.0.0/16
>
> ipfw pipe 78 config mask src-ip 0x000000ff bw 80Kbit/s
As was already advised to you (but better structured, I hope :)
a) do ``sysctl net.link.ether.ipfw=1''
this enables ipfw to see layer2 packets at all
b) you may or may not want to do ``ipfw disable one_pass''
if done, this enables a packet to travel through several "accepting" rules
like "pipe" or "queue" etc. After going to a pipe, the packet gets reinjected.
c) explicitly qualify everything using the ``MAC'' argument with the ``layer2'' argument
d) allow passing of the ARP broadcasts, selecting them either with the
advised directive or with ``dst-addr 0xffffffff''
I understand you aren't using bridging. Then this should suffice.
--regards
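As an added example (not part of the reply above or of the quoted firewall), a POSIX sh script that prints a ruleset following steps a) to d), with every MAC rule qualified by layer2 and ARP admitted first. The interface rl0, the host 192.168.1.56 and the MAC 00:0d:88:ba:b9:40 come from the quoted mail; the second host, the rule numbers and selecting ARP with mac-type arp are assumptions.

```sh
#!/bin/sh
# Added example: print an ipfw ruleset implementing steps a)-d).
# Review the output, then feed it to sh on the gateway.
# Assumptions: rl0 is the LAN side; only the listed ip/mac pairs may send
# frames into rl0; ARP is matched with "mac-type arp" (ipfw2 keyword).

# Constructed whitelist, one "ip mac" pair per line. The first pair is
# from the quoted mail, the second is made up for the example.
WHITELIST='192.168.1.56 00:0d:88:ba:b9:40
192.168.1.57 00:11:22:33:44:55'

# one_host_rule IP MAC: layer2 rule admitting frames sent by MAC with IP as
# source. Syntax is "MAC dst-mac src-mac"; "layer2" keeps the rule out of the
# later layer3 pass and "in via rl0" limits it to frames arriving from the LAN.
one_host_rule() {
    printf 'ipfw add 300 allow ip from %s to any MAC any %s layer2 in via rl0\n' "$1" "$2"
}

build_ruleset() {
    # a) let ipfw see ethernet frames at all
    echo 'sysctl net.link.ether.ipfw=1'
    # b) optional: let a packet keep traversing rules after a pipe/queue
    echo 'ipfw disable one_pass'
    # d) ARP must pass, otherwise no LAN host can resolve the gateway
    echo 'ipfw add 100 allow ip from any to any layer2 mac-type arp'
    # c) every MAC rule carries the layer2 qualifier
    echo "$WHITELIST" | while read -r ip mac; do
        one_host_rule "$ip" "$mac"
    done
    # frames arriving on rl0 from an unlisted pair stop here
    echo 'ipfw add 400 deny ip from any to any layer2 in via rl0'
    # remaining layer2 traffic (outbound frames, other interfaces) is accepted,
    # so the existing layer3 rules (divert natd, fwd, pipe) only see the
    # layer3 pass of each packet
    echo 'ipfw add 500 allow ip from any to any layer2'
}

build_ruleset
```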