ipfw + MAC nothing happens?
Christian Hiris
4711 at chello.at
Sat Jan 8 06:43:28 PST 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Saturday 08 January 2005 14:20, heath, Chia Hui Chen wrote:
> Hello,
> I use FreeBSD 5.2.1 as NAT.
> I wanna limit the 443 port of a computer based on MAC address.
> So I use ipfw.
> # ipfw add 500 deny tcp from any to any 443 MAC any 00:e0:18:62:xx:xx
> But nothing happens, can anybody tell me why?
Did you set 'sysctl net.link.ether.ipfw=1'? And you mix up layer-2 and layer-3
filtering in your rule (read paragraph "PACKET FLOW" in 'man ipfw'). I think
you need to do some magic with skipto rules to make this work:
ipfw add 500 skipto 1000 MAC any 00:e0:18:62:xx:xx
ipfw add 600 skipto 2000 MAC any any
# target of rule 500
ipfw add 1000 deny tcp from any to any 443
# target of rule 600
ipfw add 2000 ... [continue with your normal rules here]
It's only an idea how your problem could be solved, I never tested this.
Cheers,
ch
- --
Christian Hiris <4711 at chello.at> | OpenPGP KeyID 0x3BCA53BE
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)
iD8DBQFB3/GM09WjGjvKU74RAtdgAJwPDu/r9mHU3UvosOub+Ayj7OS07gCfbx1v
l0UKt60Joj+ctj2pZzmPxB4=
=0rg0
-----END PGP SIGNATURE-----
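The skipto layout sketched in the reply, written out as a small shell script so the ruleset can be reviewed before it is loaded. This is an added example, not rules from the original post or from the FreeBSD project. It assumes FreeBSD 5.x ipfw2 syntax and that net.link.ether.ipfw=1 is set, since the MAC header is only visible on the layer-2 pass. One design choice differs from the sketch and is an assumption on my part: MAC matching only succeeds when an Ethernet header is present, so rule 600 here skips unconditionally (all from any to any) instead of with MAC any any; that way the layer-3 pass of the same packet, which carries no Ethernet header, also jumps over the deny at 1000 instead of falling through to it. The MAC address and port are placeholders, and the address in the usage call at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not the list post's own rules. Assumes FreeBSD 5.x ipfw2
# syntax; the MAC and port values are placeholders to replace for real use.

# Run a command, or just print it when IPFW_DRY_RUN=1 (the default here), so
# the generated ruleset can be checked before it touches a live firewall.
run() {
    if [ "${IPFW_DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a well-formed colon-separated MAC (six hex octets). A typo or a
# leftover placeholder such as 00:e0:18:62:xx:xx would otherwise produce a
# rule that silently never matches, which looks exactly like "nothing happens".
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Emit the ruleset that denies TCP port $2 to the host whose MAC is $1.
# Layout follows the reply: a MAC match at layer 2 jumps to the deny rule,
# everything else jumps over it to the normal rules starting at 2000.
build_mac_block() {
    mac="$1"
    port="$2"
    valid_mac "$mac" || { echo "bad MAC address: $mac" >&2; return 1; }
    # Without this sysctl ipfw never sees Ethernet frames and MAC rules are dead.
    run sysctl net.link.ether.ipfw=1
    # Frames whose source MAC is the target host go to the deny rule.
    run ipfw add 500 skipto 1000 MAC any "$mac"
    # Everything else skips the deny. This is unconditional on purpose: the
    # layer-3 pass of the same packets has no Ethernet header, so a rule
    # written as "MAC any any" would not match it and it would fall into 1000.
    run ipfw add 600 skipto 2000 all from any to any
    # Target of rule 500.
    run ipfw add 1000 deny tcp from any to any "$port"
    # Target of rule 600: the normal rules continue here. With layer-2 filtering
    # on they must also pass the non-IP frames (ARP) that now traverse ipfw.
    # Placeholder only: a real ruleset replaces this with its own policy.
    run ipfw add 2000 allow all from any to any
}

# Usage: MAC and PORT are constructed placeholders; override them from the
# environment. Set IPFW_DRY_RUN=0 to actually load the rules.
build_mac_block "${MAC:-00:11:22:33:44:55}" "${PORT:-443}"
```

Run it as-is to print the generated commands, then rerun with IPFW_DRY_RUN=0 once the output looks right. The validity check on the MAC is deliberate: a rule carrying a malformed or placeholder address is accepted by the parser in some forms yet never matches, so the firewall appears to ignore it.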