rules to permit only few MAC address
vita gmail
vitadiaz at gmail.com
Tue Jul 5 22:19:47 GMT 2005
Excuse me, I am very interested in learning how to allow and deny MACs on
my network, where I have a LAN and a WLAN, so that I can solve the problem
of unauthorized access.
What has been written so far does not clear up my doubts about being able
to control access by MAC; could you explain the subject a little more,
since after that I have to build the firewall.
In one answer from Robert Klein it appears that control by MAC is done
from layer 2, and in the other mail layer 3 does not appear.
The example is useful, but I still do not manage to understand how to
build the firewall with that data.
Thanks in advance to all.
Excuse my English; it is from a translator.
vladone wrote:
> Hello Jon,
>
> Tuesday, July 5, 2005, 9:18:20 PM, you wrote:
>
>> On 7/5/05, vladone <vladone at llwb135.servidoresdns.net> wrote:
>>
>>> I want to permit only few MAC address to pass on my gateway.
>>
>> MAC filtering is done at layer 2, so you need to allow ipfw access to
>> the layer 2 packets via
>>
>> sysctl -w net.link.ether.ipfw=1
>>
>> And you may desire rules to only allow arp from certain machines, like:
>>
>> allow ip from any to any mac-type 0x0806 MAC any 00:11:22:33:44:55 in recv fxp1 layer2
>>
>> And traffic, like:
>>
>> allow ip from any to any MAC any 00:11:22:33:44:55 in recv fxp1 layer2
>>
>> Because you're going to have packets traversing ipfw up to 4 times
>> (layer2 in, layer3 in, layer3 out, layer2 out) you might want to split
>> your firewall rules for efficiency, something like:
>>
>> 50 skipto 10000 ip from any to any in recv fxp1 not layer2 // ip traffic inbound fxp1
>> 60 skipto 12000 ip from any to any in recv fxp0 not layer2 // ip traffic inbound fxp0
>> 70 skipto 14000 ip from any to any in recv fxp1 layer2 // ether traffic inbound fxp1
>> 80 skipto 16000 ip from any to any in recv fxp0 layer2 // ether traffic inbound fxp0
>>
>> I've done similar things in the past. Hopefully this gives you some ideas.
>
> Thanks! Now it seems to be ok. But I don't know how mac-type works. I
> see different addresses passed as a parameter, like: mac-type 0x809b or mac-type 0x80f3 or mac-type 0x0023 ....
>
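As an added example (not code from this thread or from the ipfw project), the following script prints the complete ruleset that Jon's reply only sketches: the layer-2 and layer-3 skipto dispatch, a per-MAC whitelist section on the inside interface, and a deny at the end of that section. It keeps the interface names fxp0 (upstream) and fxp1 (LAN/WLAN) from the thread; the MAC addresses, the rule numbers and the placeholder rules for the upstream interface are assumptions made for the example. It only prints the commands, so it can be reviewed before it is piped to a shell on the gateway.

```shell
#!/bin/sh
# Added example, not from the thread: print an ipfw ruleset that admits only
# a whitelist of source MAC addresses on the inside (LAN/WLAN) interface,
# using layer2 matching plus the skipto dispatch from Jon's reply.
# Interface names, rule numbers and MAC addresses are assumptions.
# Usage:   sh mac-rules.sh          # preview the commands
#          sh mac-rules.sh | sh     # apply them as root on the gateway

INSIDE=fxp1    # LAN/WLAN interface where the clients live (assumed name)
OUTSIDE=fxp0   # upstream interface (assumed name)
# Made-up MAC addresses of the stations allowed through the gateway.
ALLOWED_MACS="00:11:22:33:44:55 00:11:22:33:44:66"

# Print the ruleset for the given inside/outside interfaces and MAC list.
# Kept as a function so the output can be inspected or tested without ipfw.
gen_rules() {
    inside=$1; outside=$2; macs=$3
    echo "sysctl net.link.ether.ipfw=1"    # let ipfw see layer 2 frames
    echo "ipfw -f flush"
    echo "ipfw add 40 allow ip from any to any via lo0"
    # Dispatch: each frame visits ipfw up to four times (layer2 in, layer3 in,
    # layer3 out, layer2 out), so send each inbound pass to its own section.
    echo "ipfw add 50 skipto 10000 ip from any to any in recv $inside not layer2"
    echo "ipfw add 60 skipto 12000 ip from any to any in recv $outside not layer2"
    echo "ipfw add 70 skipto 14000 ip from any to any in recv $inside layer2"
    echo "ipfw add 80 skipto 16000 ip from any to any in recv $outside layer2"
    # Outbound passes (layer3 out and layer2 out) are not filtered in this example.
    echo "ipfw add 90 allow ip from any to any out"
    # 10000: IP inbound on the inside interface; the MAC check already ran at layer 2.
    echo "ipfw add 10000 allow ip from any to any in recv $inside"
    # 12000: IP inbound from upstream; placeholder for the usual stateful rules.
    echo "ipfw add 12000 allow tcp from any to any established"
    echo "ipfw add 12999 deny ip from any to any in recv $outside"
    # 14000: layer 2 inbound on the inside interface, the MAC whitelist.
    # 'MAC dst src': any destination, the allowed station as source.
    # Only ARP (ethertype 0x0806) and IPv4 (0x0800) are accepted from each
    # station; any other ethertype from it falls through to the deny below.
    for mac in $macs; do
        echo "ipfw add 14000 allow ip from any to any mac-type 0x0806 MAC any $mac in recv $inside layer2"
        echo "ipfw add 14010 allow ip from any to any mac-type 0x0800 MAC any $mac in recv $inside layer2"
    done
    echo "ipfw add 14999 deny ip from any to any in recv $inside layer2"
    # 16000: layer 2 inbound from upstream; no MAC policy there, hand it to layer 3.
    echo "ipfw add 16000 allow ip from any to any in recv $outside layer2"
}

gen_rules "$INSIDE" "$OUTSIDE" "$ALLOWED_MACS"
```

The mac-type option matches the Ethernet type field of the frame, which is what the values in the quoted reply are: 0x0800 is IPv4, 0x0806 is ARP, 0x86dd is IPv6, 0x809b is AppleTalk and 0x80f3 is AppleTalk ARP. Two caveats for anyone deploying this: a source MAC address is trivially forged, so a MAC whitelist only keeps casual devices off the network and is not a substitute for authentication on the WLAN (WPA) or on the wire; and because the 14000 section denies every frame from an unlisted station, including ARP, a host with a typo in its MAC entry will simply not appear on the network, which is the first thing to check when a client cannot reach the gateway.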
More information about the freebsd-ipfw mailing list