ipfw with nat - allowing by MAC address
Patrick Tracanelli
eksffa at freebsdbrasil.com.br
Tue Apr 24 18:27:55 UTC 2007
Lubomir Georgiev wrote:
> OK, so let's get started. Here's my ruleset -
>
> 00300 131732 19262748 skipto 1200 ip from any to any { MAC any 00:19:d2:36:b8:48 or MAC 00:19:d2:36:b8:48 any } layer2
Good. I have never used it this way and I am not sure whether it will work.
First, try using two rules, one per flow:
ipfw add 300 skipto 1200 ip from any to any MAC 00:19:d2:36:b8:48 any layer2
ipfw add 301 skipto 1200 ip from any to any MAC any 00:19:d2:36:b8:48 layer2
Later, you can try putting both flows in a single rule. I am not sure whether
both flows aren't checked together so that the rule matches only once, since
the layer2 MAC filter happens as it happens on the wire.
> 00500 4723 1941536 skipto 1400 ip from any to any layer2
> 01203 68479 8449298 divert 8668 ip from 192.168.1.0/24 to any out via fxp0
> 01205 71215 16745674 divert 8668 ip from any to me in via fxp0
> *01250 410160 534966441 queue 1 ip from any to any src-port 80 via fxp0
> *01251 143290 14139299 queue 1 ip from any to any dst-port 80 via fxp0
> *01300 2711668 1462734503 queue 2 ip from any to any not src-port 80 via fxp0
> 01400 12581325 6691776490 allow ip from any to any
Seems almost OK here; please add "not layer2" to the dummynet rules, otherwise
you will have your bandwidth controlled twice.
> I've marked the dummynet rules with an asterisk. I'm using Patrick's ruleset
> - since I'm only allowing internet access for a single machine I've combined
> his first two rules into one. My internal network is 192.168.1.0/24 and my
> external iface is fxp0. What I'm experiencing right now as I'm using this
> set is this - I have internet on this machine I desired /OK/ and on all
> others with ip 192.168.1.X /not OK, obviously :)/ regardless of MAC. For me,
> the rules that concern layer2 don't do what they're supposed to and thus
> the traffic reaches rule 1203 and 1205 and onward. Interestingly enough
> traffic does hit the first and second rule. Here's my uname -
>
> FreeBSD bogoqho.com 6.1-RELEASE FreeBSD 6.1-RELEASE #1: Sun Apr 8 10:54:10 EEST 2007 tldstyl3 at bogoqho.com:/usr/src/sys/i386/compile/bogoqho i386
>
> And my sysctl -
>
> bogoqho# sysctl -a | egrep "one_pass\|ether"
> If there's anything that would help you - just say the word... Let's
> brainstorm :)
>
sysctl -a | egrep "one_pass|ether"; my fault, \| is only needed for grep,
not egrep.
Just make sure that net.link.ether.ipfw=1 and net.inet.ip.fw.one_pass=1.
--
Patrick Tracanelli
FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
316601 at sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
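As an added example (not part of the thread, and not Patrick's or Lubomir's code), the following POSIX sh script turns the two points of the reply into a check that can be run against an "ipfw show" listing: it flags dummynet rules that lack "not layer2" and MAC rules that fold both directions into one "{ ... or ... }" block, checks a "sysctl -a" dump for net.link.ether.ipfw and net.inet.ip.fw.one_pass, and prints the posted ruleset rewritten the way the reply suggests (rules 300/301 split per flow, "not layer2" on 1250/1251/1300). The listing and sysctl output embedded in it are constructed from the numbers quoted in the thread; the rule numbers, MAC address, interface and subnet are the ones posted, and the sysctl values in the sample are assumed. Nothing here calls ipfw(8) or sysctl(8), so it runs on any machine with sh and awk.

```shell
#!/bin/sh
# Added example, not from the thread. A small lint for the ruleset discussed
# above, written for POSIX sh (awk does the parsing). It reads an "ipfw show"
# style listing (number, packets, bytes, rule body) or "ipfw add N ..." lines;
# in both layouts the action word is the fourth field.

# Constructed sample: the poster's listing, as quoted in the thread.
SAMPLE_RULES='00300 131732 19262748 skipto 1200 ip from any to any { MAC any 00:19:d2:36:b8:48 or MAC 00:19:d2:36:b8:48 any } layer2
00500 4723 1941536 skipto 1400 ip from any to any layer2
01203 68479 8449298 divert 8668 ip from 192.168.1.0/24 to any out via fxp0
01205 71215 16745674 divert 8668 ip from any to me in via fxp0
01250 410160 534966441 queue 1 ip from any to any src-port 80 via fxp0
01251 143290 14139299 queue 1 ip from any to any dst-port 80 via fxp0
01300 2711668 1462734503 queue 2 ip from any to any not src-port 80 via fxp0
01400 12581325 6691776490 allow ip from any to any'

# Constructed sample of "sysctl -a | egrep 'one_pass|ether'" on a host where
# layer2 filtering has not been switched on yet (values assumed).
SAMPLE_SYSCTL='net.inet.ip.fw.one_pass: 1
net.link.ether.ipfw: 0
net.link.ether.inet.log_arp_wrong_iface: 1'

# Rule number of a listing line: first field for "ipfw show" output,
# third field for an "ipfw add N ..." command.
AWK_RULENUM='function rulenum() { return ($1 == "ipfw") ? $3 : $1 }'

# Dummynet rules (queue/pipe action) without "not layer2". With
# net.link.ether.ipfw=1 such a rule is evaluated on the layer2 pass and again
# on the layer3 pass, so the same packet is shaped twice. Reads stdin.
dummynet_without_not_layer2() {
    awk "$AWK_RULENUM"'
        ($4 == "queue" || $4 == "pipe") && $0 !~ /not layer2/ { print rulenum() }'
}

# Layer2 MAC rules that fold both directions into one "{ ... or ... }" block;
# the reply suggests one rule per flow instead. Reads stdin.
combined_mac_rules() {
    awk "$AWK_RULENUM"'
        /layer2/ && /[{].*MAC.*or.*MAC.*[}]/ { print rulenum() }'
}

# Names of the two sysctls the reply asks about that are not set to 1.
# Reads "name: value" lines on stdin.
sysctl_not_enabled() {
    awk -F: '
        ($1 == "net.link.ether.ipfw" || $1 == "net.inet.ip.fw.one_pass") {
            gsub(/ /, "", $2); if ($2 != "1") print $1
        }'
}

# The posted ruleset rewritten as the reply suggests: one layer2 rule per flow
# and "not layer2" on each dummynet rule; everything else as posted.
corrected_ruleset() {
    cat <<'EOF'
ipfw add 300 skipto 1200 ip from any to any MAC 00:19:d2:36:b8:48 any layer2
ipfw add 301 skipto 1200 ip from any to any MAC any 00:19:d2:36:b8:48 layer2
ipfw add 500 skipto 1400 ip from any to any layer2
ipfw add 1203 divert 8668 ip from 192.168.1.0/24 to any out via fxp0
ipfw add 1205 divert 8668 ip from any to me in via fxp0
ipfw add 1250 queue 1 ip from any to any src-port 80 via fxp0 not layer2
ipfw add 1251 queue 1 ip from any to any dst-port 80 via fxp0 not layer2
ipfw add 1300 queue 2 ip from any to any not src-port 80 via fxp0 not layer2
ipfw add 1400 allow ip from any to any
EOF
}

# Report on the constructed samples when run directly.
printf 'dummynet rules without "not layer2": %s\n' \
    "$(printf '%s\n' "$SAMPLE_RULES" | dummynet_without_not_layer2 | tr '\n' ' ')"
printf 'MAC rules combining both directions: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RULES" | combined_mac_rules | tr '\n' ' ')"
printf 'sysctls not set to 1: %s\n' \
    "$(printf '%s\n' "$SAMPLE_SYSCTL" | sysctl_not_enabled | tr '\n' ' ')"
```

On a real box the same functions take live input, e.g. "ipfw show | dummynet_without_not_layer2" and "sysctl -a | sysctl_not_enabled"; "corrected_ruleset | sh" would load the rewritten rules, after flushing the old ones.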