problem with mac option on ipfw rule
Ian Smith
smithi at nimnet.asn.au
Sun Aug 5 16:24:55 UTC 2012
On Sun, 5 Aug 2012 13:40:21 +0430, h bagade wrote:
> Hi all,
>
> I have a problem with setting the mac option on an ipfw rule. I want to drop all
> traffic but the traffic with source mac for example 11:22:33:44:55:66. I
> thought it would be possible using the not option to do the work and I have
> a set of rules like this:
>
> ipfw -q add 500 set 6 skipto 501 from any to any { not mac any 11:22:33:44:55:66}
> ipfw -q add 501 set 6 drop altq test all from any to any
> ipfw -q add 500 set 6 allow all from any to any
>
> I expect it to drop traffic whose src mac is not 11:22:33:44:55:66, but it
> doesn't work! I've checked it for traffic with and without
> src-mac 11:22:33:44:55:66 and all of it is dropped!
>
> Could anyone tell me what's wrong with my understanding?
Read section 'PACKET FLOW' in ipfw(8) carefully. Apart from the need to
separate out layer 3 packets before testing layer 2 headers against MAC
addresses, it specifically warns about what 'not' means in that context.
Also check net.link.ether.ipfw in the SYSCTL VARIABLES section; without
that set you won't see, and so can't test, layer 2 packets at all.
cheers, Ian
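The ruleset below is an added example and is not part of the thread above or of any FreeBSD project script. It applies the two points from the reply: enable net.link.ether.ipfw so ipfw is invoked on the layer 2 path at all, and hand layer 3 packets (which carry no MAC header, so "not mac ..." would match every one of them) to a separate block of rules before any MAC test is reached, exactly as the skipto example in ipfw(8) PACKET FLOW does. The allowed source MAC 11:22:33:44:55:66 and set 6 come from the question; the rule numbers, the jump target 1000, the extra rule passing the host's own outbound frames, and the DRY_RUN switch are this example's own choices, and the altq queue from the original rule is left out.

```shell
#!/bin/sh
# Added example (not from the thread): keep only inbound layer 2 frames whose
# source MAC is the allowed one, built the way ipfw(8) PACKET FLOW advises:
# split layer 3 packets off first, then test MAC addresses only on frames
# that really have a MAC header. Rule numbers, set 6 and the 1000 jump
# target are assumptions of this example. DRY_RUN=1 prints the commands
# instead of running them.

ALLOWED_SRC_MAC="${ALLOWED_SRC_MAC:-11:22:33:44:55:66}"
RULESET=6       # ipfw rule set used in the question
L3_RULES=1000   # where the layer 3 (IP) policy starts

# Run a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

install_rules() {
    # Without this sysctl ipfw is never called from ether_demux/
    # ether_output_frame, so no rule can see a MAC header, with or
    # without "not".
    run sysctl net.link.ether.ipfw=1

    # Start from an empty set so reruns do not stack duplicate rules.
    run ipfw -q delete set "$RULESET"

    # Packets from ip_input/ip_output carry no MAC header, so "not mac ..."
    # would match all of them. Send them to the IP policy before any MAC
    # test is reached.
    run ipfw -q add 500 set "$RULESET" skipto "$L3_RULES" all from any to any not layer2

    # Frames this host sends itself carry its own source MAC and would
    # otherwise be dropped by the catch-all below.
    run ipfw -q add 505 set "$RULESET" allow all from any to any layer2 out

    # mac <dst-mac> <src-mac>: "any" is the destination, the allowed address
    # is the source. Only frames with a real MAC header get this far.
    run ipfw -q add 510 set "$RULESET" allow all from any to any layer2 in \
        mac any "$ALLOWED_SRC_MAC"

    # Every other inbound layer 2 frame is dropped.
    run ipfw -q add 520 set "$RULESET" deny all from any to any layer2 in

    # Layer 3 policy: allow everything here; tighten as required.
    run ipfw -q add "$L3_RULES" set "$RULESET" allow all from any to any
}

# Self-check on the dry-run output: returns 0 only if the skipto that
# diverts non-layer2 packets comes before the rule that tests a MAC
# address, i.e. the ordering ipfw(8) warns about is respected.
check_order() {
    DRY_RUN=1 install_rules | awk '
        /skipto/ && /not layer2/ { skip = NR }
        / mac /                  { mac  = NR }
        END { exit !(skip && mac && skip < mac) }'
}

case "${1:-}" in
    install) install_rules ;;           # needs root on a FreeBSD host
    *)       DRY_RUN=1 install_rules ;; # default: print what would be loaded
esac
```

Run it without arguments to see the commands it would issue; run it as `sh mac-filter.sh install` as root on the FreeBSD host to load them. Rule 505 matters in practice: outbound frames also pass through ipfw at layer 2 once net.link.ether.ipfw is set, and their source MAC is the host's own, so without that rule the catch-all at 520 would cut the machine off.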