ipfw: ALLOWing by mac address

Andrew P. infofarmer at gmail.com
Wed Oct 5 07:10:51 PDT 2005


On 10/5/05, Foo Ji-Haw <jhfoo at nexlabs.com> wrote:
> Hello all,
>
> I'd like your feedback on a problem I have with allowing access through the ipfw firewall via mac addresses.
>
> Andrew has a good point on mac address spoofing. I agree with him on the security concern, but for the situation that I am setting up, that's ok. But I really need to open the firewall via mac address.
>
> Let me detail my setup:
> dc0 is the interface to the Internet
> vr0 is the interface to the managed network
>
> I tried to read up on ipfw rules on mac, and I got something like this:
> allow ip from any to any MAC any 00:90:d1:00:80:00/33
>
> It does not work of course, but ipfw accepted the command. Basically I need the client with the mac address to be able to go past the firewall in totality.
>
> Can anyone enlighten me on the correct format? Thanks in advance.

Thanks for the credit :-)

See "man ipfw", particularly the PACKET FLOW section.

Try this:

allow ip from any to any layer2 out MAC any 00:90:d1:00:80:00/33
allow ip from any to any layer2 in MAC 00:90:d1:00:80:00/33 any
allow ip from any to any layer2 via <trusted-if>
deny ip from any to any layer2
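
The following is an added example, not code from this thread or from FreeBSD: a small Python model of how ipfw evaluates the four rules above against Ethernet frames, so the /33 mask and the dst-then-src order of the MAC keyword can be checked before the rules go into a live ruleset. It assumes the ipfw(8) semantics that "MAC dst-mac src-mac" lists the destination first, that "/bits" counts significant leading bits, that "in"/"out" match frame direction and "via" matches either direction on an interface; the placeholder "<trusted-if>" is filled in with the constructed interface name "trusted0", and the test frames are constructed for the example.

```python
"""Model of ipfw layer2 MAC matching for the four rules in the reply.

Added example (not code from the thread or from FreeBSD). Assumptions:
 - 'MAC dst-mac src-mac' lists the destination address first (ipfw(8));
 - '/bits' masks the leading 'bits' bits of the 48-bit address;
 - 'in'/'out' match the frame direction, 'via <if>' matches either
   direction on that interface;
 - 'ip', 'from any to any' and 'layer2' add no condition here, since
   every object evaluated is already an Ethernet frame.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MacSpec = Optional[Tuple[int, int]]  # (48-bit value, significant bits); None means 'any'


def parse_mac(text: str) -> MacSpec:
    """Parse 'xx:xx:xx:xx:xx:xx[/bits]' into (value, bits); 'any' -> None."""
    if text == "any":
        return None
    addr, _, bits = text.partition("/")
    octets = addr.split(":")
    if len(octets) != 6:
        raise ValueError(f"malformed MAC address: {text!r}")
    value = 0
    for octet in octets:
        value = (value << 8) | int(octet, 16)
    prefix = int(bits) if bits else 48
    if not 0 <= prefix <= 48:
        raise ValueError(f"prefix length out of range: {text!r}")
    return value, prefix


def mac_matches(spec: MacSpec, mac: str) -> bool:
    """True when the frame address equals the rule address under its mask."""
    if spec is None:
        return True
    value, prefix = spec
    mask = ((1 << prefix) - 1) << (48 - prefix)  # leading 'prefix' bits set
    frame_value, _ = parse_mac(mac)
    return (frame_value & mask) == (value & mask)


@dataclass
class Frame:
    direction: str   # 'in' or 'out'
    interface: str   # interface the frame is seen on
    src_mac: str
    dst_mac: str


@dataclass
class Rule:
    action: str                      # 'allow' or 'deny'
    direction: Optional[str] = None  # 'in', 'out' or None (either)
    via: Optional[str] = None        # interface name or None (any)
    dst_mac: MacSpec = None
    src_mac: MacSpec = None

    def matches(self, frame: Frame) -> bool:
        if self.direction is not None and self.direction != frame.direction:
            return False
        if self.via is not None and self.via != frame.interface:
            return False
        return mac_matches(self.dst_mac, frame.dst_mac) and mac_matches(self.src_mac, frame.src_mac)


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipfw syntax used in the reply (keywords in any order)."""
    words = text.split()
    rule = Rule(action=words[0])
    i = 1
    while i < len(words):
        word = words[i]
        if word in ("in", "out"):
            rule.direction = word
        elif word == "via":
            i += 1
            rule.via = words[i]
        elif word == "MAC":                       # MAC <dst> <src>
            rule.dst_mac = parse_mac(words[i + 1])
            rule.src_mac = parse_mac(words[i + 2])
            i += 2
        i += 1                                    # other keywords: no condition in this model
    return rule


def evaluate(rules: List[Rule], frame: Frame) -> str:
    """Action of the first matching rule; 'deny' if none matches (ipfw's
    default rule 65535 denies unless the kernel was built to accept)."""
    for rule in rules:
        if rule.matches(frame):
            return rule.action
    return "deny"


# The four rules from the reply, '<trusted-if>' replaced by the constructed name 'trusted0'.
THREAD_RULES = [parse_rule(r) for r in (
    "allow ip from any to any layer2 out MAC any 00:90:d1:00:80:00/33",
    "allow ip from any to any layer2 in MAC 00:90:d1:00:80:00/33 any",
    "allow ip from any to any layer2 via trusted0",
    "deny ip from any to any layer2",
)]

# Constructed sample frames (dc0 is the Internet side from the question).
SAMPLE_FRAMES = {
    "in, dst inside /33 range": Frame("in", "dc0", "00:11:22:33:44:55", "00:90:d1:00:c3:21"),
    "in, dst just below range": Frame("in", "dc0", "00:11:22:33:44:55", "00:90:d1:00:7f:ff"),
    "out, src is the client":   Frame("out", "dc0", "00:90:d1:00:80:00", "ff:ff:ff:ff:ff:ff"),
    "anything on trusted0":     Frame("in", "trusted0", "de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff"),
}


def decide_all(rules: List[Rule] = THREAD_RULES, frames=SAMPLE_FRAMES) -> dict:
    """Map each sample label to the action the ruleset takes."""
    return {label: evaluate(rules, frame) for label, frame in frames.items()}


if __name__ == "__main__":
    for label, action in decide_all().items():
        print(f"{label:28s} -> {action}")
```

One point the model makes visible: /33 on 00:90:d1:00:80:00 keeps only the top bit of the fifth octet, so every address from 00:90:d1:00:80:00 through 00:90:d1:00:ff:ff matches the rule, not just the one client. Remember also that ipfw(8) only sees Ethernet frames at all when net.link.ether.ipfw is set to 1; with it at 0, layer2 rules never match anything.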

