IPFW with MAC address configuration
smithi at nimnet.asn.au
Sun Aug 1 05:57:57 UTC 2010
In freebsd-questions Digest, Vol 321, Issue 12, Message: 31
On Fri, 30 Jul 2010 07:18:40 -0400 Carmel <carmel_ny at hotmail.com> wrote:
> I am trying to set up a rule using IPFW that utilizes a MAC address
> rather than an IP one.
> ipfw -q allow log tcp from MAC 00-14-A4-43-8E-BA to me 137 in via nfe0 setup keep-state
> Would that work, assuming the machine I want to allow access has that
> MAC address?
It's not quite that simple. If you need to examine MAC addresses or
anything else at layer 2 you first have to set net.link.ether.ipfw=1
"Controls whether layer-2 packets are passed to ipfw. Default is no."
Then you'll see all packets from ether_demux and ether_output_frame as
well as the usual layer 3 packets (i.e. after layer 2 headers are removed)
from ip_input and ip_output. Read the PACKET FLOW section in ipfw(8)
for what you need to do to first separate layer2 and layer3 packets, as
testing for layer2 options like MAC obviously fails on layer3 packets.
Even after separating out the layer2 flows I'm not sure whether you can
use keep-state with such rules. And anyway, port 137 (netbios-ns) is a
UDP service, not TCP. Is this to do with Samba, or what?
Please cc me on any reply; I'm subscribed to questions as a -digest
which can take half a day, and the threading gets mangled.
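As an added illustration of the separation described above (this is not a ruleset from the original thread or from any poster), the script below builds an ipfw ruleset in which the MAC test sits only in rules tagged `layer2`, so the layer 3 copy of each packet, which no longer carries an Ethernet header, is never evaluated against a MAC option. It uses UDP 137 rather than TCP, normalises the dashed MAC from the question into the colon form ipfw(8) expects, and keeps `keep-state` on the layer 3 rules only, since the reply does not vouch for state tracking on layer 2 rules. The interface name nfe0, the MAC address, the rule numbers and the FWCMD/SYSCTL overrides (which default to `echo` so the output can be reviewed without a FreeBSD box) are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: keep ipfw's layer-2 and
# layer-3 passes apart so a MAC test only ever runs on real frames.
# Interface, MAC, rule numbers and the FWCMD/SYSCTL defaults are assumptions.

# Where rules go. The default only prints them; set FWCMD="ipfw -q" and
# SYSCTL=sysctl on a FreeBSD host (as root) to apply them for real.
FWCMD="${FWCMD:-echo ipfw -q}"
SYSCTL="${SYSCTL:-echo sysctl}"

# ipfw(8) writes MAC addresses as six colon-separated hex octets; the
# question used dashes. Lower-case, swap separators, then validate.
normalize_mac() {
    H='[0-9a-f][0-9a-f]'
    mac=$(printf '%s' "$1" | sed 's/-/:/g; y/ABCDEF/abcdef/')
    case "$mac" in
        $H:$H:$H:$H:$H:$H) printf '%s\n' "$mac" ;;
        *) return 1 ;;
    esac
}

# Emit rule bodies (without the leading "ipfw") for one trusted MAC.
# Rules carrying "layer2" see only frames from ether_demux/ether_output_frame;
# everything after them sees only the layer-3 copy from ip_input/ip_output.
build_mac_rules() {
    iface="$1"
    mac=$(normalize_mac "$2") || { echo "bad MAC: $2" >&2; return 1; }
    cat <<EOF
add 100 allow udp from any to me 137 in via $iface layer2 MAC any $mac
add 110 deny udp from any to any 137 in via $iface layer2
add 120 allow all from any to any layer2
add 200 allow ip from any to any via lo0
add 210 check-state
add 220 allow udp from any to me 137 in via $iface
add 230 allow tcp from me to any out via $iface setup keep-state
add 65000 deny log ip from any to any
EOF
}

# Turn on layer-2 filtering first, then load the rules in order.
apply_rules() {
    $SYSCTL net.link.ether.ipfw=1
    build_mac_rules "$@" | while read -r line; do
        $FWCMD $line
    done
}

apply_rules nfe0 00-14-A4-43-8E-BA
```

Rule 100 admits netbios-ns datagrams only from the trusted source MAC, rule 110 drops any other inbound port 137 frame on that interface, and rule 120 hands every remaining frame (ARP included) to the IP stack, where the ordinary layer 3 rules from 200 onwards apply to the stripped packet. Because rule 110 is tagged `layer2`, the layer 3 copy of a frame that passed rule 100 is not denied a second time.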