how to allow by MAC

Brian W. brian at brianwhalen.net
Mon Jun 11 03:21:02 UTC 2012


I would ask what problem do you want to solve here; is it preventing a
user just from getting out unless they are using their assigned address, or
something else?
On Jun 10, 2012 8:16 PM, "Bill Yuan" <bycn82 at gmail.com> wrote:

> Hi Ian,
>
> Thanks for your reply. I am reading some old emails which you sent in 2008,
> in which someone elsewhere asked the same question as mine.
>
>
> On Mon, Jun 11, 2012 at 1:53 AM, Ian Smith <smithi at nimnet.asn.au> wrote:
>
> > In freebsd-questions Digest, Vol 418, Issue 18, Message: 1
> > On Sun, 10 Jun 2012 17:43:39 +0800 Bill Yuan <bycn82 at gmail.com> wrote:
> >
> >  > how to allow by MAC in ipfw
> >  >
> >  > currently i set the rule like below
> >  >
> >  > 1  allow ip from any to any MAC any to <MAC Address 1>
> >  > 1  allow ip from any to any MAC <MAC Address 1> any
> >  > 2 deny all from any to any
> >  >
> >  > i want to only allow the mac address to go through the freebsd firewall,
> >  >
> >  > but I found it is not working on my freebsd but it works on pfsense!
> >  >
> >  > so maybe that means the environment is not the same ? and how to set up the
> >  > ipfw properly to support this ?
> >
> > Bill, you did get some good clues in the earlier thread, but it's not
> > clear if you took note of them.  There's also been some confusion ..
> >
> > Firstly, read up on layer2 (ethernet, MAC-level) filtering options in
> > ipfw(8).  Thoroughly, several times, until you've got it.  Seriously.
> >
> > After enabling sysctl net.link.ether.ipfw=1 (add it to /etc/sysctl.conf)
> > ipfw will be invoked 4 times instead of the normal 2, on every packet.
> >
> > Read carefully ipfw(8) section 'PACKET FLOW', and see that only on the
> > inbound pass invoked from ether_demux() and the outbound pass invoked
> > from ether_output_frame() can you test for MAC addresses (or mac-types);
> > the 'normal' layer3 passes examine packets that have no layer2 headers.
> >
> > You could just add 'layer2' to any rules filtering on MAC addresses, and
> > omit MAC addresses from all layer 3 (IP) rules, but I'd recommend using
> > a method like shown there to separate layer2 and layer3 flows early on:
> >
> >           # packets from ether_demux
> >           ipfw add 10 skipto 1000 all from any to any layer2 in
> >           # packets from ip_input
> >           ipfw add 10 skipto 2000 all from any to any not layer2 in
> >           # packets from ip_output
> >           ipfw add 10 skipto 3000 all from any to any not layer2 out
> >           # packets from ether_output_frame
> >           ipfw add 10 skipto 4000 all from any to any layer2 out
> >
> > So at (eg) 1000 and 4000 place your incoming and outgoing MAC filtering
> > rules (remembering the reversed order of MAC addresses vs IP addresses,
> > and to allow broadcasts as well), pass good guys and/or block bad guys,
> > then deal with your normal IPv4|v6 traffic in a separate section(s).
> >
> > Or you could just split the flows into two streams, one for layer2 for
> > your MAC filtering, the other for layer3, ie the rest of your ruleset.
> >
> > HTH, Ian  [please cc me on any reply]
> >
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
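As an added example (not from the thread or the ipfw project), a POSIX sh script that builds the ruleset Ian describes: the four skipto splits, a MAC allow-list on the two layer2 passes using ipfw's dst-then-src MAC operand order, broadcasts allowed, and the layer3 policy kept in a separate section. The MAC addresses and the layer3 rules are placeholders; set IPFW=echo and SYSCTL=echo to print the commands instead of loading them.

```shell
#!/bin/sh
# Build an ipfw ruleset laid out as in the thread: route each of ipfw's four
# passes to its own block with skipto, and admit only listed MACs on the two
# layer2 passes. Constructed example; MACs and layer3 rules are placeholders.

IPFW="${IPFW:-/sbin/ipfw}"
SYSCTL="${SYSCTL:-/sbin/sysctl}"
BCAST="ff:ff:ff:ff:ff:ff"

# Without this sysctl ipfw never sees layer2 headers, so MAC rules never match.
enable_layer2() {
    $SYSCTL net.link.ether.ipfw=1
}

# One skipto per pass; rules sharing number 10 are evaluated in insertion order.
split_passes() {
    $IPFW add 10 skipto 1000 all from any to any layer2 in       # ether_demux
    $IPFW add 10 skipto 2000 all from any to any not layer2 in   # ip_input
    $IPFW add 10 skipto 3000 all from any to any not layer2 out  # ip_output
    $IPFW add 10 skipto 4000 all from any to any layer2 out      # ether_output_frame
}

# ipfw's MAC operand order is "MAC dst src", the reverse of the IP "from src to
# dst" order: an inbound frame *from* $mac matches "MAC any $mac", an outbound
# frame *to* $mac matches "MAC $mac any". Add "via <ifname>" to scope it to one NIC.
mac_filter() {
    for mac in "$@"; do
        $IPFW add 1000 allow all from any to any MAC any "$mac"   # inbound from allowed host
        $IPFW add 4000 allow all from any to any MAC "$mac" any   # outbound to allowed host
    done
    $IPFW add 4000 allow all from any to any MAC "$BCAST" any   # our own broadcasts (ARP)
    $IPFW add 1999 deny all from any to any                     # any other frame in
    $IPFW add 4999 deny all from any to any                     # any other frame out
}

# Normal layer3 policy lives at 2000/3000; these two rules are placeholders.
layer3_rules() {
    $IPFW add 2000 allow ip from any to any in
    $IPFW add 3000 allow ip from any to any out
}

# Flush and load everything: build_ruleset <mac> [<mac> ...]
build_ruleset() {
    enable_layer2
    $IPFW -q flush
    split_passes
    mac_filter "$@"
    layer3_rules
}
```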

