How to make ipfw consider MAC-IP match?

Artem Kuchin matrix at itlegion.ru
Tue Feb 15 14:55:09 PST 2005


Scot Hetzel <swhetzel at gmail.com> wrote:
> On Mon, 14 Feb 2005 23:58:03 +0300, Artem Kuchin <matrix at itlegion.ru>
> wrote: 
>> Hi!
>> 
>> I have a table with Ethernet (MAC) addresses matching IPs. It is
>> used to build a DHCP config file. But regardless of that, any user can
>> assign his neighbour's IPs while that PC is turned off and use them to
>> access the internet. The local IPs are 192.168. and are behind natd.
>> I am running 5.3-STABLE and have heard that ipfw2 can in some way
>> use MAC addresses, but how do I set up ipfw in such a way that
>> it allows a certain IP only from one and only one MAC address?
>> I hope you are getting my idea.
>> 
> You would add the following to the end of your IPFW rule for each IP
> Address you want to restrict.
> 
> pass all from 192.168.0.10 to any mac any 10:20:30:40:50:60
> 
> Where "10:20:30:40:50:60" is the MAC addr for IP addr 192.168.0.10.

I have tried static ARP today and it seems like it works. As others mention,
it is possible SOMETIMES to change the MAC address of a NIC, so static ARP
may fail as well as this firewall rule. So, I am wondering which method is
better: static ARP entries or ipfw rules?

Artem
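
Both approaches discussed in this thread start from the same MAC-IP table, so the added example below (not part of the original messages) generates either the per-host rule bodies in the form Scot quoted or the lines for a static-ARP file from one validated table. The function names `emit`, `valid_mac` and `valid_ip` and the `SAMPLE_TABLE` contents are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example. SAMPLE_TABLE is constructed data ("IP MAC" per line).
SAMPLE_TABLE='# ip          mac
192.168.0.10  10:20:30:40:50:60
192.168.0.11  10:20:30:40:50:61
192.168.0.12  10:20:30:40:50:6Z
192.168.0.10  10:20:30:40:50:62'

# valid_mac MAC: succeeds only for six colon-separated hex octets.
valid_mac() {
    h='[0-9A-Fa-f]'
    case "$1" in $h$h:$h$h:$h$h:$h$h:$h$h:$h$h) return 0 ;; esac
    return 1
}

# valid_ip IP: succeeds only for a dotted quad with octets 0-255.
valid_ip() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# emit MODE: read the table on stdin; print one line per accepted host.
#   ipfw -> rule body in the form quoted in the thread
#   arp  -> "IP MAC" line for a static-ARP file
# Malformed entries and any IP or MAC seen twice are skipped; returns 1 then.
emit() {
    mode=$1; seen=" "; rc=0
    while read -r ip mac rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        if ! valid_ip "$ip" || ! valid_mac "$mac"; then
            echo "skipped, malformed: $ip $mac" >&2; rc=1; continue
        fi
        case "$seen" in *" $ip "*|*" $mac "*)
            echo "skipped, duplicate IP or MAC: $ip $mac" >&2; rc=1; continue ;;
        esac
        seen="$seen$ip $mac "
        case "$mode" in
            ipfw) echo "pass all from $ip to any mac any $mac" ;;
            arp)  echo "$ip $mac" ;;
        esac
    done
    return $rc
}

printf '%s\n' "$SAMPLE_TABLE" | emit ipfw || echo "some entries were rejected" >&2
```

The `arp` output can be saved to a file and loaded with `arp -f <file>`. ipfw evaluates MAC options only on layer-2 packets, which it sees only when the `net.link.ether.ipfw` sysctl is enabled.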



More information about the freebsd-stable mailing list