rules to permit only a few MAC addresses
Jon Simola
jsimola at gmail.com
Tue Jul 5 18:18:21 GMT 2005
On 7/5/05, vladone <vladone at llwb135.servidoresdns.net> wrote:
> I want to permit only a few MAC addresses to pass through my gateway.
MAC filtering is done at layer 2, so you need to allow ipfw access to the layer 2 packets via
sysctl -w net.link.ether.ipfw=1
And you may desire rules to only allow arp from certain machines, like:
allow ip from any to any mac-type 0x0806 MAC any 00:11:22:33:44:55 in recv fxp1 layer2
And traffic, like:
allow ip from any to any MAC any 00:11:22:33:44:55 in recv fxp1 layer2
Because you're going to have packets traversing ipfw up to 4 times (layer2 in, layer3 in, layer3 out, layer2 out) you might want to split your firewall rules for efficiency, something like:
50 skipto 10000 ip from any to any in recv fxp1 not layer2 // ip traffic inbound fxp1
60 skipto 12000 ip from any to any in recv fxp0 not layer2 // ip traffic inbound fxp0
70 skipto 14000 ip from any to any in recv fxp1 layer2 // ether traffic inbound fxp1
80 skipto 16000 ip from any to any in recv fxp0 layer2 // ether traffic inbound fxp0
I've done similar things in the past. Hopefully this gives you some ideas.
--
Jon Simola
Systems Administrator
ABC Communications
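A script that generates the ruleset sketched in the reply above (the skipto dispatch per interface and layer, plus a per-MAC ARP and traffic allow on the LAN side ending in a deny), as an added example and not the poster's own configuration. It assumes fxp1 is the LAN-facing interface and fxp0 the upstream one, and the MAC list is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: emit an ipfw ruleset that admits
# only an allowlist of source MACs on the LAN interface, using the skipto
# dispatch from the post so each of the (up to four) passes a packet makes
# through ipfw only walks the rules for its own direction and layer.
# Assumptions: LAN side is fxp1, upstream is fxp0; the MAC list is constructed.
IN_IF=fxp1
OUT_IF=fxp0
ALLOWED_MACS="00:11:22:33:44:55 00:11:22:33:44:66"   # constructed sample list

ipfw_mac_rules() {
    cat <<EOF
sysctl -w net.link.ether.ipfw=1
ipfw -f flush
# dispatch: one rule block per (interface, layer); outbound passes hit rule 90
ipfw add 50 skipto 10000 ip from any to any in recv $IN_IF not layer2
ipfw add 60 skipto 12000 ip from any to any in recv $OUT_IF not layer2
ipfw add 70 skipto 14000 ip from any to any in recv $IN_IF layer2
ipfw add 80 skipto 16000 ip from any to any in recv $OUT_IF layer2
ipfw add 90 allow ip from any to any out
# 10000/12000: layer-3 policy per interface (plain allow here; real IP policy belongs in these blocks)
ipfw add 10000 allow ip from any to any in recv $IN_IF
ipfw add 12000 allow ip from any to any in recv $OUT_IF
EOF
    # 14000: the MAC gate. ARP (mac-type 0x0806) first, then everything else,
    # per allowed source MAC. MAC takes <dst> <src>, so "any $mac" keys on the source.
    n=14000
    for mac in $ALLOWED_MACS; do
        # two rules per MAC; both must stay below the block's final deny at 14999
        [ "$n" -lt 14998 ] || { echo "too many MACs for block 14000" >&2; return 1; }
        echo "ipfw add $n allow ip from any to any mac-type 0x0806 MAC any $mac in recv $IN_IF layer2"
        n=$((n + 1))
        echo "ipfw add $n allow ip from any to any MAC any $mac in recv $IN_IF layer2"
        n=$((n + 1))
    done
    # frames from any other source MAC on the LAN side are dropped here
    echo "ipfw add 14999 deny ip from any to any in recv $IN_IF layer2"
    # 16000: upstream frames are not MAC-gated, just handed on to layer 3
    echo "ipfw add 16000 allow ip from any to any in recv $OUT_IF layer2"
}

ipfw_mac_rules
```

Review the printed rules, then pipe the output to sh on the gateway; the layer-3 blocks at 10000 and 12000 are where the actual IP filtering policy goes.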