rules to permit only few MAC address

vladone vladone at llwb135.servidoresdns.net
Tue Jul 5 20:29:05 GMT 2005


Hello Jon,

Tuesday, July 5, 2005, 9:18:20 PM, you wrote:

> On 7/5/05, vladone <vladone at llwb135.servidoresdns.net> wrote:

>> I want to permit only a few MAC addresses to pass on my gateway.

> MAC filtering is done at layer 2, so you need to allow ipfw access to
> the layer 2 packets via
> sysctl -w net.link.ether.ipfw=1

> And you may desire rules to only allow arp from certain machines, like:
> allow ip from any to any mac-type 0x0806 MAC any 00:11:22:33:44:55 in recv fxp1 layer2

> And traffic, like:
> allow ip from any to any MAC any 00:11:22:33:44:55 in recv fxp1 layer2


> Because you're going to have packets traversing ipfw up to 4 times
> (layer2 in, layer3 in, layer3 out, layer2 out) you might want to split
> your firewall rules for efficiency, something like:

> 50 skipto 10000 ip from any to any in recv fxp1 not layer2 // ip traffic inbound fxp1
> 60 skipto 12000 ip from any to any in recv fxp0 not layer2 // ip traffic inbound fxp0
> 70 skipto 14000 ip from any to any in recv fxp1 layer2 // ether traffic inbound fxp1
> 80 skipto 16000 ip from any to any in recv fxp0 layer2 // ether traffic inbound fxp0

> I've done similar things in the past. Hopefully this gives you some ideas.

  Thanks! Now it seems to be OK. But I don't know how mac-type works. I
  see different values passed as the parameter, like: mac-type 0x809b or mac-type 0x80f3 or mac-type 0x0023 ....


-- 
Best regards,
 vladone                            mailto:vladone at llwb135.servidoresdns.net
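An added example, not code from the thread: a POSIX shell script that generates the layer-2 MAC allowlist block sketched in the reply above (rule numbers 14000 and up, the interface name fxp1, and the MAC addresses in the comments are assumptions, as is the choice to pass only ARP and IPv4 from allowed stations). On the mac-type question, that keyword matches the 16-bit Ethernet type field of the frame: 0x0806 is ARP, 0x0800 IPv4, 0x86dd IPv6, 0x809b AppleTalk and 0x80f3 AppleTalk ARP; values below 0x0600 are IEEE 802.3 length fields rather than types.

```shell
#!/bin/sh
# Added example (not from the thread): build an ipfw layer-2 MAC allowlist
# for one interface. Rule numbers (14000+) follow the skipto layout in the
# reply; the interface name fxp1 and the sample MACs are assumptions.
# Needs net.link.ether.ipfw=1 so ipfw sees Ethernet frames at all.

# Validate a MAC address: six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the rule block for layer-2 frames received on $1 from the MACs in
# $2..$n. Only ARP (mac-type 0x0806) and IPv4 (mac-type 0x0800) frames whose
# source MAC is on the list pass; any other frame entering the interface at
# layer 2 is dropped. In ipfw, "MAC any <addr>" means any destination MAC and
# source MAC <addr>, which is the right orientation for "in recv" frames.
gen_mac_rules() {
    iface=$1; shift
    # Validate everything first so a bad entry never yields a partial ruleset.
    for mac in "$@"; do
        valid_mac "$mac" || { echo "gen_mac_rules: bad MAC '$mac'" >&2; return 1; }
    done
    n=14000
    for mac in "$@"; do
        printf 'add %d allow ip from any to any mac-type 0x0806,0x0800 MAC any %s in recv %s layer2\n' \
            "$n" "$mac" "$iface"
        n=$((n + 1))
    done
    printf 'add %d deny ip from any to any in recv %s layer2\n' "$n" "$iface"
}

# Print a loadable fragment: the skipto that diverts inbound layer-2 frames
# on the interface to the block, followed by the block itself.
# Usage: gen_ruleset fxp1 00:11:22:33:44:55 00:11:22:33:44:66 > mac.rules
#        ipfw -q mac.rules
gen_ruleset() {
    iface=$1
    printf 'add 70 skipto 14000 ip from any to any in recv %s layer2\n' "$iface"
    gen_mac_rules "$@"
}
```

Two caveats a practitioner should keep in mind. Restricting mac-type to ARP and IPv4 also drops IPv6 and VLAN-tagged frames from the allowed stations, so widen the list if those are in use. And a source MAC is trivially forged by anyone on the segment, so this is an access-control convenience against accidental clients, not an authentication mechanism; pair it with the layer-3 rules the reply describes.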



More information about the freebsd-ipfw mailing list