ipfw2 with mac filtering
Christian Hiris
4711 at chello.at
Thu Feb 23 14:14:32 PST 2006
On Tuesday, 21. February 2006 15:12, Cesar wrote:
> Hi,
>
> I wanted to finish my firewall rules doing a "deny all from any to any",
> but I can't do that with mac filtering at the same time. Let me explain.
>
> Since I use ipfw mac filter, I have the sysctl variable
> "net.link.ether.ipfw: 1";
>
> My FreeBSD box has the IP 10.0.0.1 and my Windows box 10.0.0.2.
>
> An example of my rules:
>
> 00001 0 0 allow ip from 10.0.0.2 MAC any 00:13:20:27:80:d6 any
> 00002 0 0 allow ip from any to 10.0.0.2 MAC 00:13:20:27:80:d6 any
> 65535 0 0 allow ip from any to any
>
> This works fine; rules 1 and 2 get some matches when I ping from the
> Windows box to FreeBSD.
> After this test, I added the rule "65534 0 0 deny ip from any to any".
> It still works, but after some time, if I have no traffic from 10.0.0.2,
> FreeBSD appears to remove the arp entry for that IP. If I do an "arp -a", I
> get:
>
> ? (10.0.0.1) at 00:08:54:29:ff:17 on xl0 [ethernet]
Set up rules that allow ARP broadcasts, like:
ipfw add pass MAC any ff:ff:ff:ff:ff:ff
ipfw add pass MAC ff:ff:ff:ff:ff:ff any
Cheers
ch
--
Christian Hiris <4711 at chello.at> | OpenPGP KeyID 0x3BCA53BE
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
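A complete ruleset in the spirit of the reply above, written as an added example (it is not Cesar's or Christian's configuration). It assumes net.link.ether.ipfw=1 and net.inet.ip.fw.enable=1, the addresses and MAC quoted in the thread, and it goes one step further than the broadcast rules: ARP replies are unicast, so it matches the ARP Ethernet type at layer 2, and it uses the layer2 keyword so the deny does not also fire on the second, layer-3 pass.

```shell
#!/bin/sh
# Added example, not the thread's own ruleset. Assumes net.link.ether.ipfw=1,
# net.inet.ip.fw.enable=1 and the addresses/MAC quoted by Cesar.
HOST_IP="10.0.0.2"; HOST_MAC="00:13:20:27:80:d6"; FW_IP="10.0.0.1"

# Print the ruleset in ipfw(8) command-file format instead of loading it,
# so it can be reviewed (or checked by a script) before it touches the kernel.
gen_rules() {
    cat <<EOF
# Layer 2: ARP must pass, or the ARP entry for ${HOST_IP} expires and can
# never be refreshed. Requests are broadcast but replies are unicast, so
# match the Ethernet type rather than only the broadcast destination.
add 100 allow mac-type arp layer2
# Layer 2: IP frames only to/from the known MAC (MAC syntax is: MAC dst src).
add 200 allow ip from ${HOST_IP} to any MAC any ${HOST_MAC} layer2
add 210 allow ip from any to ${HOST_IP} MAC ${HOST_MAC} any layer2
# Layer 2: everything else is dropped here. Without "layer2" a deny would
# also fire on the second (layer-3) pass and drop the frames accepted above.
add 300 deny all from any to any layer2
# Layer 3: packets reaching here already passed the MAC check at layer 2.
add 400 allow ip from any to any via lo0
add 410 allow ip from ${HOST_IP} to ${FW_IP}
add 420 allow ip from ${FW_IP} to ${HOST_IP}
add 65000 deny ip from any to any
EOF
}

# Load the ruleset, only where ipfw exists (i.e. on the FreeBSD box itself).
load_rules() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found" >&2; return 1; }
    tmp=$(mktemp) || return 1
    gen_rules >"$tmp" && ipfw -q -f flush && ipfw -q "$tmp"
    rc=$?; rm -f "$tmp"; return $rc
}
```

Run `gen_rules` first to inspect the numbering; the ARP rule must sit below the layer-2 deny, and the layer-3 deny closes the set as Cesar wanted.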