ipfw with nat - allowing by MAC address

Patrick Tracanelli eksffa at freebsdbrasil.com.br
Tue Apr 24 18:27:55 UTC 2007


Lubomir Georgiev wrote:
> OK, so let's get started. Here's my ruleset -
> 
> 00300   131732   19262748 skipto 1200 ip from any to any { MAC any 00:19:d2:36:b8:48 or MAC 00:19:d2:36:b8:48 any } layer2

Good. I have never used it this way and I am not sure if it will work. 
First, try to use two rules, one per flow.

ipfw add 300 skipto 1200 ip from any to any MAC 00:19:d2:36:b8:48 any layer2
ipfw add 301 skipto 1200 ip from any to any MAC any 00:19:d2:36:b8:48 layer2

Later, you try to put both flows all in a single rule. I am not sure if 
both flows aren't checked together and the rule will match once, since 
layer2 MAC filter happens as it happens on the wire.

> 00500     4723    1941536 skipto 1400 ip from any to any layer2
> 01203    68479    8449298 divert 8668 ip from 192.168.1.0/24 to any out via fxp0
> 01205    71215   16745674 divert 8668 ip from any to me in via fxp0
> *01250   410160  534966441 queue 1 ip from any to any src-port 80 via fxp0
> *01251   143290   14139299 queue 1 ip from any to any dst-port 80 via fxp0
> *01300  2711668 1462734503 queue 2 ip from any to any not src-port 80 via fxp0
> 01400 12581325 6691776490 allow ip from any to any

Seems almost ok here; please add "not layer2" to the dummynet rules, otherwise 
you will have your bw controlled twice.

> I've marked the dummynet rules with an asterisk. I'm using Patrick's ruleset
> - since I'm only allowing internet access for a single machine I've combined
> his first two rules into one. My internal network is 192.168.1.0/24 and my
> external iface is fxp0. What I'm experiencing right now as I'm using this
> set is this - I have internet on this machine I desired /OK/ and on all
> others with ip 192.168.1.X /not OK, obviously :)/ regardless of MAC. For me,
> the rules that concern layer2 don't do what they're supposed to and thusly
> the traffic reaches rule 1203 and 1205 and onward. Interestingly enough
> traffic does hit the first and second rule. Here's my uname -
> 
> FreeBSD bogoqho.com 6.1-RELEASE FreeBSD 6.1-RELEASE #1: Sun Apr  8 10:54:10 EEST 2007     tldstyl3 at bogoqho.com:/usr/src/sys/i386/compile/bogoqho  i386
> 
> And my sysctl -
> 
> bogoqho# sysctl -a | egrep "one_pass\|ether"
> If there's anything that would help you - just say the word... Let's
> brainstorm :)
> 

sysctl -a | egrep "one_pass|ether"; my fault, \| is only needed for grep, 
not egrep.

Just to be sure, net.link.ether.ipfw=1 and net.inet.ip.fw.one_pass=1.

-- 
Patrick Tracanelli

FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
316601 at sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
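Lubomir's ruleset with the two changes Patrick suggests applied (the MAC rule split per direction, "not layer2" on the dummynet rules), written as an ipfw(8) rule file; this is an added illustration, not text from either poster. It keeps the rule numbers, the fxp0 interface and the MAC address from the thread and assumes the two sysctl values Patrick names are set.

```ipfw
# Constructed example: load with  ipfw -q -f flush; ipfw /etc/ipfw.rules
# Prerequisites (e.g. in /etc/sysctl.conf):
#   net.link.ether.ipfw=1      # also run IP frames through ipfw at layer 2
#   net.inet.ip.fw.one_pass=1  # a packet accepted by divert/dummynet leaves
#                              # the ruleset instead of re-entering it
#
# With net.link.ether.ipfw=1 each IP packet traverses the ruleset twice:
# once as an Ethernet frame (only here does "layer2" match) and once as an
# IP packet. Rules without "layer2"/"not layer2" see both passes.

# Layer-2 pass: one rule per direction for the permitted host.
# ipfw MAC syntax is "MAC dst-mac src-mac".
add 300 skipto 1200 ip from any to any MAC any 00:19:d2:36:b8:48 layer2
add 301 skipto 1200 ip from any to any MAC 00:19:d2:36:b8:48 any layer2
# every other frame goes straight to the final allow in the layer-2 pass
add 500 skipto 1400 ip from any to any layer2

# NAT via natd on the external interface
add 1203 divert 8668 ip from 192.168.1.0/24 to any out via fxp0
add 1205 divert 8668 ip from any to me in via fxp0

# dummynet shaping; "not layer2" restricts these to the IP pass so the
# same packet is not queued a second time as a frame
add 1250 queue 1 ip from any to any src-port 80 via fxp0 not layer2
add 1251 queue 1 ip from any to any dst-port 80 via fxp0 not layer2
add 1300 queue 2 ip from any to any not src-port 80 via fxp0 not layer2

add 1400 allow ip from any to any
```

After loading, `ipfw -a list` shows per-rule counters, so hits on 300/301 versus 500 confirm whether the layer-2 pass is matching the MAC at all.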


