ipfw with nat - allowing by MAC address

Julian Elischer julian at elischer.org
Tue Apr 24 20:00:13 UTC 2007


Lubomir Georgiev wrote:
> OK, so let's get started. Here's my ruleset -
> 
> 00300   131732   19262748 skipto 1200 ip from any to any { MAC any 00:19:d2:36:b8:48 or MAC 00:19:d2:36:b8:48 any } layer2

for a packet from a client through this machine to the internet:
on the first pass (packet in ethernet receive) this skips to 1203,1205 where nothing happens
because divert does not work on layer 2.

on the second pass (packet entering IP stack) it goes to 500 then 1203 where it
doesn't match (not output for 1203 and not to "me" for 1205).
on the third pass (packet leaving IP stack), it goes to 500 then 1203 where
it diverts (is outgoing and from 192.x.x.x.), returning just in time for 1205.
on the 4th pass (packet being transmitted on an ethernet) it goes to 500 and
thus 1400 because it now has a different MAC

> 00500     4723    1941536 skipto 1400 ip from any to any layer2
> 01203    68479    8449298 divert 8668 ip from 192.168.1.0/24 to any out via fxp0
> 01205    71215   16745674 divert 8668 ip from any to me in via fxp0
> *01250   410160  534966441 queue 1 ip from any to any src-port 80 via fxp0
> *01251   143290   14139299 queue 1 ip from any to any dst-port 80 via fxp0
> *01300  2711668 1462734503 queue 2 ip from any to any not src-port 80 via fxp0
> 01400 12581325 6691776490 allow ip from any to any
> 
> I've marked the dummynet rules with an asterisk. I'm using Patrick's ruleset
> - since I'm only allowing internet access for a single machine I've combined
> his first two rules into one. My internal network is 192.168.1.0/24 and my
> external iface is fxp0. What I'm experiencing right now as I'm using this
> set is this - I have internet on this machine I desired /OK/ and on all
> others with ip 192.168.1.X /not OK, obviously :)/ regardless of MAC. For me,
> the rules that concern layer2 don't do what they're supposed to and thusly
> the traffic reaches rule 1203 and 1205 and onward. Interestingly enough
> traffic does hit the first and second rule. Here's my uname -
> 
> FreeBSD bogoqho.com 6.1-RELEASE FreeBSD 6.1-RELEASE #1: Sun Apr  8 10:54:10 EEST 2007     tldstyl3 at bogoqho.com:/usr/src/sys/i386/compile/bogoqho  i386
> 
> And my sysctl -
> 
> bogoqho# sysctl -a | egrep "one_pass\|ether"
> bogoqho#
> 
> which as you can see returns nothing using the command you instructed me to
> use.
> 
> If there's anything that would help you - just say the word... Let's
> brainstorm :)
> 
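Added example, not part of the thread or of ipfw itself: a small Python model that walks one client-to-internet packet through the quoted ruleset on each of the four passes Julian describes (ethernet receive, IP input, IP output, ethernet transmit), recording which rules fire. Rule numbers, actions, the client MAC, 192.168.1.0/24 and fxp0 come from the thread; the inside interface name `rl0`, the other MAC addresses, the NAT address and the omission of the dummynet queue rules are assumptions of the example.

```python
CLIENT_MAC = "00:19:d2:36:b8:48"   # the MAC allowed by rule 300 in the thread

def _mac(p):  # rule 300: { MAC any <client> or MAC <client> any } layer2
    return p["layer2"] and CLIENT_MAC in (p["smac"], p["dmac"])

def _out(p):  # rule 1203: ip from 192.168.1.0/24 to any out via fxp0
    return p["dir"] == "out" and p["iface"] == "fxp0" and p["src"].startswith("192.168.1.")

def _in(p):   # rule 1205: ip from any to me in via fxp0
    return p["dir"] == "in" and p["iface"] == "fxp0" and p["dst"] == "me"

# (rule number, action, argument, match function); the dummynet queue rules
# are left out because they do not change where the packet ends up.
RULES = [(300, "skipto", 1200, _mac), (500, "skipto", 1400, lambda p: p["layer2"]),
         (1203, "divert", 8668, _out), (1205, "divert", 8668, _in),
         (1400, "allow", None, lambda p: True)]

def run(p):
    """Return the (rule, action) steps ipfw takes for packet p on one pass."""
    trace, i = [], 0
    while i < len(RULES):
        num, act, arg, match = RULES[i]
        if not match(p):
            i += 1
        elif act == "skipto":
            trace.append((num, "skipto %d" % arg))
            i = next(j for j, r in enumerate(RULES) if r[0] >= arg)
        elif act == "divert" and p["layer2"]:
            i += 1   # divert cannot act on a layer-2 pass: rule is passed over
        elif act == "divert":
            trace.append((num, "divert %d" % arg))
            p["src"] = "203.0.113.5"   # natd rewrites the source (assumed addr)
            i += 1                     # and re-injects at the next rule
        else:
            trace.append((num, act))
            break
    return trace

def passes(client_mac):
    """One client->internet packet through the four passes; returns four traces."""
    ip = {"src": "192.168.1.10", "dst": "198.51.100.7", "layer2": False}
    # Inside interface name and all MACs other than the client's are assumed.
    p1 = dict(ip, layer2=True, dir="in", iface="rl0", smac=client_mac, dmac="02:00:00:00:00:01")
    p2 = dict(ip, dir="in", iface="rl0")                         # entering IP stack
    p3 = dict(ip, dir="out", iface="fxp0")                       # leaving IP stack
    p4 = dict(ip, layer2=True, dir="out", iface="fxp0", smac="02:00:00:00:00:01", dmac="02:00:00:00:00:02")
    return [run(p) for p in (p1, p2, p3, p4)]
```

Comparing `passes(CLIENT_MAC)` with `passes("02:00:00:00:00:99")` shows that a host with any other MAC takes rule 500's `skipto 1400` on the very first pass and is allowed, which matches what Lubomir reports seeing.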