ipfw with nat - allowing by MAC address

Julian Elischer julian at elischer.org
Tue Apr 24 20:15:07 UTC 2007


Julian Elischer wrote:
> Lubomir Georgiev wrote:
>> OK, so let's get started. Here's my ruleset -
>>
>> 00300   131732   19262748 skipto 1200 ip from any to any { MAC any
>> 00:19:d2:36:b8:48 or MAC 00:19:d2:36:b8:48 any } layer2
> 
> for a packet from a client through this machine to the internet:
> on the first pass (packet in ethernet receive) this skips to 1203, 1205
> where nothing happens because divert does not work on layer 2.
> 
> on the second pass (packet entering IP stack) it goes to 500 then 1203
> where it doesn't match (not output for 1203 and not to "me" for 1205).
> on the third pass (packet leaving IP stack) it goes to 500 then 1203
> where it diverts (is outgoing and from 192.x.x.x), returning just in
> time for 1205.
> on the 4th pass (packet being transmitted on an ethernet) it goes to
> 500 and thus 1400 because it now has different MAC
> 

What I meant to say is that keeping all this sort of thing in mind all the time
makes it hard to debug this, which is why in my example I always send the different
passes to separate rules as quickly as possible.

>> 00500     4723    1941536 skipto 1400 ip from any to any layer2
>> 01203    68479    8449298 divert 8668 ip from 192.168.1.0/24 to any 
>> out via
>> fxp0
>> 01205    71215   16745674 divert 8668 ip from any to me in via fxp0
>> *01250   410160  534966441 queue 1 ip from any to any src-port 80 via 
>> fxp0
>> *01251   143290   14139299 queue 1 ip from any to any dst-port 80 via 
>> fxp0
>> *01300  2711668 1462734503 queue 2 ip from any to any not src-port 80 via
>> fxp0
>> 01400 12581325 6691776490 allow ip from any to any
>>
>> I've marked the dummynet rules with an asterisk. I'm using Patrick's
>> ruleset - since I'm only allowing internet access for a single machine
>> I've combined his first two rules into one. My internal network is
>> 192.168.1.0/24 and my external iface is fxp0. What I'm experiencing
>> right now as I'm using this set is this - I have internet on this
>> machine I desired /OK/ and on all others with ip 192.168.1.X /not OK,
>> obviously :)/ regardless of MAC. For me, the rules that concern layer2
>> don't do what they're supposed to and thusly the traffic reaches rule
>> 1203 and 1205 and onward. Interestingly enough traffic does hit the
>> first and second rule. Here's my uname -
>>
>> FreeBSD bogoqho.com 6.1-RELEASE FreeBSD 6.1-RELEASE #1: Sun Apr  8 10:54:10 EEST 2007     tldstyl3 at bogoqho.com:/usr/src/sys/i386/compile/bogoqho  i386
>>
>> And my sysctl -
>>
>> bogoqho# sysctl -a | egrep "one_pass\|ether"
>> bogoqho#
>>
>> which as you can see returns nothing using the command you instructed
>> me to use.
>>
>> If there's anything that would help you - just say the word... Let's
>> brainstorm :)
>>
> 
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
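The four passes Julian walks through above, as an added example for this thread (not code from the original message, from ipfw, or from Patrick's ruleset): a small Python model of ipfw's rule walk, run once over the ruleset as posted and once over a ruleset that sends each pass to its own section first, as Julian recommends. It assumes the inside interface is called em0 (the thread never names it), uses constructed MAC and IP addresses, drops the port tests of rules 1250/1251/1300 (they only affect queueing), treats a queue rule as falling through to the next rule (i.e. net.inet.ip.fw.one_pass=0), models divert as the natd source rewrite on the outbound pass, and skips divert on layer-2 passes as Julian states. The reorganised ruleset is an illustration of the advice, not a tested ipfw configuration.

```python
import ipaddress

# Constructed values for the model; only CLIENT_MAC comes from the posted rule 300.
CLIENT_MAC = "00:19:d2:36:b8:48"
OTHER_MAC = "00:19:d2:aa:bb:cc"                           # constructed: an unauthorised client
FW_MAC, GW_MAC = "00:0c:29:11:22:33", "00:0c:29:44:55:66"  # constructed firewall / upstream MACs
INSIDE_IF = "em0"                                          # assumption: inside NIC name not in thread
EXT_IP, INT_IP = "203.0.113.5", "192.168.1.1"              # constructed firewall addresses
ME = {EXT_IP, INT_IP}                                      # what ipfw's "me" would match here


def rule(num, action, arg=None, **match):
    return {"num": num, "action": action, "arg": arg, "match": match}


def matches(r, pkt):
    """Subset of ipfw match options used by the posted ruleset."""
    m = r["match"]
    if m.get("layer2") and not pkt["layer2"]:
        return False
    if "mac" in m and (not pkt["layer2"] or m["mac"] not in (pkt["smac"], pkt["dmac"])):
        return False
    if "dir" in m and m["dir"] != pkt["dir"]:
        return False
    if "via" in m and m["via"] != pkt["via"]:
        return False
    if "src" in m and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(m["src"]):
        return False
    if m.get("dst") == "me" and pkt["dst"] not in ME:
        return False
    if r["action"] == "divert" and pkt["layer2"]:
        return False  # Julian: divert does not work on layer 2
    return True


def run_pass(rules, pkt):
    """One pass through the ruleset; returns (verdict, numbers of the rules that matched)."""
    rules = sorted(rules, key=lambda r: r["num"])
    hit, i = [], 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
            continue
        hit.append(r["num"])
        if r["action"] in ("allow", "deny"):
            return r["action"], hit
        if r["action"] == "skipto":                       # jump to first rule numbered >= target
            i = next((j for j, x in enumerate(rules) if x["num"] >= r["arg"]), len(rules))
            continue
        if r["action"] == "divert" and pkt["dir"] == "out":
            pkt["src"] = EXT_IP                           # natd rewrote the source; re-enter at next rule
        i += 1                                            # inbound divert / queue: fall through (one_pass=0)
    return "deny", hit                                    # default rule 65535


def forward(rules, client_mac, dst="198.51.100.7"):
    """One packet from an inside client to the internet, through all four passes."""
    pkt = {"src": "192.168.1.10", "dst": dst}
    passes = [
        ("ether in", dict(layer2=True, dir="in", via=INSIDE_IF, smac=client_mac, dmac=FW_MAC)),
        ("ip in", dict(layer2=False, dir="in", via=INSIDE_IF)),
        ("ip out", dict(layer2=False, dir="out", via="fxp0")),
        ("ether out", dict(layer2=True, dir="out", via="fxp0", smac=FW_MAC, dmac=GW_MAC)),
    ]
    trace = []
    for name, props in passes:
        pkt.update(props)
        verdict, hit = run_pass(rules, pkt)
        trace.append((name, hit))
        if verdict == "deny":
            return "deny", trace
    return "allow", trace


# The ruleset as posted (port tests of the dummynet rules left out of the model).
POSTED = [
    rule(300, "skipto", 1200, layer2=True, mac=CLIENT_MAC),
    rule(500, "skipto", 1400, layer2=True),
    rule(1203, "divert", 8668, src="192.168.1.0/24", dir="out", via="fxp0"),
    rule(1205, "divert", 8668, dst="me", dir="in", via="fxp0"),
    rule(1250, "queue", 1, via="fxp0"),
    rule(1400, "allow"),
]

# Julian's advice applied (assumed layout): each pass is dispatched to its own section first.
SEPARATED = [
    rule(100, "skipto", 3000, layer2=True, dir="in", via=INSIDE_IF),  # frames from inside: MAC check
    rule(110, "skipto", 1400, layer2=True),                            # every other layer-2 pass
    *POSTED[2:],                                                       # IP passes: NAT / queue / allow
    rule(3000, "allow", mac=CLIENT_MAC),
    rule(3010, "deny"),
]

if __name__ == "__main__":
    for name, rs in (("posted", POSTED), ("separated", SEPARATED)):
        for mac in (CLIENT_MAC, OTHER_MAC):
            print(name, mac, forward(rs, mac))
```

With the posted rules the model forwards the packet whichever MAC it carries: rule 300 sends the authorised client's frame to 1203/1205, where nothing matches on layer 2, and rule 500 sends every other frame straight to 1400, so the MAC test never denies anything. With the passes separated, an unauthorised frame reaches 3010 on the first pass and the later passes never happen.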


