ipfw with nat - allowing by MAC address

Lubomir Georgiev 0shady0recs0 at gmail.com
Thu Apr 26 22:54:19 UTC 2007


  Yeah! People, we can congratulate ourselves! We've done it! With a few
modifications I've finally found the smallest working MAC filtered NAT
system. So here's what I ended up with - I'm including the queues just for
the entirety of the ruleset, they have nothing to do with the filtering.

00100 allow ip from any to me not dst-port 8668 via xl0
00101 allow ip from me not 8668 to any via xl0
00300 allow ip from any to any { MAC 00:19:d2:36:b8:48 any or MAC any 00:19:d2:36:b8:48 } layer2
00800 deny log logamount 200 ip from any to any MAC any any layer2 via xl0
01203 divert 8668 ip from 192.168.1.0/24 to any out via fxp0
01205 divert 8668 ip from any to me in via fxp0
01250 queue 1 ip from any to any src-port 80 not layer2 via fxp0
01251 queue 1 ip from any to any dst-port 80 not layer2 via fxp0
01300 queue 2 ip from any to any not src-port 80 not layer2 via fxp0
01500 allow ip from any to any
65535 deny ip from any to any


  Just one note - when I first reached this conclusion I had two very
strange *blackouts*. As if the 100 and the 101 rules just suddenly stop
working and I'm left out of the box, i.e. I can't ssh in although the
diverting still works - I can ping hosts on the Internet. It seems to be
fine now and once I gain some knowledge I'm probably going to expand this
ruleset, but for now I've accomplished my goal!

  I have all of you to thank for that! Even though it wasn't easy /mostly
because of my ignorance I'm sure/ you pulled me through.


  Respect.
  One last request - if someone happens to have some free time and wishes to
donate it to me I'd really like to better understand the whole *layer*
thing. I have searched the Internet for answers on this as well as read the
ipfw man page, but I can't really understand it.

  \/  Peace.
-- 
mEsS wItH tHe bEsT
dIE liKe tHe rESt
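
The ruleset above, generalized to a list of permitted stations, as an added example script that is not part of the original post. LAN_IF, WAN_IF, LAN_NET, NATD_PORT, gen_ruleset and valid_mac are assumed names; the interface roles follow the posted rules (xl0 on the LAN side, fxp0 toward the Internet, natd on divert port 8668).

```shell
#!/bin/sh
# Emits an ipfw command file (one rule per line) that mirrors the posted
# ruleset for any number of permitted MAC addresses. Load it on the box with
#   ipfw -q flush && ipfw -q /path/to/rules
# Defaults are assumptions taken from the post; override via environment.
LAN_IF=${LAN_IF:-xl0}
WAN_IF=${WAN_IF:-fxp0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
NATD_PORT=${NATD_PORT:-8668}
LOG_LIMIT=${LOG_LIMIT:-200}

# Accept only a canonical colon-separated MAC, so a typo cannot turn into a
# syntax error that aborts loading the file half way (leaving a partial set).
valid_mac() {
    echo "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Usage: gen_ruleset 00:19:d2:36:b8:48 [more MACs ...] > rules
# Rules with the `layer2` option only match on the Ethernet passes that
# net.link.ether.ipfw=1 enables; the MAC header is visible only there, while
# divert (natd) is an IP-layer action, so the two halves never compete.
# A MAC allow-list only identifies a station by an address the sender
# controls, so treat it as a convenience filter, not an authentication step.
gen_ruleset() {
    n=300
    echo "add 100 allow ip from any to me not dst-port $NATD_PORT via $LAN_IF"
    echo "add 101 allow ip from me not $NATD_PORT to any via $LAN_IF"
    for mac in "$@"; do
        mac=$(echo "$mac" | tr 'A-F' 'a-f')
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
        # Keep the allow rules below the deny at 800.
        [ "$n" -lt 800 ] || { echo "too many MACs" >&2; return 1; }
        # MAC dst src: permit frames both to and from this station.
        echo "add $n allow ip from any to any { MAC $mac any or MAC any $mac } layer2"
        n=$((n + 1))
    done
    # Default for the Ethernet pass on the LAN side: drop and log, rate-limited.
    echo "add 800 deny log logamount $LOG_LIMIT ip from any to any MAC any any layer2 via $LAN_IF"
    # IP-layer passes: hand LAN traffic and its replies to natd.
    echo "add 1203 divert $NATD_PORT ip from $LAN_NET to any out via $WAN_IF"
    echo "add 1205 divert $NATD_PORT ip from any to me in via $WAN_IF"
    echo "add 1500 allow ip from any to any"
}
```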

