question on NAT + IPFW

Ian Smith smithi at
Fri Jun 12 08:08:15 UTC 2015

On Fri, 12 Jun 2015 08:59:40 +0200, Guido Falsi wrote:

 > > looks correct, assuming xl0 is your internal interface (better put it in
 > > a variable and use the variable in your rules imho)
 > Forgot one thing, working around this block is as easy as changing the
 > machine IP, teenager can learn this easily and it can be done in a lot
 > of ways, even if they are not root(or equivalent) on their machine, they
 > can just boot from a CD with some live OS. You could have a better block
 > by also checking the MAC address, like this:
 > $cmd 021 deny log MAC any 00:aa:00:00:00:00:01 via xl0
 > (not tested)
 > MAC addresses can be modified too but it's somewhat more difficult.

While that's all true, blocking at layer 2 requires extra work that may 
be beyond what's needed here, to have ipfw deal with layer 2 traffic.

sysctl must be set for ipfw to see layer 2 packets 
at all, and then you'd need to follow ipfw(8) section PACKET FLOW to 
separate the layer 2 and 3 traffic in order to look at MAC addresses on 
the appropriate one of the extra two passes through ipfw this entails.

Maybe best not telling the teenagers exactly how you're blocking them, 
which at least gives you a headstart in the race :)

cheers, Ian

More information about the freebsd-net mailing list