question on NAT + IPFW
smithi at nimnet.asn.au
Fri Jun 12 08:08:15 UTC 2015
On Fri, 12 Jun 2015 08:59:40 +0200, Guido Falsi wrote:
> > looks correct, assuming xl0 is your internal interface (better put it in
> > a variable and use the variable in your rules imho)
> Forgot one thing, working around this block is as easy as changing the
> machine IP; a teenager can learn this easily and it can be done in a lot
> of ways. Even if they are not root (or equivalent) on their machine, they
> can just boot from a CD with some live OS. You could have a better block
> by also checking the MAC address, like this:
> $cmd 021 deny log MAC any 00:aa:00:00:00:01 via xl0
> (not tested)
> MAC addresses can be modified too but it's somewhat more difficult.
While that's all true, blocking at layer 2 requires extra work that may
be beyond what's needed here, to have ipfw deal with layer 2 traffic.
sysctl net.link.ether.ipfw=1 must be set for ipfw to see layer 2 packets
at all, and then you'd need to follow ipfw(8) section PACKET FLOW to
separate the layer 2 and 3 traffic in order to look at MAC addresses on
the appropriate one of the extra two passes through ipfw this entails.
Maybe best not telling the teenagers exactly how you're blocking them,
which at least gives you a head start in the race :)
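As an added illustration (my own sketch, not code from either poster), the
sh script below ties the points above together: the interface lives in a
variable, net.link.ether.ipfw=1 is set before any MAC rule is expected to do
anything, and the layer-2 rules are kept apart from the layer-3 ones with the
`layer2` keyword so the IP rules are not evaluated twice, as ipfw(8) PACKET
FLOW describes. xl0 is taken from the thread; the IP and MAC are constructed
sample values, and DRYRUN=1 only prints the commands instead of running them.

```sh
#!/bin/sh
# Added example (not from the thread): generates an ipfw rule set that blocks
# one host on the inside interface at layer 3 (by IP) and at layer 2 (by MAC).
# Interface name, IP and MAC below are assumed/constructed sample values.

IFACE="${IFACE:-xl0}"                         # inside interface (thread uses xl0)
BLOCK_IP="${BLOCK_IP:-192.0.2.10}"            # constructed sample (TEST-NET-1)
BLOCK_MAC="${BLOCK_MAC:-00:aa:00:00:00:01}"   # constructed sample MAC
DRYRUN="${DRYRUN:-1}"                         # 1 = print commands, 0 = run them

# Prints 1 when ipfw is being handed Ethernet frames; 0 (or unset) means any
# MAC rule is loaded but never matched, which is the silent failure mode.
layer2_enabled() {
  sysctl -n net.link.ether.ipfw 2>/dev/null || echo 0
}

# Emit the commands, one per line. Numbering keeps the layer-2 rules ahead of
# the layer-3 ones:
#   20: on the Ethernet pass only (layer2), drop frames whose source MAC is
#       the blocked host; "MAC dst src" is ipfw's operand order.
#   21: end the Ethernet pass for everything else, so the IP rules below are
#       not evaluated a second time on the raw frame.
#   22: the plain layer-3 block by source address.
ruleset() {
  printf 'sysctl net.link.ether.ipfw=1\n'
  printf 'ipfw add 20 deny log MAC any %s layer2 in via %s\n' "$BLOCK_MAC" "$IFACE"
  printf 'ipfw add 21 allow ip from any to any layer2\n'
  printf 'ipfw add 22 deny log ip from %s to any in via %s\n' "$BLOCK_IP" "$IFACE"
}

# Number of rules that only take effect once the sysctl is 1.
layer2_rule_count() {
  ruleset | grep -c ' layer2'
}

apply_ruleset() {
  if [ "$DRYRUN" = 1 ]; then
    ruleset
  else
    ruleset | sh -e
  fi
}

if [ "$(layer2_enabled)" != 1 ] && [ "$DRYRUN" = 1 ]; then
  echo "# note: net.link.ether.ipfw is not 1 here; $(layer2_rule_count) layer2 rule(s) would be inert until it is" >&2
fi
apply_ruleset
```

Run it once with DRYRUN=1 to read the rules, then DRYRUN=0 as root to load
them; the MAC rule is the one a live CD does not get around, so it is worth
confirming with `ipfw show` that rule 20 is actually counting packets.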