question on NAT + IPFW
Guido Falsi
mad at madpilot.net
Fri Jun 12 08:24:11 UTC 2015
On 06/12/15 10:07, Ian Smith wrote:
> On Fri, 12 Jun 2015 08:59:40 +0200, Guido Falsi wrote:
>
> > > looks correct, assuming xl0 is your internal interface (better put it in
> > > a variable and use the variable in your rules imho)
> >
> > Forgot one thing: working around this block is as easy as changing the
> > machine IP. A teenager can learn this easily, and it can be done in a lot
> > of ways; even if they are not root (or equivalent) on their machine, they
> > can just boot from a CD with some live OS. You could have a better block
> > by also checking the MAC address, like this:
> >
> > $cmd 021 deny log MAC any 00:aa:00:00:00:01 via xl0
> >
> > (not tested)
> >
> > MAC addresses can be modified too but it's somewhat more difficult.
>
> While that's all true, blocking at layer 2 requires extra work that may
> be beyond what's needed here, to have ipfw deal with layer 2 traffic.
>
> sysctl net.link.ether.ipfw=1 must be set for ipfw to see layer 2 packets
> at all, and then you'd need to follow ipfw(8) section PACKET FLOW to
> separate the layer 2 and 3 traffic in order to look at MAC addresses on
> the appropriate one of the extra two passes through ipfw this entails.
>
Uhm, I forgot to check these details. Yes, layer 2 is a lot more work
anyway, I avoid it if possible.
I also did not read the example given carefully; my fault on that too :)
--
Guido Falsi <mad at madpilot.net>
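One way to put the layer-3 (IP) block and the layer-2 (MAC) block together while keeping the two ipfw passes apart, as an added example that is not from this thread or from the ipfw(8) documentation. It uses the `layer2` option and `MAC dst src` syntax from ipfw(8) as I understand them, is untested against a live box, and by default only prints the rules (DRY_RUN=1); the interface name, address and MAC are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): generate the ipfw rules that block one
# LAN host by IP on the layer-3 pass and by MAC on the layer-2 pass.
# iif, blocked_ip, blocked_mac and the rule numbers are assumptions.
iif="xl0"                       # internal interface, kept in a variable
blocked_ip="192.168.1.23"       # constructed sample address
blocked_mac="00:aa:00:00:00:01" # constructed sample MAC (6 octets)
: "${DRY_RUN:=1}"               # 1 = print the commands instead of running them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

build_rules() {
    # ipfw only sees Ethernet frames (and so MAC addresses) when this is set.
    run sysctl net.link.ether.ipfw=1
    # Layer-2 pass: restrict with "layer2" so this never fires on the IP passes.
    # MAC order is destination first, source second: drop frames sent by the host.
    run ipfw -q add 20 deny log MAC any "$blocked_mac" layer2 in via "$iif"
    # Let every other frame through the layer-2 pass; IP rules handle it later.
    run ipfw -q add 30 allow all from any to any layer2
    # Layer-3 pass: the IP-based block from the original example.
    run ipfw -q add 40 deny log all from "$blocked_ip" to any via "$iif"
    run ipfw -q add 50 allow all from any to any
}

# Number of ipfw rules the script would load (used as a sanity check).
rule_count() {
    build_rules | grep -c '^ipfw '
}

build_rules
```

Run with `DRY_RUN=0` as root to actually load the rules; the `layer2` and non-`layer2` split is what keeps MAC matching off the IP-level passes described in ipfw(8) PACKET FLOW.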