[Q-4.8-R] Can Anyone Help With Questions About MAC Filtering and IPFW2 ?
Lowell Gilbert
freebsd-questions-local at be-well.no-ip.com
Mon Apr 21 08:35:57 PDT 2003
"The Jetman" <jetman516 at hotmail.com> writes:
It's somewhat difficult to read and make sense out of your message.
> I'm using 4.8-RELEASE to implement a MAC-filtering bridge for my
> wireless network. Although I am relatively new with FreeBSD (since Apr '02),
> I've been getting the desired results writing my own rules for IPFW. My
> first attempt with IPFW2 was successful, but I can't figure out why!
> ${fwcmd} -f flush
> #### permit all traffic from our wksta to anywhere via our internal iface
> (1) ${fwcmd} add permit ${ipanyany} MAC any ${wksmac} in via ${iif}
> ${fwcmd} add permit ${ipanyany} MAC ${wksmac} any out via ${iif}
> #### permit all traffic from/to the outside iface....
> ${fwcmd} add permit ${ipanyany} MAC ${oifmac} any in via ${oif}
> ${fwcmd} add permit ${ipanyany} MAC any ${oifmac} out via ${oif}
> #### block anything else coming from/going to the internal iface....
> (2) ${fwcmd} add deny log ${ipanyany} MAC any any in via ${iif}
> (3) ${fwcmd} add allow ${ipanyany}
>
> Only rules (1), (2), and (3) fire. Rule (1) fires for obvious
> reasons (because it matches the pattern I've anticipated). Because of how IP-based
> IPFW1 rules work, I *thought* one would have to have matching inbound/outbound
> rules. What's most baffling is that while non-approved MAC addresses are blocked
> as desired [at rule (2)], legal traffic is permitted back through the bridge
> to its sender [via rule (3)]. WHY ????
It's not clear to me how a bare IP address (without "to" or "from" or an
option keyword) is supposed to be interpreted. Does it matter if you
add those in?
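An added example, not part of the thread above, that models how ipfw2 evaluates the quoted ruleset: first match wins, and the MAC operands are written as "MAC dst-mac src-mac" (destination first, then source). The interface names, MAC addresses and frames below are constructed stand-ins for the poster's shell variables, and the model makes one assumption that a practitioner should check against their own setup: the bridge is transparent, so a bridged frame carries the end hosts' MAC addresses, never the bridge's own NIC address, and each frame is checked once, inbound on the interface it arrived on. Whether the 4.8 bridge code also runs the "out via" rules is deliberately not modelled.

```python
"""Model of ipfw2 first-match evaluation over MAC rules.
Added example; addresses, interfaces and frames are constructed."""

# Constructed values standing in for the poster's shell variables.
IIF, OIF = "wi0", "xl0"              # ${iif}, ${oif}
WKSMAC = "00:02:2d:aa:bb:cc"         # ${wksmac}: the one permitted station
OIFMAC = "00:e0:18:11:22:33"         # ${oifmac}: the bridge's outside NIC
REMOTE = "00:50:56:de:ad:01"         # a host beyond the outside interface
ROGUE = "00:0c:29:ba:dd:ff"          # an unapproved wireless client

# ipfw2 syntax is "MAC dst-mac src-mac": destination first, then source.
# Tuple layout: (label, action, dst_pattern, src_pattern, direction, iface)
# None for direction/iface means the rule has no in/out or via clause.
RULES = [
    ("1",       "permit", "any",  WKSMAC, "in",  IIF),
    ("1-out",   "permit", WKSMAC, "any",  "out", IIF),
    ("oif-in",  "permit", OIFMAC, "any",  "in",  OIF),
    ("oif-out", "permit", "any",  OIFMAC, "out", OIF),
    ("2",       "deny",   "any",  "any",  "in",  IIF),
    ("3",       "allow",  "any",  "any",  None,  None),
]


def mac_matches(pattern, addr):
    """'any' matches everything; otherwise an exact, case-insensitive compare."""
    return pattern == "any" or pattern.lower() == addr.lower()


def rule_matches(rule, frame):
    """True if every clause of the rule agrees with the frame."""
    _label, _action, dst_pat, src_pat, direction, iface = rule
    if direction is not None and direction != frame["dir"]:
        return False
    if iface is not None and iface != frame["via"]:
        return False
    return mac_matches(dst_pat, frame["dst"]) and mac_matches(src_pat, frame["src"])


def evaluate(frame):
    """Return (label, action) of the first rule that matches, as ipfw does.
    The fallback stands in for the implicit default rule 65535, whose action
    depends on how the kernel was built."""
    for rule in RULES:
        if rule_matches(rule, frame):
            return rule[0], rule[1]
    return ("default", "deny")


def frame(src, dst, direction, via):
    """Constructed layer-2 frame as seen by the bridge's inbound check."""
    return {"src": src, "dst": dst, "dir": direction, "via": via}


# Constructed traffic. Assumption: the bridge does not rewrite MAC addresses,
# so frames carry the end hosts' addresses, not the bridge's own NIC address.
WKS_TO_REMOTE = frame(WKSMAC, REMOTE, "in", IIF)     # station sends out
REMOTE_TO_WKS = frame(REMOTE, WKSMAC, "in", OIF)     # reply comes back
ROGUE_TO_REMOTE = frame(ROGUE, REMOTE, "in", IIF)    # unapproved client
TO_BRIDGE_NIC = frame(REMOTE, OIFMAC, "in", OIF)     # addressed to the bridge itself


def trace_all():
    """Map each constructed frame name to the rule that decides it."""
    frames = {
        "wks->remote": WKS_TO_REMOTE,
        "remote->wks": REMOTE_TO_WKS,
        "rogue->remote": ROGUE_TO_REMOTE,
        "remote->bridge-nic": TO_BRIDGE_NIC,
    }
    return {name: evaluate(f) for name, f in frames.items()}


if __name__ == "__main__":
    for name, (label, action) in trace_all().items():
        print(f"{name:20s} -> rule {label} ({action})")
```

Under this model the station's own frames stop at rule (1), an unknown client on the wireless side stops at rule (2), and the reply from outside skips the two outside-interface rules (their MAC operand is the bridge's own NIC address, which a bridged frame never carries) and falls through to rule (3), which is the pattern the poster reports. The only frame that hits the "oif-in" rule is one addressed to the outside NIC itself. If the intent was to restrict what comes back in from the outside, the operands in those two rules need to name the station's address, not the interface's.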