dhcpd MAC filter

Lowell Gilbert freebsd-questions-local at be-well.ilk.org
Sat Aug 21 08:27:55 PDT 2004


Don't top-post, please.
[<http://catb.org/~esr/jargon/html/T/top-post.html>]
[format re-arranged]

Wayne M Barnes <wayne at etaq.com> writes:

> On Fri, Aug 20, 2004 at 02:01:26PM -0400, Chuck Swiger wrote:
> > Wayne M Barnes wrote:
> > >    Is there a way to allow or disallow certain computers by their
> > >MAC number?
> > 
> > ipfw 2 supports firewalling by MAC address, so yes.
> > 
> > >    This ability comes with the software on my wireless access point,
> > >but I prefer that my FreeBSD system hand out the IP addresses,
> > >and I cannot find this MAC-filtering ability at man dhcpd.
> > >
> > >   isc-dhcp3-server-3.0.1.r14_2 is my installed port.
> > >Is there another dhcpd to try?
> > 
> > You can specify MAC addresses in your DHCP config to reserve specific IP 
> > addresses for specific machines.  I'm not sure whether there is a way to 
> > tell DHCP not to grant a lease to MAC addresses which are not found, but 
> > then, without using a firewall, someone could manually configure a foreign 
> > host to use the connection, regardless of whether they can get a DHCP lease.
> > 
> > -- 
> > -Chuck
> 


> Dear Chuck,
> 
>    Thanks for the tip about ipfw, but I can't seem to write
> an acceptable line for rc.firewall, even after reading man ipfw,
> which does not show a full example.
> 
>    For instance, the following confuses ipfw when I put it
> into rc.firewall:
> 
> #from man ipfw: MAC 10:20:30:40:50:60/33 any
> ipfw add drop all from MAC 00:02:2d:2e:04:28 to any
> 
>     It complains that MAC is an unknown machine.
> 
>     How should I spell a firewall rule invocation that will
> prevent a certain MAC serial number from getting through or to 
> my FreeBSD machine?
> 
>     Thank you for any further advice.

Sounds like you're running the original IPFW rather than IPFW2.  As
Chuck Swiger indicated, you need IPFW2 for the MAC keyword.  IPFW2 is
standard on FreeBSD 5.x, but not earlier.
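
An added example, not part of the original message: with IPFW2, the MAC option takes the destination address first and the source second, and it only matches layer-2 frames, which reach ipfw when the sysctl net.link.ether.ipfw is set to 1. The script below only prints the commands; the rule numbers, function names and second sample address are assumptions made for illustration.

```shell
#!/bin/sh
# Build ipfw2 rules that drop frames by source MAC address.
# Nothing is applied here: the commands are printed for review.

# Succeed only for six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print one deny rule. ipfw2 reads "MAC <dst> <src>", so a source
# filter is written "MAC any <src>". A word such as "MAC" placed in
# the "from" position is rejected here instead of reaching ipfw.
mac_deny_rule() {
    rulenum=$1
    mac=$2
    is_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
    echo "ipfw add $rulenum deny ip from any to any MAC any $mac layer2"
}

# Read one MAC per line from stdin, skipping blank lines and comments,
# and number the rules from $1 in steps of 10.
mac_deny_rules() {
    n=$1
    while read -r addr rest; do
        case $addr in ''|'#'*) continue ;; esac
        mac_deny_rule "$n" "$addr" || return 1
        n=$((n + 10))
    done
}

# Layer-2 frames are only handed to ipfw when this sysctl is 1.
echo "sysctl net.link.ether.ipfw=1"

# Constructed sample list: the first address is the one from the
# thread, the second is made up.
mac_deny_rules 100 <<'EOF'
# blocked wireless clients
00:02:2d:2e:04:28
AA:BB:CC:00:11:22
EOF
```

Rules like these must sit ahead of any rule that would otherwise accept the traffic.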