vladone wrote:
I want to permit only a few MAC addresses to pass on my gateway.
I put these lines in my script:
ipfw -q -f flush
cmd="/sbin/ipfw -q"
oif="rl0"
pif="fxp1"
$cmd add 110 skipto 5000 MAC any 00:0e:a6:81:40:3e in via $pif
$cmd add 120 skipto 5000 MAC any 00:50:8b:6b:0c:b2 in via $pif
..............................................................
$cmd add 500 deny log MAC any any in via $pif
$cmd add 5000 divert natd all from any to any via $oif
but it does not work (it blocks legitimate traffic). How can I do this job?
mmm, if I'm right, network traffic passes through IPFW2 twice, first on
layer 2 and later on layer 3, so you have to allow traffic on layer three...
ok, the interface was an fxp a long time ago, so I still use $FXP,
though the interface is an em now... :P
Here's a part of my code:
#!/bin/sh
IPFW=/sbin/ipfw
ALL="add allow MAC any "
FXP="in via em0"
$IPFW -q flush
$IPFW -q pipe flush
# allow everything not on layer 2
$IPFW add allow all from any to any not layer2
# localhost traffic
$IPFW add allow layer2 via lo0
# outbound interface
$IPFW add allow layer2 via tun0
# out via em0;
$IPFW add allow layer2 out via em0
# in via em0; hostile internal network
$IPFW $ALL xx:xx:xx:xx:xx:xx $FXP
$IPFW $ALL yy:yy:yy:yy:yy:yy $FXP
....
# anything else arriving on the inside interface is denied and logged
$IPFW add deny log logamount 0 MAC any any $FXP
regards,
Robert
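An added worked example (my own, not Robert's or vladone's script) that turns the structure above into a small sh script: it validates the MAC list and emits the rule set in the order Robert uses (let layer 3 through first, then the layer-2 rules, then a logged deny), so the output can be reviewed before it is applied. The interface names and MAC addresses are assumed/constructed. It also enables net.link.ether.ipfw, which FreeBSD needs before ipfw sees layer-2 frames at all.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates an ipfw rule set that
# admits only the listed source MACs arriving on the LAN interface.
# Interface names and MAC addresses are constructed/assumed values.

LAN_IF="em0"    # assumed inside interface
WAN_IF="tun0"   # assumed outside interface
ALLOWED_MACS="00:0e:a6:81:40:3e 00:50:8b:6b:0c:b2"   # constructed list

# True when $1 is six colon-separated hex pairs (case-insensitive).
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# gen_rules LAN WAN MAC... : print one command per line.
# Returns 1 before printing anything if a MAC is malformed, so a typo in
# the list cannot silently become a rule that matches nothing.
gen_rules() {
    lan="$1" wan="$2"
    shift 2
    for m in "$@"; do
        valid_mac "$m" || { echo "bad MAC: $m" >&2; return 1; }
    done
    n=100
    # Frames are only handed to ipfw at layer 2 when this sysctl is 1.
    echo "sysctl net.link.ether.ipfw=1"
    echo "ipfw -q -f flush"
    # Layer-3 pass: the same packets come back at layer 3, let them through.
    echo "ipfw add $n allow all from any to any not layer2"; n=$((n+10))
    echo "ipfw add $n allow layer2 via lo0";                 n=$((n+10))
    echo "ipfw add $n allow layer2 via $wan";                n=$((n+10))
    echo "ipfw add $n allow layer2 out via $lan";            n=$((n+10))
    # Layer-2 pass, inbound on the LAN: one allow per permitted source MAC.
    for m in "$@"; do
        echo "ipfw add $n allow MAC any $m in via $lan"; n=$((n+10))
    done
    # Everything else from the LAN is dropped and logged (0 = no log limit).
    echo "ipfw add $n deny log logamount 0 MAC any any in via $lan"
}

# count_mac_allows LAN WAN MAC... : number of per-MAC allow rules produced.
count_mac_allows() {
    gen_rules "$@" | grep -c ' allow MAC any '
}

# Stand-alone run: print the rule set for review (pipe into sh to apply).
gen_rules "$LAN_IF" "$WAN_IF" $ALLOWED_MACS
```

The deny rule is logged on purpose: a MAC allowlist identifies a network card, not a person, and the source address can be changed on the sending host, so treat the list as a convenience filter and watch the log for hosts that unexpectedly hit the final rule.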
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw