Excuse me, I am very interested in learning how to allow and deny MACs
on my network, since I have a LAN and a WLAN; with that I would solve the
issue of unauthorized access.
What has been written so far does not clear up my doubt about how to
control access by MAC. Could you explain a little more about the
subject, since after that I have to build the firewall?
In an answer from Robert Klein it appears that control by MAC is said to
be done from layer 2 and layer 3; in the other mail this does not appear.
The example is useful, but I do not manage to understand how to build
the firewall with that data.
Thanks in advance to everyone.
Excuse my English; it is from a translator.
vladone wrote:
Hello Jon,
Tuesday, July 5, 2005, 9:18:20 PM, you wrote:
On 7/5/05, vladone <[EMAIL PROTECTED]> wrote:
I want to permit only a few MAC addresses to pass through my gateway.
MAC filtering is done at layer 2, so you need to allow ipfw access to
the layer 2 packets via
sysctl -w net.link.ether.ipfw=1
And you may desire rules to only allow arp from certain machines, like:
allow ip from any to any mac-type 0x0806 MAC any 00:11:22:33:44:55 in recv fxp1 layer2
And traffic, like:
allow ip from any to any MAC any 00:11:22:33:44:55 in recv fxp1 layer2
Because you're going to have packets traversing ipfw up to 4 times
(layer2 in, layer3 in, layer3 out, layer2 out) you might want to split
your firewall rules for efficiency, something like:
50 skipto 10000 ip from any to any in recv fxp1 not layer2 // ip traffic inbound fxp1
60 skipto 12000 ip from any to any in recv fxp0 not layer2 // ip traffic inbound fxp0
70 skipto 14000 ip from any to any in recv fxp1 layer2 // ether traffic inbound fxp1
80 skipto 16000 ip from any to any in recv fxp0 layer2 // ether traffic inbound fxp0
I've done similar things in the past. Hopefully this gives you some ideas.
Thanks! Now it seems to be OK. But I don't know how mac-type works. I
see different addresses passed as the parameter, like: mac-type 0x809b or
mac-type 0x80f3 or mac-type 0x0023 ....
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
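
An added example, not part of the original thread: a POSIX sh function that prints (without applying) the ipfw commands for the per-MAC allowlist discussed above. mac-type matches the EtherType field of the frame (0x0806 is ARP, 0x0800 is IPv4); the 14000 block follows the skipto layout quoted above, while the rule step of 10, the closing deny rule and the second MAC address are assumptions.

```sh
#!/bin/sh
# Added example: print ipfw commands for an inbound layer-2 MAC allowlist.
# Rule numbering and the final deny rule are assumptions, not from the thread.

# is_mac STRING: succeed only for six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# gen_mac_rules IFACE FIRST_RULE MAC...
gen_mac_rules() {
    iface=$1; num=$2; shift 2
    [ "$#" -gt 0 ] || { echo "no MAC addresses given" >&2; return 1; }
    # Validate every address first so a typo never yields a partial ruleset.
    for mac in "$@"; do
        is_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    done
    # ipfw only sees Ethernet frames once this sysctl is enabled.
    echo "sysctl -w net.link.ether.ipfw=1"
    for mac in "$@"; do
        # "MAC any $mac" means: any destination MAC, this source MAC.
        echo "ipfw add $num allow ip from any to any mac-type 0x0806 MAC any $mac in recv $iface layer2"
        num=$((num + 10))
        echo "ipfw add $num allow ip from any to any mac-type 0x0800 MAC any $mac in recv $iface layer2"
        num=$((num + 10))
    done
    # Everything else arriving at layer 2 on this interface is dropped.
    echo "ipfw add $num deny ip from any to any in recv $iface layer2"
}

# Constructed sample addresses; review the output before running it as root.
gen_mac_rules fxp1 14000 00:11:22:33:44:55 00:11:22:33:44:66
```

A source MAC address is chosen by the sending host, so this allowlist filters traffic but does not authenticate a machine.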