On Wed, 13 May 2009, Brett Glass wrote:
> I need to find a way to do "MAC address locking" in FreeBSD -- that is, to
> ensure that only a machine with a particular MAC address can use a particular
> IP address. Unfortunately, it appears that rules in FreeBSD's IPFW are
> "stuck" on one layer: rules that look at Layer 2 information in a packet
> can't look at Layer 3, and vice versa. Is there a way to work around this to
> do MAC address locking and/or other functions that involve looking at Layer 2
> and Layer 3 simultaneously?
You can use fixed leases with the MAC specified in DHCP for that, with or without specifying a range of addresses available to boxes with unknown MACs. An org I'm working for uses just that method to good effect. You can also specify a different (e.g.) router address for non-fixed leases, towards your 'captive portal' requirement for new boxes.

Re ipfw(8), I'm not clear on what your problem is: the section PACKET FLOW shows clearly how to distinguish layer 2 from layer 3 traffic. Your 'vice versa' here isn't correct; you can select by layer 3 criteria on packets from ether_demux, though of course once (or if) they get to re-enter the firewall at layer 3 (from ip_input) you can't see/test MAC addresses anymore. 'Simultaneously' isn't really the case then; clearly the layer 2 pass occurs first on input, and last on output.

cheers, Ian

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
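As an added example (not part of either message in the thread, and not anything Ian or Brett posted), here is a small POSIX sh script that turns one constructed host table into the two things the reply describes: an ISC dhcpd configuration with fixed leases keyed on MAC plus a pool for unknown MACs that hands out a different router, and an ipfw(8) ruleset that, in the layer 2 pass (frames from ether_demux, enabled with net.link.ether.ipfw=1), tests the IP source address and the source MAC in the same rule. The interface em0, the 192.168.10.0/24 subnet, the pool range, the router addresses and the MACs are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the freebsd-net thread. From one constructed host
# table it emits
#  (a) a dhcpd.conf that pins each known MAC to a fixed address and gives
#      clients with unknown MACs a different default router, and
#  (b) an ipfw(8) layer-2 ruleset that passes IP only when the source IP and
#      the source MAC belong to the same table entry, so a fixed address used
#      from the wrong MAC is dropped before it ever reaches ip_input.
# Interface, subnet, pool, routers, addresses and MACs are assumptions.

IFACE=em0
SUBNET=192.168.10.0
NETMASK=255.255.255.0
ROUTER=192.168.10.1           # gateway handed to known (fixed-lease) clients
PORTAL_ROUTER=192.168.10.254  # assumed captive-portal box for unknown MACs
POOL_NET=192.168.10.192/27    # dynamic pool as an ipfw-matchable prefix
POOL_FIRST=192.168.10.193
POOL_LAST=192.168.10.222

# Constructed host table, one "name mac ip" per line.
HOSTS='
ws01 00:11:22:33:44:55 192.168.10.11
ws02 00:11:22:33:44:66 192.168.10.12
'

# Call "$1 name mac ip" for every non-blank table line.
for_each_host() {
    echo "$HOSTS" | while read -r name mac ip; do
        [ -n "$name" ] || continue
        "$1" "$name" "$mac" "$ip"
    done
}

# One dhcpd host block: the MAC is the key, the address is fixed.
dhcp_host() {
    printf 'host %s {\n    hardware ethernet %s;\n    fixed-address %s;\n}\n' "$1" "$2" "$3"
}

gen_dhcpd_conf() {
    for_each_host dhcp_host
    printf 'subnet %s netmask %s {\n' "$SUBNET" "$NETMASK"
    printf '    option routers %s;\n' "$ROUTER"
    printf '    pool {\n'
    printf '        deny known-clients;\n'      # only MACs without a host block
    printf '        range %s %s;\n' "$POOL_FIRST" "$POOL_LAST"
    printf '        option routers %s;\n' "$PORTAL_ROUTER"
    printf '    }\n}\n'
}

# One layer-2 rule per host. ipfw's MAC operand is "MAC dst-mac src-mac", so
# "any" is the destination and the table MAC is the source. The IP source
# match is evaluated in the same layer-2 pass.
ipfw_host() {
    printf 'ipfw add %d allow ip from %s to any MAC any %s layer2 in recv %s\n' \
        "$RULE" "$3" "$2" "$IFACE"
    RULE=$((RULE + 1))
}

gen_ipfw_rules() {
    # Hand Ethernet frames to ipfw from ether_demux/ether_output.
    printf 'sysctl net.link.ether.ipfw=1\n'
    # ARP must still flow or nothing on the LAN can resolve anything.
    printf 'ipfw add 900 allow ip from any to any mac-type arp layer2\n'
    RULE=1000
    for_each_host ipfw_host
    # Pool clients are not MAC-bound; they are segregated by the portal router.
    printf 'ipfw add 1900 allow ip from %s to any layer2 in recv %s\n' "$POOL_NET" "$IFACE"
    # Anything else claiming a LAN address at layer 2 is dropped here; this is
    # where a fixed IP behind the wrong MAC (or a wrong IP) ends up.
    printf 'ipfw add 1990 deny ip from %s/24 to any layer2 in recv %s\n' "$SUBNET" "$IFACE"
    # Remaining layer-2 traffic continues on to the rest of the ruleset.
    printf 'ipfw add 1999 allow ip from any to any layer2\n'
}

# Usage: sh maclock.sh dhcp | ipfw
case "${1:-}" in
    dhcp) gen_dhcpd_conf ;;
    ipfw) gen_ipfw_rules ;;
esac
```

Two caveats follow from the reply itself. The deny at 1990 only sees frames received on em0 during the layer 2 pass; by the time the same packet re-enters from ip_input the MAC header is gone, so the binding has to be enforced in that first pass and the numbered rules need to sit ahead of whatever layer 3 rules already exist. And the DHCP half on its own only controls what the server hands out: a station that hand-configures a known address is exactly the case the ipfw half is there to catch.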