Hi,

If you don't want the "hostile users" to know that you are shaping their packets on the way to the Internet, you might want to make use of the Bridge facilities in OpenBSD.
There you can tag the packets merely based on their MAC, and then in higher layers have "pf" deal with those packets as you wish!

Regards,
Amir

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Benfell
Sent: Monday, January 23, 2006 06:09
To: misc@openbsd.org
Subject: pf by mac address?

Hello all,

Perhaps I'm looking for this the wrong way.

My local network now (and hopefully temporarily) includes hostile users. I may need to exercise controls on their Internet usage by machine.

Now, I can certainly tell dhcpd to give certain machines certain IP addresses by reference to their MAC address. But that won't stop these users from allocating their own IP address and essentially bypassing dhcpd.

The environment includes a lot of wireless -- most users connect this way.

So I'm thinking I'd like to be able to write packet filter rules based on MAC address. I'm not necessarily going to want to simply cut off all their Internet access, but pf offers a lot of options to do what I think I might want to do, if I can make rules by MAC address. Traffic shaping and additional rules about what ports they can access come to mind. Possibly other possibilities will come to your mind -- hopefully you see what I'm thinking.

Is it possible?

--
David Benfell, LCP
[EMAIL PROTECTED]
---
Resume available at http://www.parts-unknown.org/
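
The approach suggested in the reply (tag by MAC on the bridge, then let pf act on the tag), sketched as an added example that is not part of the original thread. It assumes current OpenBSD syntax (bridge rules via ifconfig(8)/hostname.if(5) and pf "queue" rules, rather than the brconfig and ALTQ of 2006); the interface names, the tag name RESTRICTED, the bandwidth figures and the MAC address are constructed for illustration.

```conf
# ---- /etc/hostname.bridge0 ----
# Assumed layout: em0 faces the uplink, em1 faces the LAN/wireless side.
add em0
add em1
# Tag every frame entering from the LAN side with this source MAC.
# 00:00:5e:00:53:10 is a constructed address, not a real station.
rule pass in on em1 src 00:00:5e:00:53:10 tag RESTRICTED
up

# ---- /etc/pf.conf ----
ext_if = "em0"

# Queues on the uplink-facing interface shape traffic leaving toward
# the Internet; the tagged stations share the small "slow" queue.
queue rootq on $ext_if bandwidth 100M max 100M
queue std  parent rootq bandwidth 98M default
queue slow parent rootq bandwidth 1M max 2M

set skip on lo

# Everyone else is passed as before.
pass all

# Tagged stations: drop by default, then allow only DNS and web,
# assigned to the slow queue. Last matching rule wins, so the two
# pass rules below override the block for those ports only.
block out on $ext_if tagged RESTRICTED
pass  out on $ext_if proto { tcp udp } to port domain \
      tagged RESTRICTED set queue slow
pass  out on $ext_if proto tcp to port { www https } \
      tagged RESTRICTED set queue slow
```

Because the match is on the MAC rather than the IP, a station that assigns itself a different IP address still carries the tag. A MAC address can also be changed by the client, so the same mechanism can be inverted: tag the known-good stations and apply the restricted rules to untagged traffic.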