Re[2]: ipfw with nat - allowing by MAC address

2007-05-01 Thread Fratiman Vladut
Test this: ipfw add 190 allow ip from any to any layer2 mac-type arp $cmd add 192 skipto 201 MAC any xx:xx:xx:xx:xx:xx in via $pif layer2 . $cmd add 200 deny MAC a

Re: ipfw with nat - allowing by MAC address

2007-04-26 Thread AT Matik
On Thursday 26 April 2007 19:54, Lubomir Georgiev wrote: > Yeah! People, we can congratulate ourselves! We've done it! With a few > modifications I've finally found the smallest working MAC filtered NAT > system. So here's what I ended up with - I'm including the queues just for > the entirety of

Re: ipfw with nat - allowing by MAC address

2007-04-26 Thread Julian Elischer
Lubomir Georgiev wrote: Yeah! People, we can congratulate ourselves! We've done it! With a few modifications I've finally found the smallest working MAC filtered NAT system. So here's what I ended up with - I'm including the queues just for the entirety of the ruleset, they have nothing to do wi

ipfw with nat - allowing by MAC address

2007-04-26 Thread Lubomir Georgiev
Remember those *blackouts* I wrote about a few minutes ago... I guess they're not over yet - they just keep happening again and again. While everything's going fine - ssh is working, diverting's OK I hear the server's HDD twirking and pop goes my SSH. I can no longer ping it, but I can ping hosts

ipfw with nat - allowing by MAC address

2007-04-26 Thread Lubomir Georgiev
Yeah! People, we can congratulate ourselves! We've done it! With a few modifications I've finally found the smallest working MAC filtered NAT system. So here's what I ended up with - I'm including the queues just for the entirety of the ruleset, they have nothing to do with the filtering. 00100

Re: ipfw with nat - allowing by MAC address

2007-04-26 Thread eksffa
> So I guess shit never stops... As I said I'm currently trying to use the > deny rule which you initially supplied to drop the packets which don't get > skipped. Here's my current ruleset - Now it is a different ruleset, where you want to allow first. You have to have the flow picture in mind:

ipfw with nat - allowing by MAC address

2007-04-26 Thread Lubomir Georgiev
The reason I haven't tried it is because I try to keep things as simple as possible. Your set contained *a lot* of rules which, if the ruleset I'm trying to use right now works, would be pointless. Don't take it personally - I'm very grateful for all your help. And again - if you have any ideas

Re: ipfw with nat - allowing by MAC address

2007-04-26 Thread Julian Elischer
I'm surprised you haven't tried the firewall set I sent you.. I practically wrote the whole thing for you.

ipfw with nat - allowing by MAC address

2007-04-26 Thread Lubomir Georgiev
So I guess shit never stops... As I said I'm currently trying to use the deny rule which you initially supplied to drop the packets which don't get skipped. Here's my current ruleset - 00100 173035 29328940 allow ip from any to any via xl0 00300 292524 50232419 skipto 1200 ip from any to a

ipfw with nat - allowing by MAC address

2007-04-26 Thread Lubomir Georgiev
OK - So I guess we might have a problem... bogoqho# uname -a FreeBSD bogoqho.com 6.1-RELEASE FreeBSD 6.1-RELEASE # I'm currently thinking about using the deny approach you initially recommended. I'll just add an allow rule via the internal iface which will still allow me to ssh in and if every

Re: ipfw with nat - allowing by MAC address

2007-04-26 Thread eksffa
> Thanks for everyone's continuing attempts to help! > > OK so I tried putting in the ruleset which you provided - and I hit a > rock > very early in the run. IPFW returns that it doesn't understand the tag > option. > > ipfw add 501 skipto 1400 tag 1 log logamount 0 ip from any to any layer2

ipfw with nat - allowing by MAC address

2007-04-26 Thread Lubomir Georgiev
Thanks for everyone's continuing attempts to help! OK so I tried putting in the ruleset which you provided - and I hit a rock very early in the run. IPFW returns that it doesn't understand the tag option. ipfw add 501 skipto 1400 tag 1 log logamount 0 ip from any to any layer2 via $ifi Doe

Re: ipfw with nat - allowing by MAC address

2007-04-26 Thread eksffa
> [EMAIL PROTECTED] wrote: >> Ok, I got home (when I have some time) and tried exactly your rule set. >> The main deal why it worked on my example and not your approach is: >> >> - once packets get dropped (denied) on layer2, it will never reach upper >> layers >> >> Thus, NO OTHER action besides d

Re: ipfw with nat - allowing by MAC address

2007-04-25 Thread Julian Elischer
[EMAIL PROTECTED] wrote: Ok, I got home (when I have some time) and tried exactly your rule set. The main deal why it worked on my example and not your approach is: - once packets get dropped (denied) on layer2, it will never reach upper layers Thus, NO OTHER action besides deny will avoid the

Re: ipfw with nat - allowing by MAC address

2007-04-25 Thread eksffa
Ok, I got home (when I have some time) and tried exactly your rule set. The main deal why it worked on my example and not your approach is: - once packets get dropped (denied) on layer2, it will never reach upper layers Thus, NO OTHER action besides deny will avoid the packet getting into ip_inp

Re: ipfw with nat - allowing by MAC address

2007-04-24 Thread Julian Elischer
Julian Elischer wrote: Lubomir Georgiev wrote: OK, so let's get started. Here's my ruleset - 00300 131732 19262748 skipto 1200 ip from any to any { MAC any 00:19:d2:36:b8:48 or MAC 00:19:d2:36:b8:48 any } layer2 for a packet from a client through this machine to the internet: on the first

Re: ipfw with nat - allowing by MAC address

2007-04-24 Thread Julian Elischer
Lubomir Georgiev wrote: OK, so let's get started. Here's my ruleset - 00300 131732 19262748 skipto 1200 ip from any to any { MAC any 00:19:d2:36:b8:48 or MAC 00:19:d2:36:b8:48 any } layer2 for a packet from a client through this machine to the internet: on the first pass (packet in etherne

ipfw with nat - allowing by MAC address

2007-04-24 Thread Lubomir Georgiev
H1 again. So I did try dividing the first rule up into two. But the problem still remains - all the machines on the 192.168.1.X get diverted through natd regardless of their MAC address. I don't think that the problem lies with the rule that allows the traffic rather with the ones that denies /s

Re: ipfw with nat - allowing by MAC address

2007-04-24 Thread Patrick Tracanelli
Lubomir Georgiev wrote: OK, so let's get started. Here's my ruleset - 00300 131732 19262748 skipto 1200 ip from any to any { MAC any 00:19:d2:36:b8:48 or MAC 00:19:d2:36:b8:48 any } layer2 Good. I have never used it this way and I am not sure if it will work. First, try to use two rule

ipfw with nat - allowing by MAC address

2007-04-24 Thread Lubomir Georgiev
OK, so let's get started. Here's my ruleset - 00300 131732 19262748 skipto 1200 ip from any to any { MAC any 00:19:d2:36:b8:48 or MAC 00:19:d2:36:b8:48 any } layer2 00500 47231941536 skipto 1400 ip from any to any layer2 01203684798449298 divert 8668 ip from 192.168.1.0/24 to

Re: ipfw with nat - allowing by MAC address

2007-04-24 Thread Patrick Tracanelli
Lubomir Georgiev wrote: Julian if you mean this Then I did receive it but Patrick's setup seemed much easier and he claimed that it worked. This is why I decided to try his first. But now that I've re-examined it I

ipfw with nat - allowing by MAC address

2007-04-24 Thread Lubomir Georgiev
Julian if you mean this Then I did receive it but Patrick's setup seemed much easier and he claimed that it worked. This is why I decided to try his first. But now that I've re-examined it I see that it's not that much mor

Re: ipfw with nat - allowing by MAC address

2007-04-23 Thread Julian Elischer
ok so I just emailed how I would do this.. Did you not receive it? Lubomir Georgiev wrote: OK people - here's the deal. I have tried the setup as described by *Patrick Tracanelli at *click but the shitty thing still does

Re: ipfw with nat - allowing by MAC address

2007-04-23 Thread Julian Elischer
Patrick Tracanelli wrote: the trick is to remember that "check-state" just re-runs the rule that had the original keep-state, and that that rule can be almost anything, including a skipto. What if it is a FWD? true too.. though fwd will do nothing in Layer2 use skipto to simulate what you

ipfw with nat - allowing by MAC address

2007-04-23 Thread Lubomir Georgiev
OK people - here's the deal. I have tried the setup as described by *Patrick Tracanelli at *click but the shitty thing still doesn't want to just let it be! Since I don't want to 00500 468 30071 deny log logamount 100 i

Re: ipfw with nat - allowing by MAC address

2007-04-23 Thread Patrick Tracanelli
the trick is to remember that "check-state" just re-runs the rule that had the original keep-state, and that that rule can be almost anything, including a skipto. What if it is a FWD? -- Patrick Tracanelli

Re: ipfw with nat - allowing by MAC address

2007-04-23 Thread Julian Elischer
Lubomir Georgiev wrote: I'd like to thank all the people who replied to the thread I started. Your help has been invaluable. The reason I didn't immediately respond to Jao is that I wanted to make sure I wasn't mistaken - I was sure that IPFW + NAT + MAC address filtering in a single box was

ipfw with nat - allowing by MAC address

2007-04-23 Thread Lubomir Georgiev
I'd like to thank all the people who replied to the thread I started. Your help has been invaluable. The reason I didn't immediately respond to Jao is that I wanted to make sure I wasn't mistaken - I was sure that IPFW + NAT + MAC address filtering in a single box was possible because I had seen

Re: ipfw with nat - allowing by MAC address

2007-04-22 Thread Julian Elischer
AT Matik wrote: On Sunday 22 April 2007 06:13, Lubomir Georgiev wrote: As a side note - I had found "sysctl net.link.ether.ipfw=1" and it was enabled during my endless futile attempts. I believe that my problem lies in my rules but I can't figure out what's wrong with them So someone please

Re: ipfw with nat - allowing by MAC address

2007-04-22 Thread Patrick Tracanelli
I could not understand Joao's statement, so I tend to disagree that there is no layer2 traffic flowing on a NAT box. Makes no sense to me. I am sure it is possible to do all 2 sub-layer layer 2 filtering (MAC and LLC). So I have just tried what you are willing to get working Lubomir, right no

Re: ipfw with nat - allowing by MAC address

2007-04-22 Thread AT Matik
On Sunday 22 April 2007 07:59, Lubomir Georgiev wrote: > Thanks for the response but I have to disagree with you - I have read the > responses time and time again with great attention, but to no avail. From > what you said I understand that in order to utilize MAC address filtering I > would need

ipfw with nat - allowing by MAC address

2007-04-22 Thread Lubomir Georgiev
Thanks for the response but I have to disagree with you - I have read the responses time and time again with great attention, but to no avail. From what you said I understand that in order to utilize MAC address filtering I would need a managed switch or another box aside from the one that will b

Re: ipfw with nat - allowing by MAC address

2007-04-22 Thread AT Matik
On Sunday 22 April 2007 06:13, Lubomir Georgiev wrote: > As a side note - I had found "sysctl net.link.ether.ipfw=1" and it was > enabled during my endless futile attempts. > I believe that my problem lies in my rules but I can't figure out what's > wrong with them So someone please help. you

ipfw with nat - allowing by MAC address

2007-04-22 Thread Lubomir Georgiev
As a side note - I had found "sysctl net.link.ether.ipfw=1" and it was enabled during my endless futile attempts. I believe that my problem lies in my rules but I can't figure out what's wrong with them So someone please help. -- mEsS wItH tHe bEsT dIE liKe tHe rESt

ipfw with nat - allowing by MAC address

2007-04-21 Thread Lubomir Georgiev
-- Forwarded message -- From: Fratiman Vladut <[EMAIL PROTECTED]> Date: Apr 21, 2007 5:35 PM Subject: Re: ipfw with nat - allowing by MAC address To: [EMAIL PROTECTED] You need to enable layer 2 filtering if u want to block mac address, but is not very useful because can b

Re: ipfw with nat - allowing by MAC address

2007-04-21 Thread Fratiman Vladut
You need to enable layer 2 filtering if u want to block mac address, but is not very useful because can be easy spoofed. sysctl net.link.ether.ipfw=1 To make this change permanently edit /etc/sysctl.conf For more information about bridge read this: http://www.freebsd.org/doc/en_US.ISO8859-1/books

ipfw with nat - allowing by MAC address

2007-04-20 Thread Lubomir Georgiev
you will not have so much luck with this until you are loading the bridge or if_bridge module, on a router this will not work João First, thanks for your response. Second, would you be kind enough to explain why I'd need this module and respectively - how to enable it. -- mEsS wItH tHe b

Fwd: ipfw with nat - allowing by MAC address

2007-04-20 Thread Lubomir Georgiev
you will not have so much luck with this until you are loading the bridge or if_bridge module, on a router this will not work João First, thanks for your response. Second, would you be kind enough to explain why I'd need this module and respectively - how to enable it. -- mEsS wItH tHe b

Re: ipfw with nat - allowing by MAC address

2007-04-20 Thread AT Matik
On Thursday 19 April 2007 18:00, Lubomir Georgiev wrote: > Hi all, > > I've lost 2 nights sleep over this and I still can't get through it! - > Here's the thing : > > I have a FreeBSD box with ipfw and natd running. > My internal ifaces are > internal - xl0 /3com/ - ip 192.168.1.254 > external -

ipfw with nat - allowing by MAC address

2007-04-19 Thread Lubomir Georgiev
Hi all, I've lost 2 nights sleep over this and I still can't get through it! - Here's the thing : I have a FreeBSD box with ipfw and natd running. My internal ifaces are internal - xl0 /3com/ - ip 192.168.1.254 external - fxp0 - 10.11.0.33 ipfw l 00200 skipto 1200 ip from 192.168.1.100 to not