Hello Jon,

Tuesday, July 5, 2005, 9:18:20 PM, you wrote:

> On 7/5/05, vladone <[EMAIL PROTECTED]> wrote:
>> I want to permit only a few MAC addresses to pass on my gateway.
> MAC filtering is done at layer 2, so you need to allow ipfw access to
> the layer 2 packets via
>
> sysctl -w net.link.ether.ipfw=1
>
> And you may desire rules to only allow arp from certain machines, like:
>
> allow ip from any to any mac-type 0x0806 MAC any 00:11:22:33:44:55 in recv fxp1 layer2
>
> And traffic, like:
>
> allow ip from any to any MAC any 00:11:22:33:44:55 in recv fxp1 layer2
>
> Because you're going to have packets traversing ipfw up to 4 times
> (layer2 in, layer3 in, layer3 out, layer2 out) you might want to split
> your firewall rules for efficiency, something like:
>
> 50 skipto 10000 ip from any to any in recv fxp1 not layer2 // ip traffic inbound fxp1
> 60 skipto 12000 ip from any to any in recv fxp0 not layer2 // ip traffic inbound fxp0
> 70 skipto 14000 ip from any to any in recv fxp1 layer2 // ether traffic inbound fxp1
> 80 skipto 16000 ip from any to any in recv fxp0 layer2 // ether traffic inbound fxp0
>
> I've done similar things in the past. Hopefully this gives you some ideas.

Thanks! Now it seems to be ok. But I don't know how mac-type works. I see different addresses passed as parameter, like: mac-type 0x809b or mac-type 0x80f3 or mac-type 0x0023 ....

--
Best regards,
vladone mailto:[EMAIL PROTECTED]

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
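What `mac-type` compares is the 16-bit EtherType field that follows the two MAC addresses in the Ethernet header (0x0806 is ARP, 0x0800 IPv4, 0x809b and 0x80f3 are the AppleTalk and AppleTalk ARP types), and `MAC any <src>` checks the source address with the destination wildcarded. The script below is an added illustration, not code from this thread or from ipfw: it parses that header from a constructed frame and mimics the decision a rule such as `allow ip from any to any mac-type 0x0806 MAC any 00:11:22:33:44:55 in layer2` makes; the MAC addresses and frames are made up.

```python
import struct

# Well-known EtherType values (IANA registry); these are the numbers that
# ipfw's "mac-type" keyword compares against.
ETHERTYPE_NAMES = {
    0x0800: "IPv4",
    0x0806: "ARP",
    0x809B: "AppleTalk",
    0x80F3: "AppleTalk ARP (AARP)",
    0x86DD: "IPv6",
}

def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def mac_to_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))

def parse_ethernet_header(frame: bytes):
    """Return (dst_mac, src_mac, ethertype) from a raw Ethernet II frame.
    The type field is the 16-bit big-endian value right after the two
    6-byte addresses; values below 0x0600 are an IEEE 802.3 length, not a
    type, so not every number seen in a rule names a protocol.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return mac_to_str(dst), mac_to_str(src), etype

def layer2_allowed(frame: bytes, allowed_src_macs, allowed_types=None) -> bool:
    """Mimic "allow ... [mac-type T] MAC any <src> in layer2".

    ipfw's "MAC dst src" lists the destination first, and "any" wildcards
    it, so only the source MAC is checked here. When allowed_types is None
    the rule has no mac-type clause and every EtherType matches.
    """
    _, src, etype = parse_ethernet_header(frame)
    if src not in {m.lower() for m in allowed_src_macs}:
        return False
    return allowed_types is None or etype in allowed_types

def build_frame(dst: str, src: str, etype: int, payload: bytes = b"") -> bytes:
    """Build a minimal Ethernet II frame (constructed test input)."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", etype) + payload

if __name__ == "__main__":
    arp = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806)
    print(parse_ethernet_header(arp), layer2_allowed(arp, ["00:11:22:33:44:55"], {0x0806}))
```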
