On 1/13/06, Adriaan Misc <[EMAIL PROTECTED]> wrote:
> > I need to restrict some mac addresses or better allow set of
> > addresses and block others.
> See man brconfig. It even has examples ;)
Jumping in with a somewhat obscure/undocumented feature (at least,
I've never found anything referring to it in this manner): layer-2
filtering on an OpenBSD machine that is not a traditional bridge
(multiple interfaces) appears to be doable with a single-port bridge,
a la:
bash-3.00# brconfig bridge0
bridge0: flags=41<UP,RUNNING>
        Configuration:
                priority 32768 hellotime 2 fwddelay 15 maxage 20
        Interfaces:
                em0 flags=3<LEARNING,DISCOVER>
                        port 1 ifpriority 128 ifcost 55
                        block in on em0 src 00:30:48:74:60:0e
        Addresses (max cache: 100, timeout: 240):
                00:00:5e:00:01:06 em0 1 flags=0<>
                00:00:5e:00:01:07 em0 1 flags=0<>
                00:30:48:74:60:0e em0 1 flags=0<>
bash-3.00# arp -an |grep 00:30:48:74:60:0e
? (10.188.3.4) at 00:30:48:74:60:0e on em0
bash-3.00# ping -c2 10.188.3.4
PING 10.188.3.4 (10.188.3.4): 56 data bytes
--- 10.188.3.4 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
bash-3.00# brconfig bridge0 flushrule em0
bash-3.00# ping -c2 10.188.3.4
PING 10.188.3.4 (10.188.3.4): 56 data bytes
64 bytes from 10.188.3.4: icmp_seq=0 ttl=255 time=0.255 ms
64 bytes from 10.188.3.4: icmp_seq=1 ttl=255 time=0.208 ms
--- 10.188.3.4 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.208/0.231/0.255/0.027 ms
bash-3.00#
Works here, not intended for small children and the elderly, no
implied usability, etc...
--
Jon Simola
Systems Administrator
ABC Communications
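The session above blocks one source MAC; the original question was the inverse, allow a set and block the rest. The following is an added example, not part of Jon's message or of OpenBSD, showing how to build that rule set for the same single-port bridge. It assumes the names from the session (bridge0, member port em0), uses the two 00:00:5e:00:01:xx addresses seen in the address cache as a constructed allowlist, and relies on brconfig(8) trying rules in the order they were added with the first match winning and an unmatched frame being passed, which is why the catch-all block rule is emitted last. The script only prints the brconfig command lines; it does not need to run on the OpenBSD box itself.

```shell
#!/bin/sh
# Added example: generate a first-match brconfig(8) rule set for a
# single-port bridge that passes only an allowlist of source MACs on
# the member interface and blocks every other inbound frame.
# Assumed names: bridge0 and em0 (taken from the session above).

BRIDGE=bridge0
PORT=em0

# Constructed allowlist: the two addresses that were learned on em0 in
# the session above. Replace with the stations you actually trust.
ALLOWED="00:00:5e:00:01:06 00:00:5e:00:01:07"

# mac_ok MAC -> succeeds if MAC is six lowercase hex octets separated
# by colons, the form brconfig prints and accepts. Rejecting anything
# else keeps a typo from turning into a rule that matches nothing.
mac_ok() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# allow_rules PORT MAC... -> one "rule pass in on PORT src MAC" per
# address, then "rule block in on PORT" with no src/dst so it matches
# every remaining inbound frame. Order is the whole point: brconfig
# stops at the first matching rule, so the pass rules must precede
# the catch-all block. Fails (exit 1) on a malformed address.
allow_rules() {
    port=$1
    shift
    for mac in "$@"; do
        mac_ok "$mac" || { echo "allow_rules: bad MAC '$mac'" >&2; return 1; }
        printf 'rule pass in on %s src %s\n' "$port" "$mac"
    done
    printf 'rule block in on %s\n' "$port"
}

# brconfig_cmds -> the same rules prefixed with "brconfig BRIDGE", i.e.
# the exact lines to paste into a root shell on the bridge host.
brconfig_cmds() {
    # $ALLOWED is intentionally unquoted so it splits into one MAC per arg.
    allow_rules "$PORT" $ALLOWED | while read -r rule; do
        printf 'brconfig %s %s\n' "$BRIDGE" "$rule"
    done
}

brconfig_cmds
```

Apply the output from the console rather than over the network: the moment the trailing block rule lands, any station missing from the allowlist, including the one you are logged in from, loses layer-2 reachability to the host, exactly as the ping in the session above stopped the instant the block rule was in place. `brconfig bridge0 flushrule em0` removes the whole set again, as shown above. If the rule set should survive a reboot, the same lines without the `brconfig bridge0` prefix are what hostname.if(5) expects in /etc/hostname.bridge0 after an `add em0` line (that boot-time form is an assumption here; check your release's hostname.if(5) and brconfig(8) before relying on it).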