Re: [6.x patchset] Ipfw nat and libalias modules

2007-09-08 Thread Chris Bowman (Home)





On Wed, Sep 05, 2007 at 09:41:50PM -0500, Chris Bowman (Home) wrote:
 
   I was recently testing the in-kernel nat patch, which is an
absolutely wonderful addition in my opinion. I have however run
into one issue, when for example I do the following:


ipfw nat 10 config ip 2.2.2.2


[snip]

Where did you get the 6.x patch? Did you find a tarball around or you 
backported the code from 7.x?


In the first case, that patch is old and buggy, and AFAIK the bug you 
encountered was due to an uninitialized conditional variable.


bye,
P.


  
  I'm having a bit of trouble backporting 7.x to 6.x, 6.2 Release
specifically. Before I continue down this road, in the name of not
re-inventing the wheel twice, does anyone already have a current patch
which will work on 6.2? Thank you!


Chris Bowman


___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Allow only match both mac address and IP address

2007-09-05 Thread Chris Bowman (Home)

Stephen GL wrote:

Hi,

I need help.
I am very new to IPFW. I'm on FreeBSD 6.0.
My job is to pass anyone that has both a valid MAC and IP address.
At the beginning of my rules I check the valid MAC addresses that can get through.
If that passes, the next rule checks the IP address.
If that passes, he/she can get through.

Everything works as expected. My problem is that the above rules don't check
the MAC and IP address pairing. Assume someone spoofs another MAC address: they
can pass by changing the IP address to another's.

Another question: if someone really has both a valid MAC and IP address, but in
fact he/she is a spoofer or man in the middle on the same subnet, how do I
handle this problem? I heard about static ARP tables, but I'm not interested in
setting up that kind of solution. I am thinking about nmap, which can check against
my database of valid Ethernet IDs and the operating system being used. Has anyone
done this kind of solution?

--
Stephen



  


Make sure *net.link.ether.ipfw* is enabled, assuming it is since you 
said you had it partially working.  Then use the following rules as a 
guideline:


-- Outbound Rule --
allow ip from 172.16.100.50 to any MAC any 00:11:22:33:44:55

--Inbound Rule--
allow ip from any to 172.16.100.50  MAC 00:11:22:33:44:55 any

Of course it seems your main concern is allowing people out that are 
indeed authorized, so you could likely make the inbound rule a lot more 
general, something along the lines of:


allow ip from any to 172.16.100.0/24 MAC any any


Hope that helps!

Chris Bowman






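As an added illustration of the pairing approach in the reply above (this is not code from the thread or from the FreeBSD project), the following POSIX shell script generates one outbound and one inbound rule per authorized IP/MAC pair from a constructed table, followed by a layer-2 catch-all deny for the LAN prefix so that an IP packet whose pair is not in the table never reaches the layer-3 pass. It assumes net.link.ether.ipfw=1 as in the reply; the address table, rule numbers and LAN prefix are hypothetical. Note that ipfw's operand order is `MAC dst-mac src-mac`, which is why the host's own MAC appears second in the outbound rule and first in the inbound one, and that the explicit `layer2` keyword keeps the deny rules from also firing on the layer-3 pass.

```shell
#!/bin/sh
# Added example, not from the thread: emit ipfw rules that bind each
# authorized IPv4 address to its MAC address (the approach in the reply).
# Assumes net.link.ether.ipfw=1 so frames are also evaluated at layer 2,
# the only pass where the MAC option has anything to match.
# The table, rule numbers and LAN prefix below are hypothetical.

# Constructed table of authorized "ip mac" pairs, one per line.
PAIRS='172.16.100.50 00:11:22:33:44:55
172.16.100.51 00:11:22:33:44:56'

LAN_NET=172.16.100.0/24

# pair_rules NUM IP MAC
# Prints an outbound and an inbound rule for one pair. ipfw's operand
# order is "MAC dst-mac src-mac", so the host's MAC is the second operand
# when it is the sender and the first when it is the receiver.
pair_rules() {
    printf 'add %s allow ip from %s to any MAC any %s layer2\n' "$1" "$2" "$3"
    printf 'add %s allow ip from any to %s MAC %s any layer2\n' "$(($1 + 1))" "$2" "$3"
}

# gen_ruleset
# Prints the complete rule file: one pair of rules per table entry,
# numbered 1000, 1010, ..., then layer-2 catch-all denies so that an IP
# packet whose IP/MAC pair is not in the table is dropped before it is
# ever seen at layer 3. Only IP is matched here; non-IP frames such as
# ARP fall through to whatever rules follow.
gen_ruleset() {
    n=1000
    printf '%s\n' "$PAIRS" | while read -r ip mac; do
        [ -n "$ip" ] && [ -n "$mac" ] || continue
        pair_rules "$n" "$ip" "$mac"
        n=$((n + 10))
    done
    printf 'add 5000 deny ip from %s to any layer2\n' "$LAN_NET"
    printf 'add 5010 deny ip from any to %s layer2\n' "$LAN_NET"
}

# Load on the firewall (as root) with, for example:
#   gen_ruleset > /tmp/pairing.rules && ipfw -q /tmp/pairing.rules
gen_ruleset
```

The generated file is in the format ipfw accepts when given a file name, so it can be loaded as a unit after the existing rules are flushed. Because the allow rules carry the MAC option they only ever match on the layer-2 pass; a host that spoofs the IP of another entry but keeps its own MAC (or the reverse) matches no allow rule and is dropped by the layer-2 deny, which is the pairing check the original question asked for.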