Yeah! People, we can congratulate ourselves! We've done it! With a few modifications I've finally found the smallest working MAC-filtered NAT system. So here's what I ended up with - I'm including the queues just for the entirety of the ruleset; they have nothing to do with the filtering.
    00100 allow ip from any to me not dst-port 8668 via xl0
    00101 allow ip from me not 8668 to any via xl0
    00300 allow ip from any to any { MAC 00:19:d2:36:b8:48 any or MAC any 00:19:d2:36:b8:48 } layer2
    00800 deny log logamount 200 ip from any to any MAC any any layer2 via xl0
    01203 divert 8668 ip from 192.168.1.0/24 to any out via fxp0
    01205 divert 8668 ip from any to me in via fxp0
    01250 queue 1 ip from any to any src-port 80 not layer2 via fxp0
    01251 queue 1 ip from any to any dst-port 80 not layer2 via fxp0
    01300 queue 2 ip from any to any not src-port 80 not layer2 via fxp0
    01500 allow ip from any to any
    65535 deny ip from any to any

Just one note - when I first reached this conclusion I had two very strange *blackouts*. It was as if rules 100 and 101 just suddenly stopped working and I was locked out of the box, e.g. I couldn't ssh in, although the diverting still worked - I could ping hosts on the Internet. It seems to be fine now, and once I gain some knowledge I'm probably going to expand this ruleset, but for now I've accomplished my goal! I have all of you to thank for that! Even though it wasn't easy /mostly because of my ignorance, I'm sure/ you pulled me through. Respect.

One last request - if someone happens to have some free time and wishes to donate it to me, I'd really like to better understand the whole *layer* thing. I have searched the Internet for answers on this as well as read the ipfw man page, but I can't really understand it.

\/ Peace.

--
mEsS wItH tHe bEsT dIE liKe tHe rESt

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
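As an added illustration of the "layer" question (this is example code, not part of the post): with net.link.ether.ipfw=1 every packet walks the ruleset twice, once as an Ethernet frame (where `layer2` and `MAC` options can match) and once as an IP packet, and the model below replays the posted rules for both passes. The addresses standing in for `me`, the interface roles (xl0 as the MAC-filtered LAN side, fxp0 as the NAT side), the sample frames, and the treatment of divert as non-matching on the Ethernet pass are assumptions. It also makes visible that rules 100 and 101 carry no `layer2` or MAC condition, so they match on the Ethernet pass as well and accept a frame from an unknown MAC as long as it is addressed to the box itself.

```python
from types import SimpleNamespace as NS
ME = {"192.168.1.1", "203.0.113.5"}   # constructed: the box's own addresses ("me")
TRUSTED_MAC = "00:19:d2:36:b8:48"       # the MAC from the posted ruleset
LAN = "192.168.1."                      # 192.168.1.0/24

def pkt(**fields):
    """A packet as ipfw sees it on one pass; layer2=True is the Ethernet pass."""
    base = dict(layer2=True, sport=0, dport=0, src_mac="", dst_mac="")
    return NS(**{**base, **fields})

def alter(p, **fields): return NS(**{**vars(p), **fields})

# (rule number, action, match) in the order ipfw walks them.  Rules without the
# "layer2" keyword or MAC options match on BOTH passes (100, 101, 1500); "layer2"
# restricts a rule to the Ethernet pass and "not layer2" to the IP pass.  Divert is
# assumed not to match while an Ethernet frame is being handled ("not p.layer2").
RULES = [
    (100, "allow", lambda p: p.dst in ME and p.dport != 8668 and p.iface == "xl0"),
    (101, "allow", lambda p: p.src in ME and p.sport != 8668 and p.iface == "xl0"),
    (300, "allow", lambda p: p.layer2 and TRUSTED_MAC in (p.src_mac, p.dst_mac)),
    (800, "deny", lambda p: p.layer2 and p.iface == "xl0"),
    (1203, "divert 8668", lambda p: not p.layer2 and p.iface == "fxp0" and p.direction == "out" and p.src.startswith(LAN)),
    (1205, "divert 8668", lambda p: not p.layer2 and p.iface == "fxp0" and p.direction == "in" and p.dst in ME),
    (1250, "queue 1", lambda p: not p.layer2 and p.sport == 80 and p.iface == "fxp0"),
    (1251, "queue 1", lambda p: not p.layer2 and p.dport == 80 and p.iface == "fxp0"),
    (1300, "queue 2", lambda p: not p.layer2 and p.sport != 80 and p.iface == "fxp0"),
    (1500, "allow", lambda p: True),
    (65535, "deny", lambda p: True),
]

def first_match(p):
    """Number and action of the first matching rule; every action here ends the search."""
    return next((num, act) for num, act, match in RULES if match(p))

def evaluate(p):
    """Both passes: Ethernet then IP for inbound, IP then Ethernet for outbound; a deny ends it."""
    results = []
    for l2 in ([True, False] if p.direction == "in" else [False, True]):
        hit = first_match(alter(p, layer2=l2))
        results.append(("layer2" if l2 else "layer3", hit))
        if hit[1] == "deny":
            break
    return results

# Constructed frames arriving on xl0, the MAC-filtered LAN side.
TRUSTED_WEB = pkt(iface="xl0", direction="in", src="192.168.1.10", dst="198.51.100.7",
                  sport=40000, dport=80, src_mac=TRUSTED_MAC, dst_mac="00:00:00:00:00:01")
ROGUE_WEB = alter(TRUSTED_WEB, src_mac="00:00:00:00:00:02")   # unknown MAC, same flow
ROGUE_SSH = alter(ROGUE_WEB, dst="192.168.1.1", dport=22)     # unknown MAC, to the box itself
```

Call `evaluate()` on each sample frame to see which rule fires on which pass; the ROGUE_SSH case is the one worth looking at before trusting the MAC filter for the box's own services.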