Yeah! People, we can congratulate ourselves! We've done it! With a few
modifications I've finally found the smallest working MAC filtered NAT
system. So here's what I ended up with - I'm including the queues just for
the entirety of the ruleset, they have nothing to do with the filtering.

00100 allow ip from any to me not dst-port 8668 via xl0
00101 allow ip from me not 8668 to any via xl0
00300 allow ip from any to any { MAC 00:19:d2:36:b8:48 any or MAC any 00:19:d2:36:b8:48 } layer2
00800 deny log logamount 200 ip from any to any MAC any any layer2 via xl0
01203 divert 8668 ip from 192.168.1.0/24 to any out via fxp0
01205 divert 8668 ip from any to me in via fxp0
01250 queue 1 ip from any to any src-port 80 not layer2 via fxp0
01251 queue 1 ip from any to any dst-port 80 not layer2 via fxp0
01300 queue 2 ip from any to any not src-port 80 not layer2 via fxp0
01500 allow ip from any to any
65535 deny ip from any to any


Just one note - when I first reached this conclusion I had two very
strange *blackouts*. As if the 100 and 101 rules just suddenly stopped
working and I was locked out of the box, e.g. I couldn't ssh in, although the
diverting still worked - I could ping hosts on the Internet. It seems to be
fine now and once I gain some knowledge I'm probably going to expand this
ruleset, but for now I've accomplished my goal!

 I have all of you to thank for that! Even though it wasn't easy /mostly
because of my ignorance I'm sure/ you pulled me through.


 Respect.




 One last request - if someone happens to have some free time and wishes to
donate it to me I'd really like to better understand the whole *layer*
thing. I have searched the Internet for answers on this as well as read the
ipfw man page, but I can't really understand it.

 \/  Peace.
--
mEsS wItH tHe bEsT
dIE liKe tHe rESt
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
