Hi Brian, Thanks for your care. Excuse me, for my English is not that good; I am from Singapore :)

I want to create a white list of MAC addresses. Only the machines whose MAC is in the white list will be allowed; all others will be blocked. Thanks

On Mon, Jun 11, 2012 at 11:21 AM, Brian W. <br...@brianwhalen.net> wrote:
> I would ask what problem do you want to solve here; is it preventing a
> user just from getting out unless they are using their assigned address, or
> something else?
> On Jun 10, 2012 8:16 PM, "Bill Yuan" <byc...@gmail.com> wrote:
>
>> Hi Ian,
>>
>> Thanks for your reply. I am reading some old emails which you sent in 2008,
>> in which someone else asked the same question as mine.
>>
>>
>> On Mon, Jun 11, 2012 at 1:53 AM, Ian Smith <smi...@nimnet.asn.au> wrote:
>>
>> > In freebsd-questions Digest, Vol 418, Issue 18, Message: 1
>> > On Sun, 10 Jun 2012 17:43:39 +0800 Bill Yuan <byc...@gmail.com> wrote:
>> >
>> > > how to allow by MAC in ipfw
>> > >
>> > > currently I set the rules like below
>> > >
>> > > 1 allow ip from any to any MAC any to <MAC Address 1>
>> > > 1 allow ip from any to any MAC <MAC Address 1> any
>> > > 2 deny all from any to any
>> > >
>> > > I want to only allow the MAC address to go through the FreeBSD firewall,
>> > >
>> > > but I found it is not working on my FreeBSD but it works on pfSense!
>> > >
>> > > so maybe that means the environment is not the same? And how to set up
>> > > ipfw properly to support this?
>> >
>> > Bill, you did get some good clues in the earlier thread, but it's not
>> > clear if you took note of them. There's also been some confusion ..
>> >
>> > Firstly, read up on layer2 (ethernet, MAC-level) filtering options in
>> > ipfw(8). Thoroughly, several times, until you've got it. Seriously.
>> >
>> > After enabling sysctl net.link.ether.ipfw=1 (add it to /etc/sysctl.conf)
>> > ipfw will be invoked 4 times instead of the normal 2, on every packet.
>> >
>> > Read carefully ipfw(8) section 'PACKET FLOW', and see that only on the
>> > inbound pass invoked from ether_demux() and the outbound pass invoked
>> > from ether_output_frame() can you test for MAC addresses (or mac-types);
>> > the 'normal' layer3 passes examine packets that have no layer2 headers.
>> >
>> > You could just add 'layer2' to any rules filtering on MAC addresses, and
>> > omit MAC addresses from all layer 3 (IP) rules, but I'd recommend using
>> > a method like shown there to separate layer2 and layer3 flows early on:
>> >
>> > # packets from ether_demux
>> > ipfw add 10 skipto 1000 all from any to any layer2 in
>> > # packets from ip_input
>> > ipfw add 10 skipto 2000 all from any to any not layer2 in
>> > # packets from ip_output
>> > ipfw add 10 skipto 3000 all from any to any not layer2 out
>> > # packets from ether_output_frame
>> > ipfw add 10 skipto 4000 all from any to any layer2 out
>> >
>> > So at (eg) 1000 and 4000 place your incoming and outgoing MAC filtering
>> > rules (remembering the reversed order of MAC addresses vs IP addresses,
>> > and to allow broadcasts as well), pass good guys and/or block bad guys,
>> > then deal with your normal IPv4|v6 traffic in a separate section(s).
>> >
>> > Or you could just split the flows into two streams, one for layer2 for
>> > your MAC filtering, the other for layer3, ie the rest of your ruleset.
>> >
>> > HTH, Ian [please cc me on any reply]
>> >
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "
>> freebsd-questions-unsubscr...@freebsd.org"
>>
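The ruleset Ian sketches, filled out into the complete MAC whitelist Bill asks for. This is an added example, not code from Ian, Bill or the FreeBSD project: the two MAC addresses are constructed placeholders, the `IPFW` dry-run variable and the `WHITELIST`/`emit`/`build_ruleset` names are this example's own conventions, and the layer3 sections at 2000 and 3000 are left as pass-all placeholders where the real IP policy belongs. It assumes `net.link.ether.ipfw=1` is set, as Ian says, and prints the `ipfw` commands instead of loading them unless run with `IPFW=ipfw`.

```shell
#!/bin/sh
# Added example, not from the thread: a MAC whitelist for FreeBSD ipfw built
# on the layer2/layer3 split described above. MAC addresses are constructed
# placeholders. Dry run by default; run with IPFW=ipfw to load the rules.
# Prerequisite: sysctl net.link.ether.ipfw=1 (and in /etc/sysctl.conf).

IPFW="${IPFW:-echo ipfw}"

# Constructed whitelist, one MAC per word. Replace with the permitted hosts.
WHITELIST="00:11:22:33:44:55 66:77:88:99:aa:bb"

emit() {
    # IPFW is deliberately unquoted: in dry-run mode it is two words.
    $IPFW add "$@"
}

build_ruleset() {
    # The four entry points from ipfw(8) 'PACKET FLOW': ether_demux,
    # ip_input, ip_output, ether_output_frame. Later rules are reached
    # only through these skiptos.
    emit 10 skipto 1000 all from any to any layer2 in
    emit 10 skipto 2000 all from any to any not layer2 in
    emit 10 skipto 3000 all from any to any not layer2 out
    emit 10 skipto 4000 all from any to any layer2 out

    # 1000-1099: inbound frames. The MAC option is "MAC dst src", the
    # reverse of IP order, so a permitted sender matches "MAC any <mac>".
    # Broadcast must pass or ARP requests never reach the box.
    emit 1000 allow all from any to any MAC ff:ff:ff:ff:ff:ff any layer2 in
    for mac in $WHITELIST; do
        emit 1010 allow all from any to any MAC any "$mac" layer2 in
    done
    emit 1090 deny all from any to any layer2 in

    # 4000-4099: outbound frames. Here the permitted host is the destination.
    emit 4000 allow all from any to any MAC ff:ff:ff:ff:ff:ff any layer2 out
    for mac in $WHITELIST; do
        emit 4010 allow all from any to any MAC "$mac" any layer2 out
    done
    emit 4090 deny all from any to any layer2 out

    # 2000/3000: ordinary layer3 policy, with no MAC options at all, since
    # these passes see no ethernet header. Placeholders only:
    emit 2000 allow ip from any to any
    emit 3000 allow ip from any to any
}

build_ruleset
```

Two things to check before loading this for real. The inbound deny at 1090 also drops multicast frames (IPv4 multicast uses 01:00:5e:..., IPv6 neighbour discovery uses 33:33:...), so an IPv6 network needs an extra allow for those destinations or the whitelisted hosts will lose address resolution. And a frame accepted at layer2 is still examined again on the layer3 pass, so the sections at 2000 and 3000 are where the usual IP rules go; putting MAC options there matches nothing, which is exactly the symptom in the original question.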