
List:       freebsd-ipfw
Subject:    Re: mac question
From:       Dancho Penev <dpenev () mail ! bg>
Date:       2003-02-06 22:01:35

On Tue, Feb 04, 2003 at 09:01:00PM +0100, Martin Larsson wrote:
>Subject: mac question
>From: Martin Larsson <sopppp@home.se>
>To: freebsd-ipfw@freebsd.org
>Date: 04 Feb 2003 21:01:00 +0100
>
>hi, dunno if this is the right place to ask but i was wondering why the

The freebsd-questions list is more suitable for this kind of question.

>following lines don't work
>
>${fwcmd} add 200 allow ip from any to any MAC ${oddmac} ${lanmac} in via rl0
>${fwcmd} add 205 allow ip from any to any MAC ${lanmac} ${oddmac} in via rl0
>${fwcmd} add 210 deny ip from any to any MAC any any in via rl0
>
>the two computers are in lan and $lanmac is the server's mac address and
>$oddmac a client.
>
>the last line doesn't seem to block anything.

Did you enable ipfw on layer2?
# sysctl net.link.ether.ipfw=1

And something else: with these rules you will have problems when the server
or client tries to find the mac address of its peer with an arp request. I'd
suggest these rules:

allow all from any to any mac any ${lanmac} layer2 out xmit rl0
allow all from any to any mac any ${oddmac} layer2 in recv rl0
deny all from any to any layer2 via rl0

Note that these rules are for your server, for client you must swap
"out xmit" and "in recv".

>
>Best regards Martin
>
>
>
>
>-- 
>Martin Larsson <sopppp@home.se>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-ipfw" in the body of the message

-- 
Regards,
Dancho Penev

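The rule set from the reply above, written out for both ends of the link, as an added example that is not part of the original thread. The MAC addresses are constructed placeholders, the rule numbers follow Martin's numbering, and `l2_check` assumes a FreeBSD host where the `net.link.ether.ipfw` sysctl exists.

```shell
#!/bin/sh
# Added example, not from the original thread: print the layer2 ipfw rule
# set suggested in the reply, for either the server or the client side.
fwcmd="/sbin/ipfw"
iface="rl0"
lanmac="00:11:22:33:44:55"   # server's NIC (constructed placeholder)
oddmac="66:77:88:99:aa:bb"   # client's NIC (constructed placeholder)

# Layer2 rules only see frames when net.link.ether.ipfw=1 (FreeBSD only).
l2_check() {
  v=$(sysctl -n net.link.ether.ipfw 2>/dev/null) || {
    echo "net.link.ether.ipfw not available on this host" >&2; return 1; }
  [ "$v" = "1" ] || {
    echo "layer2 filtering is off: sysctl net.link.ether.ipfw=1" >&2; return 1; }
  echo "layer2 filtering enabled"
}

# l2_rules server|client: ipfw's MAC syntax is "MAC dst src", so
# "mac any $lanmac" matches frames whose source is the server. On the
# server those frames leave the box (out xmit) and the client's frames
# arrive (in recv); on the client the two direction clauses are swapped,
# which is the only change the reply calls for.
l2_rules() {
  case "$1" in
    server) dir_lan="out xmit"; dir_odd="in recv" ;;
    client) dir_lan="in recv";  dir_odd="out xmit" ;;
    *) echo "usage: l2_rules server|client" >&2; return 1 ;;
  esac
  echo "$fwcmd add 200 allow all from any to any mac any $lanmac layer2 $dir_lan $iface"
  echo "$fwcmd add 205 allow all from any to any mac any $oddmac layer2 $dir_odd $iface"
  # "all" rather than "ip" in the two allow rules is what keeps ARP between
  # the pair working; every other frame on the wire is dropped here.
  echo "$fwcmd add 210 deny all from any to any layer2 via $iface"
}

# Usage: sh l2rules.sh server   (or client); pipe the output into sh to apply.
if [ "$#" -ge 1 ]; then l2_rules "$1"; fi
```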