
List:       freebsd-ipfw
Subject:    Re: Translate MAC address to IP address
From:       Jon Simola <jon () abccom ! bc ! ca>
Date:       2003-12-08 23:02:43

On Mon, 8 Dec 2003, The Jetman wrote:

> Mike:  Am I mistaken, or can MAC-oriented IPFW2 rules be used alongside
> IP-oriented rules?  I ask because I set up a very simple script that would filter
> all but a couple of MAC addrs, then forward incoming IPs to an internal web
> site.  I *thought* I tried all of the reasonable combinations, but I TOO
> would like to know more about this.  That is, I can filter certain MAC addrs
> *OR* I can filter/forward certain IPs, but I can't do both in the same IPFW
> script.  Later....Jet

From my current ruleset:

00007 deny ip from any to any MAC 00:40:05:2f:03:40 any not mac-type 0x0800
00007 deny ip from any to any MAC any 00:40:05:2f:03:40 not mac-type 0x0800 // MAC conflicting with 208.181.67.113
00011 allow ip from any to any layer2 not mac-type 0x0800 // allow ARP
00017 deny ip from any to any MAC 00:40:05:2f:03:40 any
00017 deny ip from any to any MAC any 00:40:05:2f:03:40 // MAC conflicting with 208.181.67.113
00023 deny icmp from 208.181.67.238 to any // mass pings
00030 deny ip from 208.181.165.59 to any // request for cancelled customer
00030 deny ip from any to 208.181.165.59

I've also in the past used rules specifying both the IP and MAC to disable
customers using the wrong IP, but the MAC address filtering just shuts
down their machine entirely.

Rule 7 denies ARP through the bridge for that MAC address, and rule 17
denies all other traffic. I have both so that customers can't poison ARP
caches (7), and to make the block happen instantaneously (17).

---
Jon Simola <jon@abccom.bc.ca> | "In the near future - corporate networks
    Systems Administrator     |  reach out to the stars, electrons and light
     ABC  Communications      |  flow throughout the universe." -- GITS

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
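The two techniques Jon describes, cutting one MAC off entirely (ARP first, then IP) and pinning a customer's MAC to its assigned IP, written out as an sh script that emits the ipfw2 rules and, when run as `./mac-rules.sh apply`, loads them. This is an added example, not code from the original post or from the FreeBSD project. It assumes a FreeBSD bridge with `net.link.ether.bridge_ipfw=1` so that ipfw sees layer-2 frames, an ipfw2 binary at /sbin/ipfw, and a constructed second customer (MAC 00:40:05:2f:03:41, IP 208.181.67.114) for the pinning rules; the first MAC and IP are the ones from Jon's ruleset. Note that ipfw2 writes the MAC option as `MAC dst-mac src-mac`, so each block needs one rule per direction.

```shell
#!/bin/sh
# Added example (not from the original post): ipfw2 rules for a bridge that
# (a) shut one MAC off completely and (b) bind another MAC to its assigned IP.
# Needs net.link.ether.bridge_ipfw=1 on the bridge host. Run with "apply" to
# load the rules; any other invocation just prints them.

IPFW="${IPFW:-/sbin/ipfw}"          # assumption: ipfw2 lives here

# Emit the rules that cut $1 (a MAC) off entirely, in the order Jon's ruleset
# uses: first its non-IP frames (ethertype != 0x0800, i.e. ARP) at rule $2 so
# it cannot poison neighbours' ARP caches, then every IP frame at rule $3.
# The ARP deny must come before the general "allow ARP" rule.
block_mac() {
    mac="$1"; arp_rule="$2"; ip_rule="$3"
    printf '%s deny ip from any to any MAC %s any not mac-type 0x0800\n' "$arp_rule" "$mac"
    printf '%s deny ip from any to any MAC any %s not mac-type 0x0800\n' "$arp_rule" "$mac"
    printf '%s deny ip from any to any MAC %s any\n' "$ip_rule" "$mac"
    printf '%s deny ip from any to any MAC any %s\n' "$ip_rule" "$mac"
}

# Emit the rules that pin $1 (a MAC) to $2 (its IP) at rule $3: IP frames
# leaving that MAC with another source address, or arriving for that MAC with
# another destination address, are dropped. Placed after the ARP allow, so
# non-IP frames never reach them.
pin_mac_to_ip() {
    mac="$1"; ip="$2"; base="$3"
    printf '%s deny ip from not %s to any MAC any %s // %s must use %s\n' "$base" "$ip" "$mac" "$mac" "$ip"
    printf '%s deny ip from any to not %s MAC %s any // %s must use %s\n' "$base" "$ip" "$mac" "$mac" "$ip"
}

# The complete ruleset, one "ipfw add" argument list per line.
ruleset() {
    block_mac 00:40:05:2f:03:40 7 17          # MAC from Jon's ruleset
    echo '11 allow ip from any to any layer2 not mac-type 0x0800 // allow ARP'
    pin_mac_to_ip 00:40:05:2f:03:41 208.181.67.114 20   # constructed customer
}

# Load every rule; the comment after "//" is kept by ipfw as the rule comment.
apply_ruleset() {
    ruleset | while IFS= read -r rule; do
        # shellcheck disable=SC2086   # word-splitting $rule into argv is intended
        $IPFW add $rule
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
else
    ruleset
fi
```

Rule numbers are given explicitly so the order (per-MAC ARP deny, general ARP allow, per-MAC IP deny, MAC/IP pins) survives regardless of the order in which `ipfw add` is called; with `ipfw list` the loaded rules read back in the same numbering as Jon's.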

