MAC locking and filtering in FreeBSD
Ian Smith
smithi at nimnet.asn.au
Thu May 14 06:53:31 UTC 2009
On Wed, 13 May 2009, Brett Glass wrote:
> I need to find a way to do "MAC address locking" in FreeBSD -- that is, to
> ensure that only a machine with a particular MAC address can use a particular
> IP address. Unfortunately, it appears that rules in FreeBSD's IPFW are
> "stuck" on one layer: rules that look at Layer 2 information in a packet
> can't look at Layer 3, and vice versa. Is there a way to work around this to
> do MAC address locking and/or other functions that involve looking at Layer 2
> and Layer 3 simultaneously?
You can use fixed leases with MAC specified in dhcp for that, with or
without specifying a range of addresses available to boxes with unknown
MACs. An org I'm working for uses just that method to good effect.

You can also specify a different (e.g.) router address for non-fixed
leases, towards your 'captive portal' requirement for new boxes.

Re ipfw(8), I'm not clear on what your problem is: the section PACKET
FLOW shows clearly how to distinguish layer 2 from layer 3 traffic.
Your 'vice versa' here isn't correct; you can select by layer 3 criteria
on packets from ether_demux, though of course once (or if) they get to
re-enter the firewall at layer 3 (from ip_input) you can't see/test MAC
addresses anymore. 'simultaneously' isn't really the case then; clearly
the layer 2 pass occurs first on input, and last on output.

cheers, Ian
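As an added example (not from Ian's message or from any FreeBSD or ISC project code), here is an ISC dhcpd.conf fragment implementing the fixed-lease scheme he describes: MAC-keyed fixed addresses, a pool refused to unregistered MACs, and a separate pool with a different router for unknown boxes. The subnet 192.0.2.0/24, the MAC addresses and the host names are constructed placeholders.

```conf
# Added example (not from the original thread): ISC dhcpd.conf fragment.
# All addresses, MACs and names below are constructed placeholders.
authoritative;
default-lease-time 3600;
max-lease-time 86400;

subnet 192.0.2.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.0.2.255;

    # Production pool: only MACs that appear in a host declaration below
    # ("known clients") may take an address from this range.
    pool {
        deny unknown-clients;
        range 192.0.2.100 192.0.2.149;
        option routers 192.0.2.1;           # real gateway
    }

    # Pool for unregistered MACs: a separate address range and a different
    # default router, so new boxes land on the captive-portal gateway
    # instead of the production one.
    pool {
        allow unknown-clients;
        range 192.0.2.200 192.0.2.250;
        option routers 192.0.2.254;         # captive portal box
    }
}

# Fixed lease: this MAC always receives this IP and never draws from a pool.
host ws01 {
    hardware ethernet 00:11:22:33:44:55;    # placeholder MAC
    fixed-address 192.0.2.10;
}

# Known client without a fixed address: the host declaration alone makes
# the MAC "known", so it is served from the production pool above.
host ws02 {
    hardware ethernet 00:11:22:33:44:66;    # placeholder MAC
}
```

DHCP only hands out the binding; a box that configures a static address itself bypasses it, so the layer 2 ipfw pass Ian mentions (matching source MAC against IP on packets coming from ether_demux) is what actually enforces the lock.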