ipfw2 in 5.2.1

Chris Martin outsidefactor at iinet.net.au
Tue Sep 7 09:40:22 PDT 2004


G'day.

> 
> hi - this is my first post to this list so go easy on me !

Welcome.

> I am trying to
> find info on using ipfw2 with freebsd 5.2.1 as I have read that it
> supports MAC address based firewalling. 

The ipfw manpage has this to say:

{ MAC | mac } dst-mac src-mac
             Match packets with a given dst-mac and src-mac addresses,
             specified as the any keyword (matching any MAC address), or six
             groups of hex digits separated by colons, and optionally followed
             by a mask indicating the significant bits.  The mask may be
             specified using either of the following methods:

             1.      A slash (/) followed by the number of significant bits.
                     For example, an address with 33 significant bits could
                     be specified as:

                           MAC 10:20:30:40:50:60/33 any

             2.      An ampersand (&) followed by a bitmask specified as six
                     groups of hex digits separated by colons.  For example,
                     an address in which the last 16 bits are significant
                     could be specified as:

                           MAC 10:20:30:40:50:60&00:00:00:00:ff:ff any

                     Note that the ampersand character has a special meaning
                     in many shells and should generally be escaped.

             Note that the order of MAC addresses (destination first, source
             second) is the same as on the wire, but the opposite of the one
             used for IP addresses.

e.g.:

00500    0      0 allow ip from any to any MAC 00:30:4f:27:0e:1a any via ath1
00501    0      0 allow ip from any to any MAC any 00:30:4f:27:0e:1a via ath1
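As an added illustration of the matching semantics the manpage excerpt describes (this is not code from the post or from FreeBSD's ipfw, just a Python re-implementation of the rule syntax), the script below parses the three operand forms (any, exact address, /bits prefix, &bitmask) and evaluates a `MAC dst-mac src-mac` clause against a frame, keeping the on-the-wire order of destination first and source second. The frame addresses other than the 00:30:4f:27:0e:1a from the rules above are constructed values.

```python
"""Evaluate ipfw2-style `MAC dst-mac src-mac` clauses against Ethernet frames.

Added example, not the mailing-list author's code nor FreeBSD's ipfw source.
It mirrors the operand forms documented in ipfw(8): `any`, an exact address,
`addr/NN` (first NN bits significant) and `addr&mask` (bits set in the mask
are significant). Frame addresses below are constructed for illustration.
"""
import re

MAC_BITS = 48
ALL_ONES = (1 << MAC_BITS) - 1
_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def mac_to_int(text):
    """Convert 'aa:bb:cc:dd:ee:ff' (any case) into a 48-bit integer."""
    text = text.lower()
    if not _MAC_RE.match(text):
        raise ValueError("bad MAC address: %r" % text)
    return int(text.replace(":", ""), 16)


def parse_mac_spec(spec):
    """Parse one MAC operand into (address, mask) as 48-bit integers.

    any            -> (0, 0): every address matches
    addr           -> all 48 bits significant
    addr/NN        -> the first NN bits are significant
    addr&mask      -> bits set in the mask are significant
    The returned address is already masked so comparisons are direct.
    """
    if spec.lower() == "any":
        return 0, 0
    if "/" in spec:
        addr, bits = spec.split("/", 1)
        bits = int(bits)
        if not 0 <= bits <= MAC_BITS:
            raise ValueError("prefix length out of range: %r" % spec)
        mask = ALL_ONES ^ ((1 << (MAC_BITS - bits)) - 1)
        return mac_to_int(addr) & mask, mask
    if "&" in spec:
        addr, mask_text = spec.split("&", 1)
        mask = mac_to_int(mask_text)
        return mac_to_int(addr) & mask, mask
    return mac_to_int(spec), ALL_ONES


def mac_matches(spec, address):
    """True when the frame address satisfies one operand of the MAC clause."""
    want, mask = parse_mac_spec(spec)
    return (mac_to_int(address) & mask) == want


def rule_matches_frame(dst_spec, src_spec, frame_dst, frame_src):
    """Evaluate `MAC dst-mac src-mac`: destination first, as on the wire."""
    return mac_matches(dst_spec, frame_dst) and mac_matches(src_spec, frame_src)


def parse_mac_rule(rule):
    """Pull the two operands following the MAC keyword out of ipfw rule text."""
    tokens = rule.split()
    for i, tok in enumerate(tokens):
        if tok.lower() == "mac":
            if i + 2 >= len(tokens):
                raise ValueError("MAC keyword needs two operands")
            return tokens[i + 1], tokens[i + 2]
    raise ValueError("no MAC clause in rule: %r" % rule)


if __name__ == "__main__":
    laptop = "00:30:4f:27:0e:1a"          # the host from the example rules
    gateway = "02:00:00:00:00:01"         # constructed sample address
    rules = [
        "allow ip from any to any MAC 00:30:4f:27:0e:1a any via ath1",
        "allow ip from any to any MAC any 00:30:4f:27:0e:1a via ath1",
    ]
    frames = [("to laptop", laptop, gateway), ("from laptop", gateway, laptop)]
    for rule in rules:
        dst_spec, src_spec = parse_mac_rule(rule)
        for label, fdst, fsrc in frames:
            hit = rule_matches_frame(dst_spec, src_spec, fdst, fsrc)
            print("%-12s %-5s %s" % (label, hit, rule))
```

Two points worth keeping in mind when reading the output: the /33 and &mask forms only compare the bits the mask selects, so `10:20:30:40:50:60/33` matches any address whose first four octets are 10:20:30:40 and whose fifth octet has its high bit clear, and the MAC header is set by the sending host, so a MAC-based rule scopes traffic to an address rather than authenticating a machine. On FreeBSD of that era, layer-2 frames are only handed to ipfw when the sysctl net.link.ether.ipfw is set to 1, so check that before concluding a MAC rule is not matching.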


> I cannot find a lot of info on google on compiling the kernal for ipfw2,
> and their is no man page for ipfw2 only ipfw.


If you compile ipfw on 5.x it is ipfw2.

In the ipfw manpage:

         NOTE: this manual page documents the newer version of ipfw introduced
         in FreeBSD CURRENT in July 2002, also known as ipfw2.  ipfw2 is a
         superset of the old firewall, ipfw1.  The differences between the two
         are listed in Section IPFW2 ENHANCEMENTS, which you are encouraged to
         read to revise older rulesets and possibly write them more
         efficiently.  See Section USING IPFW2 IN FreeBSD-STABLE for
         instructions on how to run ipfw2 on FreeBSD STABLE.


This is a good start:

http://www.au.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

This is an OK set of more advanced rules (though they assume you have static
addresses):

http://www.acme.com/firewall.html

Hope that helps!
