
Re: security at mac address level

On Fri, 28 Mar 2003, Doros Eracledes wrote:
> Is there a way to make sure that only requests
> from specific MAC addresses can access my
> pf protected database server?
> Maybe, if it's not possible using pf, I could use a level 1 switch?
pf(4) filters at layer 2 (IP) and 3 (TCP, UDP, ...). If you want to filter
at Ethernet level, you should use a bridge(4). brconfig(8) has a similar
syntax to pf. Read the manual:
   rule [rulespec]
         Add a filtering rule to an interface.  Rules have a similar
         syntax to pf(4). Rules can be used to selectively block or pass
         frames based on Ethernet MAC address.  Rules are processed in the
         order in which they were added to the interface, and the first
         rule matched takes the action (block or pass) of the rule. If no
         source or destination address is specified, the rule will match
         all frames (good for creating a catchall policy).
   rulefile filename
         Load a set of rules from the file filename.
   # brconfig bridge0 rule pass in on fxp0 src 0:1:2:3:4:5 dst 5:4:3:2:1:0
   # brconfig bridge0 rule pass out on fxp0 src 5:4:3:2:1:0 dst 0:1:2:3:4:5
   # brconfig bridge0 rule block in on fxp0
   # brconfig bridge0 rule block out on fxp0
         The above commands will set up a filter so that 0:1:2:3:4:5 can
         send frames through fxp0 only to 5:4:3:2:1:0, and 5:4:3:2:1:0 can
         return frames through fxp0 to 0:1:2:3:4:5.  All other traffic
         trying to go into and be sent from fxp0 will be blocked.
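The manual excerpt shows the rule set for a single client. The script below is an added example (not part of the original mail, and not OpenBSD's own code) that generates the same pass/block pattern for a whole list of allowed client MACs and emits it in rulefile form, so the ordering rule from the manual (pass rules first, catchall block rules last, first match wins) is produced consistently rather than typed by hand. It assumes the bridge member interface is fxp0, the database server's MAC is 5:4:3:2:1:0, the client MACs are the constructed ones in ALLOWED_CLIENTS, and that a rulefile holds one rule per line written with the same words that follow "rule" on the brconfig command line.

```shell
#!/bin/sh
# Added example: build a brconfig(8) bridge rule file that allows only a fixed
# set of client MACs to exchange Ethernet frames with the database server MAC
# through one bridge interface, and blocks every other frame.
# Assumed values (not from the original mail): interface, server MAC and the
# constructed client MAC list below.

IFACE="fxp0"
SERVER_MAC="5:4:3:2:1:0"
ALLOWED_CLIENTS="0:1:2:3:4:5 0:1:2:3:4:6"

# Accept the colon-separated form brconfig uses (1 or 2 hex digits per octet).
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$'
}

# gen_rules IFACE SERVER_MAC CLIENT_MAC...
# Prints one pass rule per direction for each client, then the two catchall
# block rules. Order matters: bridge rules are first-match, so the blocks must
# come last or they would shadow every pass rule.
gen_rules() {
    iface=$1; server=$2; shift 2
    valid_mac "$server" || { echo "bad server MAC: $server" >&2; return 1; }
    for client in "$@"; do
        valid_mac "$client" || { echo "bad client MAC: $client" >&2; return 1; }
        printf 'pass in on %s src %s dst %s\n' "$iface" "$client" "$server"
        printf 'pass out on %s src %s dst %s\n' "$iface" "$server" "$client"
    done
    printf 'block in on %s\n' "$iface"
    printf 'block out on %s\n' "$iface"
}

# Number of rules that would be generated: 2 per client + 2 catchall rules.
count_rules() {
    gen_rules "$@" | wc -l | tr -d ' '
}

# Print the rule file to stdout; redirect it to a file and load it with
#   brconfig bridge0 rulefile /path/to/bridge0.rules
# (assumed rulefile format: one rule per line, no leading "rule" keyword).
gen_rules "$IFACE" "$SERVER_MAC" $ALLOWED_CLIENTS
```

Because the bridge evaluates rules in insertion order, reloading a changed file should be done by flushing the interface's rules first, or the old pass rules stay in front of the new set. Note also what this control does and does not give you: it restricts which source addresses the bridge will forward, which is useful for containing a known set of hosts, but a MAC address is a client-supplied field, so the bridge rules should back up, not replace, the pf rules and database authentication on the server itself.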