Re: security at mac address level
On Fri, 28 Mar 2003, Doros Eracledes wrote:
> Is there a way to make sure that only requests
> from specific MAC addresses can access my
> pf protected database server?
> Maybe if it's not possible using pf, I could use a level 1 switch?
pf(4) filters at layer 2 (IP) and 3 (TCP, UDP, ...). If you want to filter
at Ethernet level, you should use a bridge(4). brconfig(8) has a similar
syntax to pf. Read the manual:
Add a filtering rule to an interface. Rules have a similar syntax
to pf(4). Rules can be used to selectively block or pass frames
based on Ethernet MAC address. Rules are processed in the order in
which they were added to the interface, and the first rule matched
takes the action (block or pass) of the rule. If no source or
destination address is specified, the rule will match all frames
(good for creating a catchall policy).
Load a set of rules from the file filename.
# brconfig bridge0 rule pass in on fxp0 src 0:1:2:3:4:5 dst 5:4:3:2:1:0
# brconfig bridge0 rule pass out on fxp0 src 5:4:3:2:1:0 dst 0:1:2:3:4:5
# brconfig bridge0 rule block in on fxp0
# brconfig bridge0 rule block out on fxp0
The above commands will set up a filter so that 0:1:2:3:4:5 can
send frames through fxp0 only to 5:4:3:2:1:0, and 5:4:3:2:1:0 can
return frames through fxp0 to 0:1:2:3:4:5. All other traffic
trying to go into and be sent from fxp0 will be blocked.
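A small Python model of the bridge(4) rule semantics the manual text describes (first match wins, rules are bound to one interface and direction, a rule without src/dst is a catch-all), added here as an example; it is not OpenBSD code and not from the post. It assumes that a frame matching no rule is forwarded, which is why the two catch-all block rules are needed, and feeds in the four command lines above as constructed input.

```python
from dataclasses import dataclass
from typing import List, Optional

def norm_mac(mac: str) -> str:
    """Canonicalise a MAC so '0:1:2:3:4:5' and '00:01:02:03:04:05' compare equal."""
    parts = mac.split(":")
    if len(parts) != 6 or not all(0 <= int(p, 16) <= 255 for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(f"{int(p, 16):02x}" for p in parts)

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: str                   # bridge member the rule is attached to
    src: Optional[str] = None    # None = match any source address
    dst: Optional[str] = None    # None = match any destination address

def parse_rule(line: str) -> Rule:
    """Parse 'rule pass|block in|out on IFACE [src MAC] [dst MAC]'; a leading
    'brconfig bridge0' is tolerated so the command lines above can be fed in."""
    tok = line.split()
    if tok[:1] == ["brconfig"]:
        tok = tok[2:]
    if len(tok) < 5 or len(tok) % 2 == 0 or tok[0] != "rule" or tok[3] != "on" \
            or tok[1] not in ("pass", "block") or tok[2] not in ("in", "out"):
        raise ValueError(f"unsupported rule syntax: {line!r}")
    addrs = {}
    for key, val in zip(tok[5::2], tok[6::2]):
        if key not in ("src", "dst") or key in addrs:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        addrs[key] = norm_mac(val)
    return Rule(tok[1], tok[2], tok[4], addrs.get("src"), addrs.get("dst"))

def evaluate(rules: List[Rule], iface: str, direction: str, src: str, dst: str) -> str:
    """Action for one frame: rules are tried in the order they were added and the
    first match wins.  Assumption: a frame that matches no rule is forwarded."""
    src, dst = norm_mac(src), norm_mac(dst)
    for r in rules:
        if (r.iface == iface and r.direction == direction
                and r.src in (None, src) and r.dst in (None, dst)):
            return r.action
    return "pass"

# The ruleset from the post (constructed input, copied from the commands above).
POST_RULES = [parse_rule(l) for l in (
    "brconfig bridge0 rule pass in on fxp0 src 0:1:2:3:4:5 dst 5:4:3:2:1:0",
    "brconfig bridge0 rule pass out on fxp0 src 5:4:3:2:1:0 dst 0:1:2:3:4:5",
    "brconfig bridge0 rule block in on fxp0",
    "brconfig bridge0 rule block out on fxp0",
)]
```

Evaluating a frame on another member (fxp1) shows the rules cover only the interface they were added to, and the source address checked is whatever the sending station put in the frame, so this limits which stations the bridge forwards for rather than authenticating them.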