On Sep 9, 2006, at 4:07 AM, Ethy H. Brito wrote:
> On Fri, 8 Sep 2006 18:20:15 -0700
> Vadim Kurland ✈ <vadim@...> wrote:
>> On Sep 8, 2006, at 5:08 PM, Ethy H. Brito wrote:
>>> How do I address this with FWB?
>> fwbuilder cannot build exactly this rule, i.e. there is no object
>> that would provide a combination of a network and MAC address.
>> Can packets from the network A.B.C/24 hit your firewall without going
>> through the wireless gateway first ? Is there a reason you need to
>> match both IP and MAC address ? Could you just match on IP ? I assume
>> there are other addresses behind the same wireless gateway, because
>> if the net A.B.C/24 is the only block behind it, you could also match
>> only MAC address.
> Here is what is happening: next Tuesday I'll be participating in an
> exposition. Since I need Internet for myself I installed it there. The
> organizers asked me to distribute this to other participants over
> wireless. Each bay will have a wireless client. Since I will sell
> accesses I cannot let some wise guys buy a small band, change their IP
> address and use the band bought by others. That is why I need network/MAC
> matching, just like the proxyarp times. I know this is a loose scheme but
> better this than nothing.
> That said, the answers to all your questions are no, I think.
> I will write the rules to satisfy FWB and change them manually. Too
> bad. :-)
You could use a branching rule in 2.1.x. That is, you build a rule to
match on a source MAC address with an action 'Branch'. In the branch
you then match on IP address. You can have multiple rules in the
branch if you want to take different actions based on the source IP
or protocol. This will achieve what you want.
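Editor's note, added example: the following script is not from the list thread or from fwbuilder; it shows what the "match source MAC, action Branch, then match source IP inside the branch" scheme compiles down to in iptables, so the generated rules can be compared with what fwbuilder emits. It assumes the wireless clients arrive on interface wlan0 (hypothetical) and are forwarded through the FORWARD chain; the MAC/IP/bay table is constructed for illustration. Two practitioner caveats: the `-m mac` match is only valid in the PREROUTING, INPUT and FORWARD chains, and a wireless client can change its MAC address as easily as its IP, so this only raises the bar, as the "loose scheme" remark above already concedes.

```shell
#!/bin/sh
# Added example (editor's, not code from the fwbuilder list or project):
# the iptables rules that a fwbuilder "match source MAC -> Branch ->
# match source IP" rule set compiles down to. Assumptions: the wireless
# segment arrives on interface wlan0 (hypothetical) and the FORWARD chain
# carries the client traffic; the MAC/IP pairs below are constructed.

# Constructed client table, one "<mac> <ip> <label>" per line.
CLIENTS='00:11:22:33:44:55 192.168.10.11 bay01
00:11:22:33:44:66 192.168.10.12 bay02'

# Turn a bay label into a legal chain name: safe characters only,
# at most 28 characters (iptables' limit on chain names).
chain_for() {
    printf 'br_%s' "$1" | tr -c 'A-Za-z0-9_' '_' | cut -c1-28
}

# gen_rules [iface]: print the iptables commands implementing the branch.
gen_rules() {
    wl_if=${1:-wlan0}
    printf '%s\n' "$CLIENTS" | while read -r mac ip label; do
        chain=$(chain_for "$label")
        # The branch: a user chain reachable only from the MAC rule below.
        echo "iptables -N $chain"
        # Inside the branch, match on the IP this client paid for ...
        echo "iptables -A $chain -s $ip -j ACCEPT"
        # ... and drop anything else this MAC sends (e.g. someone else's IP).
        echo "iptables -A $chain -j DROP"
        # Top-level rule: fwbuilder's action 'Branch' is a plain -j <chain>.
        # -m mac is only valid in PREROUTING, INPUT and FORWARD.
        echo "iptables -A FORWARD -i $wl_if -m mac --mac-source $mac -j $chain"
    done
    # Frames from the wireless side whose MAC is not in the table.
    echo "iptables -A FORWARD -i $wl_if -j DROP"
}

# count_rules [iface]: number of commands gen_rules emits (for checking).
count_rules() { gen_rules "$@" | wc -l | tr -d ' '; }

# Print the rule set; to load it run:  gen_rules wlan0 | sh   (as root)
gen_rules
```

Because each branch chain is entered only from its own MAC rule, the `-s <ip> -j ACCEPT` inside it can never be reached by a frame from another MAC, which is the IP-and-MAC conjunction the thread is after. Raw iptables could also express it as one rule (`-m mac --mac-source <mac> -s <ip> -j ACCEPT`); the branch is simply how the conjunction is reached through fwbuilder's object model.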