# ipfw: filtering layer2 and layer3
## mgp (Feb 17, 2011)

Hi,
I want to create a simple gateway with NAT and I want MAC address (layer2) based access control. I have this for layer3:


```
01000 nat 1 ip from any to any via em0
65000 allow ip from any to any
65535 deny ip from any to any
```

which works.

And when I set net.link.ether.ipfw to 1 this stops working because the layer2 packets don't match any of the above rules. While this is fine, I can't actually come up with correct rules to allow only certain MAC addresses...

I tried this:


```
00100 skipto 64000 ip from any to any MAC any 10:20:30:40:50:60
00100 skipto 1000 ip from any to any not layer2
01000 nat 1 ip from any to any via em0
64000 allow ip from any to any layer2
65000 allow ip from any to any
65535 deny ip from any to any
```

but it doesn't work...

Can anyone give me a hand please?

10x


----------
## mgp (Feb 18, 2011)

This is the solution:

```
00010 allow ip from any to any MAC any 10:20:30:40:50:60 in via $INT_IF
00020 deny ip from any to any layer2 in via $INT_IF
00100 allow ip from any to any layer2 via $EXT_IF
01000 nat 1 ip from any to any via $EXT_IF
65000 allow ip from any to any
65535 deny ip from any to any
```


----------
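As an added example (not the poster's own script), the following POSIX shell script generates the rule set from the second post for any number of permitted client MAC addresses instead of a single one. The interface names em1 (inside) and em0 (outside) and the MAC addresses used are constructed placeholders; the script only prints the ipfw commands so it can be reviewed before being run.

```shell
#!/bin/sh
# Added example: emit ipfw commands implementing the layer2 MAC allowlist from
# this thread for any number of client MACs. It only prints the commands and
# never runs ipfw itself. Interface names are assumed: em1 inside, em0 outside.
INT_IF="${INT_IF:-em1}"
EXT_IF="${EXT_IF:-em0}"

# Return 0 if $1 is a well-formed colon-separated 48-bit MAC address.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Print the full ruleset for the MACs given as arguments, one command per line.
# Numbering follows the thread: per-MAC allows from 00010, the layer2 deny
# directly after them, 00100 for layer2 on the outside, 01000 for nat and
# 65000 as the catch-all. 65535 is the kernel's built-in default rule (shown
# by "ipfw list" in the thread) and is never added explicitly.
gen_rules() {
    [ "$#" -le 80 ] || { echo "too many MACs for this numbering scheme" >&2; return 1; }
    n=10
    echo "sysctl net.link.ether.ipfw=1"   # layer2 rules are never consulted otherwise
    echo "ipfw -q -f flush"               # start from an empty ruleset
    for mac in "$@"; do
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
        # "MAC <dst> <src>": any destination, source must be this client
        printf 'ipfw add %05d allow ip from any to any MAC any %s in via %s\n' \
            "$n" "$mac" "$INT_IF"
        n=$((n + 1))
    done
    # every other layer2 frame arriving on the inside is dropped
    printf 'ipfw add %05d deny ip from any to any layer2 in via %s\n' "$n" "$INT_IF"
    echo "ipfw add 00100 allow ip from any to any layer2 via $EXT_IF"
    echo "ipfw add 01000 nat 1 ip from any to any via $EXT_IF"
    echo "ipfw add 65000 allow ip from any to any"
}

# Usage: sh gen-ipfw-rules.sh 10:20:30:40:50:60 aa:bb:cc:dd:ee:ff
if [ "$#" -gt 0 ]; then
    gen_rules "$@"
fi
```

The "nat 1 config" line that sets up the NAT instance is not shown in the thread and is left out here as well.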