Changing MAC address to an alias interface?
Hello, mates!
I've been wondering how I should change the MAC address of an alias interface. This is the situation:

[ Private Network ] --> [ FreeBSD Gateway ] --> [ Internet ]

The FreeBSD gateway is NAT-ing the hosts from the private network, so they can get access to the internet. I have two NICs on the FreeBSD gateway - one for the private network and the other for the external interface. Here is my /etc/pf.conf file:

Code:
# --- MACROS section ---
ext_if = "sis0"
int_if = "fxp0"

# --- IPs given by the ISP ---
ip_addr_1 = "x.x.x.87"
ip_addr_2 = "x.x.x.88"

# --- hosts from the private network ---
host1 = "10.10.0.2"
host2 = "10.10.0.3"
host3 = "10.10.0.4"
host4 = "10.10.0.5"
host5 = "10.10.0.6"

# --- *** local DC++ hubs which are not allowed *** ---
# --- *** to be accessed by certain hosts *** ---
dcpp_hub1 = "dc.xxx.net"
dcpp_hub2 = "dc.xxx.com"
dcpp_hub3 = "dc.xxx.org"

# --- hosts which are not allowed to access local DC++ hubs ---
DCPP_DENIED = "{" $host1 $host3 $host4 "}"
DCPP_HUB_DENIED = "{" $dcpp_hub1 $dcpp_hub2 $dcpp_hub3 "}"

# --- hosts with internet access ---
ALLOWED = "{" $host1 $host2 $host3 $host4 $host5 "}"

# --- host groups ---
HOSTS_GROUP1 = "{" $host3 $host4 $host5 "}"
HOSTS_GROUP2 = "{" $host1 $host2 "}"

# --- port for incoming ftp connections ---
FTP_PORT = "2121"
# --- port for incoming torrent connections ---
TORRENT_PORT = "25581"
# --- port for incoming ssh connections ---
SSH_PORT = "2222"

# --- OPTIONS section ---
set skip on lo0

# --- SCRUB section ---
scrub in all

# --- TRANSLATION (NAT/RDR) section ---
nat on $ext_if from $HOSTS_GROUP1 to any -> $ip_addr_1
nat on $ext_if from $HOSTS_GROUP2 to any -> $ip_addr_2

# --- redirect torrent traffic ---
rdr on $ext_if proto tcp from any to $ext_if port $TORRENT_PORT -> $host5 port $TORRENT_PORT

# --- redirect ftp traffic to the internal ftp server ---
rdr on $ext_if proto tcp from any to $ext_if port $FTP_PORT -> $host4 port $FTP_PORT
rdr on $ext_if proto tcp from any to $ext_if port 50000:50999 -> $host4 port 50000:50999

# --- redirect http traffic to the internal web server ---
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $host4 port 80

# --- redirect incoming mail traffic ---
rdr on $ext_if proto tcp from any to $ext_if port 25 -> $host4 port 25

# --- FILTER RULES ---
# --- default policy ---
block log all

# --- antispoof protection ---
antispoof quick for $ext_if inet
antispoof quick for $int_if inet

# --- INTERNAL interface ---
# --- prevent local hosts from connecting to dc++ hubs ---
block in log quick on $int_if inet from $DCPP_DENIED to $DCPP_HUB_DENIED
pass in quick on $int_if inet from $ALLOWED to any keep state
pass out quick on $int_if inet from any to any keep state

# --- EXTERNAL interface ---
# --- pass incoming torrent traffic ---
pass in quick on $ext_if inet proto tcp from any to $host5 port $TORRENT_PORT keep state

# --- pass incoming ftp traffic ---
pass in quick on $ext_if inet proto tcp from any to $host4 port $FTP_PORT keep state
pass in quick on $ext_if inet proto tcp from any to $host4 port 50000:50999 keep state

# --- pass incoming http traffic ---
pass in quick on $ext_if inet proto tcp from any to $host4 port 80 keep state

# --- pass incoming mail traffic ---
pass in quick on $ext_if inet proto tcp from any to $host4 port 25 keep state

# --- pass incoming ssh connections ---
pass in quick on $ext_if inet proto tcp from any to $ext_if port $SSH_PORT flags S/SA keep state

pass out quick on $ext_if inet from any to any keep state

Code:
ifconfig_sis0="inet x.x.x.87 netmask 255.255.255.0"
ifconfig_sis0_alias0="inet x.x.x.88 netmask 255.255.255.255"
ifconfig_fxp0="inet 10.10.0.1 netmask 255.0.0.0"

From what I have read in ifconfig(8):

Code:
The link-level (``link'') address is specified as a series of
colon-separated hex digits.  This can be used to e.g. set a new MAC
address on an ethernet interface, though the mechanism used is not
ethernet-specific.  If the interface is already up when this option is
used, it will be briefly brought down and then brought back up again in
order to ensure that the receive filter in the underlying ethernet
hardware is properly reprogrammed.

Code:
ifconfig_sis0_alias0="inet 78.90.73.88 netmask 255.255.255.255 link <some.other.mac.address>"

So my question is: how do I change the MAC address of the alias interface? Thanks for any feedback!
__________________
"I never think of the future. It comes soon enough." - A.E Useful links: FreeBSD Handbook | FreeBSD Developer's Handbook | The Porter's Handbook | PF User's Guide | unix-heaven.org |
You cannot
What you are asking is something like: "My name is Peter Puk a.k.a. J65nko. I want a surgeon to operate on J65nko's vocal cords, to change it from tenor to bass. The vocal cords of Peter have to stay the same."
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
I see, thanks for the good analogy explanation.

Last edited by DNAeon; 18th January 2009 at 06:51 PM.
You could do something like this:
Code:
nat on $EXT_IF from 192.168.1.0/24 to any -> x.x.x.88
nat on $EXT_IF from 10.0.0.0/24 to any -> x.x.x.89
You mean that I should split the host groups into different IP ranges?
Thanks, DNAeon
Because I was not in spoonfeed mode, I tried to convince you to read the BNF grammar at the end of the pf.conf man page.
Code:
nat-rule       = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
                 [ "on" ifspec ] [ af ] [ protospec ] hosts [ "tag" string ]
                 [ "tagged" string ]
                 [ "->" ( redirhost | "{" redirhost-list "}" )
                 [ portspec ] [ pooltype ] [ "static-port" ] ]
hosts          = "all" |
                 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
                 "{" host-list "}" | "route" string ) [ port ] [ os ]
                 "to"   ( "any" | "no-route" | "self" | host |
                 "{" host-list "}" | "route" string ) [ port ]
host-list      = host [ [ "," ] host-list ]
host           = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )
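Putting the two replies above together (the two-subnet nat rules and the `host = address [ "/" mask-bits ]` production from the grammar), here is an added example, not posted by anyone in this thread, of the original ruleset's NAT section rewritten so that each host group is an address range rather than a list of individual hosts. The interface names and the x.x.x.87/x.x.x.88 addresses are taken from the original post; the 10.10.0.0/24 and 10.10.1.0/24 ranges and the renumbering of the hosts into them are assumptions for illustration. Because fxp0 in the original rc.conf carries a 255.0.0.0 netmask, both assumed ranges are already on-link and the interface does not need to be re-addressed.

```conf
# Example pf.conf fragment (added illustration, not the poster's config).
# Assumes the rc.conf from the original post is unchanged:
#   ifconfig_sis0="inet x.x.x.87 netmask 255.255.255.0"
#   ifconfig_sis0_alias0="inet x.x.x.88 netmask 255.255.255.255"
#   ifconfig_fxp0="inet 10.10.0.1 netmask 255.0.0.0"

# --- MACROS ---
ext_if = "sis0"
int_if = "fxp0"

ip_addr_1 = "x.x.x.87"
ip_addr_2 = "x.x.x.88"

# Assumed renumbering: the former host3/host4/host5 live in 10.10.0.0/24,
# the former host1/host2 in 10.10.1.0/24.  Group membership is now a
# prefix, so the nat rule needs no per-host list.
group1_net = "10.10.0.0/24"
group2_net = "10.10.1.0/24"

# --- OPTIONS / SCRUB (order matters: options, scrub, translation, filter) ---
set skip on lo0
scrub in all

# --- TRANSLATION ---
# One nat rule per range; pf selects the translation address from the
# source network of the packet, so each group leaves with its own ISP IP.
nat on $ext_if inet from $group1_net to any -> $ip_addr_1
nat on $ext_if inet from $group2_net to any -> $ip_addr_2

# --- FILTER ---
# Default deny; anything on the internal side outside the two ranges is
# neither translated above nor passed below, and is logged here.
block log all

antispoof quick for $ext_if inet
antispoof quick for $int_if inet

# Only the two known ranges may originate traffic on the internal interface.
pass in quick on $int_if inet from { $group1_net, $group2_net } to any keep state
pass out quick on $int_if inet from any to any keep state
pass out quick on $ext_if inet from any to any keep state
```

Parse the file without loading it first with `pfctl -nf /etc/pf.conf`; after loading, `pfctl -s nat` shows the translation rules pf actually has, which is the quickest way to confirm that each range really maps to the intended address.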
I got it, thanks!