2002-11-09 19:10:22 +01:00
|
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
|
|
<html>
|
|
|
|
<head>
|
|
|
|
<title>MAC Verification</title>
|
|
|
|
<meta http-equiv="content-type"
|
|
|
|
content="text/html; charset=ISO-8859-1">
|
|
|
|
<meta name="author" content="Tom Eastep">
|
|
|
|
</head>
|
2003-11-17 22:06:32 +01:00
|
|
|
<body>
|
|
|
|
<br>
|
|
|
|
<h1 style="text-align: center;">MAC Verification<br>
|
|
|
|
</h1>
|
|
|
|
All traffic from an interface or from a subnet on an interface can be
|
|
|
|
verified to originate from a defined set of MAC addresses. Furthermore,
|
|
|
|
each MAC address may be optionally associated with one or more IP
|
|
|
|
addresses. <br>
|
|
|
|
<br>
|
|
|
|
<b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC -
|
|
|
|
module name ipt_mac.o).</b><br>
|
|
|
|
<br>
|
|
|
|
There are four components to this facility.<br>
|
2002-11-09 19:10:22 +01:00
|
|
|
<ol>
|
2003-11-17 22:06:32 +01:00
|
|
|
<li>The <b>maclist</b> interface option in <a
|
|
|
|
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
|
|
|
|
When
|
|
|
|
this option is specified, all traffic arriving on the interface is
|
|
|
|
subjet
|
2002-12-28 16:38:03 +01:00
|
|
|
to MAC verification.</li>
|
2003-11-17 22:06:32 +01:00
|
|
|
<li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
|
|
|
|
When this option is specified for a subnet, all traffic from that
|
|
|
|
subnet is subject to
|
|
|
|
MAC verification.</li>
|
|
|
|
<li>The /etc/shorewall/maclist file. This file is used to associate
|
|
|
|
MAC addresses with interfaces and to optionally associate IP addresses
|
|
|
|
with MAC addresses.</li>
|
|
|
|
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
|
|
|
|
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
|
|
|
|
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
|
|
|
|
and determines the disposition of connection requests that fail MAC
|
|
|
|
verification. The MACLIST_LOG_LEVEL variable gives the syslogd level at
|
|
|
|
which connection requests that fail verification are to be logged. If
|
|
|
|
set the the empty value (e.g., MACLIST_LOG_LEVEL="") then failing
|
|
|
|
connection requests are not logged.<br>
|
|
|
|
</li>
|
2002-11-09 19:10:22 +01:00
|
|
|
</ol>
|
2003-11-17 22:06:32 +01:00
|
|
|
The columns in /etc/shorewall/maclist are:<br>
|
2002-11-09 19:10:22 +01:00
|
|
|
<ul>
|
2003-11-17 22:06:32 +01:00
|
|
|
<li>INTERFACE - The name of an ethernet interface on the Shorewall
|
|
|
|
system.</li>
|
|
|
|
<li>MAC - The MAC address of a device on the ethernet segment
|
|
|
|
connected by INTERFACE. It is not necessary to use the Shorewall MAC
|
|
|
|
format in this column although you may use that format if you so choose.</li>
|
|
|
|
<li>IP Address - An optional comma-separated list of IP addresses for
|
|
|
|
the device whose MAC is listed in the MAC column.</li>
|
2002-11-09 19:10:22 +01:00
|
|
|
</ul>
|
2003-11-17 22:06:32 +01:00
|
|
|
<h3>Example 1: Here are my files (look <a href="myfiles.htm">here</a>
|
|
|
|
for details about my setup):</h3>
|
|
|
|
<b>/etc/shorewall/shorewall.conf:<br>
|
|
|
|
</b>
|
2002-11-09 19:10:22 +01:00
|
|
|
<pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre>
|
2003-11-17 22:06:32 +01:00
|
|
|
<b>/etc/shorewall/interfaces:</b><br>
|
|
|
|
<blockquote>
|
2003-07-22 00:06:18 +02:00
|
|
|
<pre>#ZONE INTERFACE BROADCAST OPTIONS<br>net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags<br>loc eth2 192.168.1.255 dhcp<br>dmz eth1 192.168.2.255<br>WiFi eth3 192.168.3.255 dhcp,maclist<br>- texas 192.168.9.255</pre>
|
2003-11-17 22:06:32 +01:00
|
|
|
</blockquote>
|
|
|
|
<b>/etc/shorewall/maclist:</b><br>
|
|
|
|
<blockquote>
|
2003-07-22 00:06:18 +02:00
|
|
|
<pre>#INTERFACE MAC IP ADDRESSES (Optional)<br>eth3 00:A0:CC:A2:0C:A0 192.168.3.7 #Work Laptop<br>eth3 00:04:5a:fe:85:b9 192.168.3.250 #WAP11<br>eth3 00:06:25:56:33:3c 192.168.3.225,192.168.3.8 #WET11<br>eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIPPER</pre>
|
2003-11-17 22:06:32 +01:00
|
|
|
</blockquote>
|
|
|
|
As shown above, I use MAC Verification on my wireless zone.<br>
|
|
|
|
<br>
|
|
|
|
<b>Note: </b>While marketed as a wireless bridge, the WET11 behaves
|
|
|
|
like a wireless router with DHCP relay. When forwarding DHCP traffic,
|
|
|
|
it uses the
|
|
|
|
MAC address of the host (TIPPER) but for other forwarded traffic it
|
|
|
|
uses it's
|
|
|
|
own MAC address. Consequently, I list the IP addresses of both devices
|
|
|
|
in
|
2003-07-22 00:06:18 +02:00
|
|
|
/etc/shorewall/maclist.<br>
|
|
|
|
<h3>Example 2: Router in Wireless Zone</h3>
|
2003-11-17 22:06:32 +01:00
|
|
|
Suppose now that I add a second wireless segment to my wireless zone
|
|
|
|
and gateway that segment via a router with MAC address
|
|
|
|
00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second
|
|
|
|
segment have IP addresses in the subnet 192.168.4.0/24. I would add the
|
|
|
|
following entry to my /etc/shorewall/maclist file:<br>
|
2003-06-23 22:24:51 +02:00
|
|
|
<pre> eth3 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24<br></pre>
|
2003-11-17 22:06:32 +01:00
|
|
|
This entry accomodates traffic from the router itself (192.168.3.253)
|
|
|
|
and from the second wireless segment (192.168.4.0/24). Remember that
|
|
|
|
all traffic being sent to my firewall from the 192.168.4.0/24 segment
|
|
|
|
will be forwarded by the router so that traffic's MAC address will be
|
|
|
|
that of the router (00:06:43:45:C6:15) and not that of the host sending
|
|
|
|
the traffic.
|
|
|
|
<p><font size="2"> Updated 6/30/2002 - <a href="support.htm">Tom Eastep</a>
|
|
|
|
</font></p>
|
|
|
|
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
|
|
|
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
|
|
|
</p>
|
|
|
|
<br>
|
|
|
|
<br>
|
|
|
|
<br>
|
|
|
|
<br>
|
|
|
|
<br>
|
|
|
|
<br>
|
2002-11-09 19:10:22 +01:00
|
|
|
</body>
|
|
|
|
</html>
|