<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article id="MAC_Validation">
  <!--$Id$-->

  <articleinfo>
    <title>MAC Verification</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2004-01-06</pubdate>

    <copyright>
      <year>2001-2004</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <para>All traffic from an interface or from a subnet on an interface can be
  verified to originate from a defined set of MAC addresses. Furthermore, each
  MAC address may be optionally associated with one or more IP addresses.</para>

  <important>
    <para><emphasis role="bold">MAC addresses are only visible within an
    ethernet segment, so all MAC addresses used in verification must belong to
    devices physically connected to one of the LANs to which your firewall is
    connected.</emphasis></para>
  </important>

  <important>
    <para><emphasis role="bold">Your kernel must include MAC match support
    (CONFIG_IP_NF_MATCH_MAC - module name ipt_mac.o).</emphasis></para>
  </important>

  <section>
    <title>Components</title>

    <para>There are four components to this facility.</para>

    <orderedlist>
      <listitem>
        <para>The <emphasis role="bold">maclist</emphasis> interface option in
        <ulink url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.
        When this option is specified, all traffic arriving on the interface
        is subject to MAC verification.</para>
      </listitem>

      <listitem>
        <para>The <emphasis role="bold">maclist</emphasis> option in <ulink
        url="Documentation.htm#Hosts">/etc/shorewall/hosts</ulink>. When this
        option is specified for a subnet, all traffic from that subnet is
        subject to MAC verification.</para>
      </listitem>

      <listitem>
        <para>The /etc/shorewall/maclist file. This file is used to associate
        MAC addresses with interfaces and to optionally associate IP addresses
        with MAC addresses.</para>
      </listitem>

      <listitem>
        <para>The <emphasis role="bold">MACLIST_DISPOSITION</emphasis> and
        <emphasis role="bold">MACLIST_LOG_LEVEL</emphasis> variables in <ulink
        url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.
        The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
        and determines the disposition of connection requests that fail MAC
        verification. The MACLIST_LOG_LEVEL variable gives the syslogd level
        at which connection requests that fail verification are to be logged.
        If set to the empty value (e.g., MACLIST_LOG_LEVEL=&#34;&#34;) then
        failing connection requests are not logged.</para>
      </listitem>
    </orderedlist>
  </section>

  <section>
    <title>/etc/shorewall/maclist</title>

    <para>The columns in /etc/shorewall/maclist are:</para>

    <variablelist>
      <varlistentry>
        <term>INTERFACE</term>

        <listitem>
          <para>The name of an ethernet interface on the Shorewall system.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>MAC</term>

        <listitem>
          <para>The MAC address of a device on the ethernet segment connected
          by INTERFACE. It is not necessary to use the Shorewall MAC format in
          this column although you may use that format if you so choose.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>IP Address</term>

        <listitem>
          <para>An optional comma-separated list of IP addresses for the
          device whose MAC is listed in the MAC column.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </section>

  <section>
    <title>Examples</title>

    <example>
      <title>Here are my files (look <ulink url="myfiles.htm">here</ulink> for
      details about my setup)</title>

      <para>/etc/shorewall/shorewall.conf:</para>

      <programlisting>MACLIST_DISPOSITION=REJECT
MACLIST_LOG_LEVEL=info</programlisting>

      <para>/etc/shorewall/interfaces:</para>

      <programlisting>#ZONE   INTERFACE        BROADCAST       OPTIONS
net     eth0            206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags
loc     eth2            192.168.1.255   dhcp
dmz     eth1            192.168.2.255
WiFi    eth3            192.168.3.255   dhcp,maclist
-       texas           192.168.9.255</programlisting>

      <para>/etc/shorewall/maclist:</para>

      <programlisting>#INTERFACE              MAC                     IP ADDRESSES (Optional)
eth3                    00:A0:CC:A2:0C:A0       192.168.3.7                 #Work Laptop
eth3                    00:04:5a:fe:85:b9       192.168.3.250               #WAP11
eth3                    00:06:25:56:33:3c       192.168.3.225,192.168.3.8   #WET11
eth3                    00:0b:cd:C4:cc:97       192.168.3.8                 #TIPPER</programlisting>

      <para>As shown above, I use MAC Verification on my wireless zone.</para>

      <para><note><para>While marketed as a wireless bridge, the WET11 behaves
      like a wireless router with DHCP relay. When forwarding DHCP traffic, it
      uses the MAC address of the host (TIPPER) but for other forwarded
      traffic it uses its own MAC address. Consequently, I list the IP
      addresses of both devices in /etc/shorewall/maclist.</para></note></para>
    </example>

    <example>
      <title>Router in Wireless Zone</title>

      <para>Suppose now that I add a second wireless segment to my wireless
      zone and gateway that segment via a router with MAC address
      00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second
      segment have IP addresses in the subnet 192.168.4.0/24. I would add the
      following entry to my /etc/shorewall/maclist file:</para>

      <programlisting>eth3                     00:06:43:45:C6:15       192.168.3.253,192.168.4.0/24</programlisting>

      <para>This entry accommodates traffic from the router itself
      (192.168.3.253) and from the second wireless segment (192.168.4.0/24).
      Remember that all traffic being sent to my firewall from the
      192.168.4.0/24 segment will be forwarded by the router, so that
      traffic&#39;s MAC address will be that of the router (00:06:43:45:C6:15)
      and not that of the host sending the traffic.</para>
    </example>
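    <para>The following is an added example, not Shorewall code: a small
    Python simulator of the maclist semantics described in the previous two
    sections (the maclist file columns, the maclist interface option and
    MACLIST_DISPOSITION). It parses a constructed maclist built from the
    entries above and reports the verdict for a connection request arriving
    with a given interface, source MAC and source IP. The function names
    parse_maclist, verify and check are assumptions made for this example.</para>

    <programlisting>```python
# Added example (not Shorewall's own code): simulate /etc/shorewall/maclist
# verification. Hypothetical helper names: parse_maclist, verify, check.
import ipaddress

def parse_maclist(text):
    """Parse maclist lines into (interface, mac, [networks]) tuples.
    MACs compare case-insensitively; the IP column is optional and may hold
    single addresses or CIDR blocks, comma-separated (as in the router entry)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError("bad maclist line: %r" % raw)
        iface, mac = fields[0], fields[1].lower()
        nets = []
        if len(fields) == 3:
            for item in fields[2].split(","):
                nets.append(ipaddress.ip_network(item, strict=False))
        entries.append((iface, mac, nets))
    return entries

def verify(entries, maclist_ifaces, disposition, iface, mac, src_ip):
    """Verdict for one connection request. Interfaces without the maclist
    option are not verified; a matching MAC with no IP column accepts any IP;
    a matching MAC with an IP column accepts only the listed addresses."""
    if iface not in maclist_ifaces:
        return "ACCEPT"        # no MAC verification configured on this interface
    addr = ipaddress.ip_address(src_ip)
    for e_iface, e_mac, nets in entries:
        if e_iface != iface or e_mac != mac.lower():
            continue
        if not nets or any(addr in n for n in nets):
            return "ACCEPT"    # MAC (and IP, if listed) matched
    return disposition         # failed verification: MACLIST_DISPOSITION applies

# Constructed sample maclist, assembled from the entries shown on this page.
SAMPLE_MACLIST = """\
#INTERFACE  MAC                IP ADDRESSES (Optional)
eth3        00:A0:CC:A2:0C:A0  192.168.3.7                  #Work Laptop
eth3        00:06:25:56:33:3c  192.168.3.225,192.168.3.8    #WET11
eth3        00:0b:cd:C4:cc:97  192.168.3.8                  #TIPPER
eth3        00:06:43:45:C6:15  192.168.3.253,192.168.4.0/24 #Router
"""
ENTRIES = parse_maclist(SAMPLE_MACLIST)
MACLIST_IFACES = {"eth3"}   # interfaces carrying the maclist option

def check(iface, mac, ip, disposition="REJECT"):
    return verify(ENTRIES, MACLIST_IFACES, disposition, iface, mac, ip)
```</programlisting>

    <para>Running check("eth3", "00:06:43:45:c6:15", "192.168.4.77") shows
    why the router entry needs the 192.168.4.0/24 block: forwarded hosts
    arrive with the router's MAC, and without that block they would be
    rejected.</para>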
  </section>
</article>