<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <title>MAC Verification</title>
                     
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
            
  <meta name="author" content="Tom Eastep">
</head>
  <body>
      
<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4"
 bgcolor="#400169" height="90">
                    <tbody>
                   <tr>
                     <td width="100%">                      
      <h1 align="center"><font color="#ffffff">MAC Verification</font><br>
            </h1>
                     <br>
            </td>
                   </tr>
            
  </tbody>   
</table>
           <br>
           All traffic from an interface    or  from a subnet on an interface 
 can be verified to originate from a defined     set of MAC addresses. Furthermore, 
 each MAC address may be optionally associated    with one or more IP addresses. 
 <br>
       <br>
       <b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC 
  - module name ipt_mac.o).</b><br>
       <br>
       There are four components to this facility.<br>
      
<ol>
             <li>The <b>maclist</b> interface option in <a
 href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this
option is specified, all traffic arriving on the interface is subject to MAC
verification.</li>
             <li>The <b>maclist </b>option in <a
 href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.   When this option 
  is specified for a subnet, all traffic from that subnet  is subject to MAC
  verification.</li>
             <li>The /etc/shorewall/maclist file. This file is used to associate 
   MAC  addresses with interfaces and to optionally associate IP addresses 
 with  MAC  addresses.</li>
             <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL
    </b>variables in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
  The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
and determines the disposition of connection requests that fail MAC verification.
  The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
  requests that fail verification are to be logged. If set to the empty
value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are
not logged.<br>
             </li>
      
</ol>
           The columns in /etc/shorewall/maclist are:<br>
      
<ul>
             <li>INTERFACE - The name of an ethernet interface on the Shorewall 
   system.</li>
             <li>MAC - The MAC address of a device on the ethernet segment
 connected     by INTERFACE. It is not necessary to use the Shorewall MAC
format in this     column although you may use that format if you so choose.</li>
             <li>IP Address - An optional comma-separated list of IP addresses 
  for   the device whose MAC is listed in the MAC column.</li>
      
</ul>
      
<h3>Example 1: Here are my files (look <a href="myfiles.htm">here</a> for
details about my setup):</h3>
           <b>/etc/shorewall/shorewall.conf:<br>
           </b>   
<pre>MACLIST_DISPOSITION=REJECT
MACLIST_LOG_LEVEL=info</pre>
           <b>/etc/shorewall/interfaces:</b><br>
      
<blockquote>      
  <pre>#ZONE   INTERFACE        BROADCAST       OPTIONS
net     eth0            206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags
loc     eth2            192.168.1.255   dhcp
dmz     eth1            192.168.2.255
WiFi    eth3            192.168.3.255   dhcp,maclist
-       texas           192.168.9.255</pre>
  </blockquote>
           <b>/etc/shorewall/maclist:</b><br>
      
<blockquote>      
  <pre>#INTERFACE              MAC                     IP ADDRESSES (Optional)
eth3                    00:A0:CC:A2:0C:A0       192.168.3.7                 #Work Laptop
eth3                    00:04:5a:fe:85:b9       192.168.3.250               #WAP11
eth3                    00:06:25:56:33:3c       192.168.3.225,192.168.3.8   #WET11
eth3                    00:0b:cd:C4:cc:97       192.168.3.8                 #TIPPER</pre>
  </blockquote>
  As shown above, I use MAC Verification on my wireless zone.<br>
 <br>
 <b>Note: </b>While marketed as a wireless bridge, the WET11 behaves like
a wireless router with DHCP relay. When forwarding DHCP traffic, it uses
the MAC address of the host (TIPPER) but for other forwarded traffic it uses
its own MAC address. Consequently, I list the IP addresses of both devices
in /etc/shorewall/maclist.<br>
      
<h3>Example 2: Router in Wireless Zone</h3>
           Suppose now that I add a second wireless segment to my wireless
 zone and   gateway  that segment via a router with MAC address 00:06:43:45:C6:15 
 and   IP address  192.168.3.253. Hosts in the second segment have IP addresses 
  in the subnet  192.168.4.0/24. I would add the following entry to my /etc/shorewall/maclist 
     file:<br>
      
<pre>eth3                     00:06:43:45:C6:15       192.168.3.253,192.168.4.0/24</pre>
           This entry accommodates traffic from the router itself (192.168.3.253)
and from the second wireless segment (192.168.4.0/24). Remember that all
traffic being sent to my firewall from the 192.168.4.0/24 segment will
be forwarded by the router, so that traffic's MAC address will be that
of the router (00:06:43:45:C6:15) and not that of the host sending the
traffic.
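<p>The following script is an added illustration, not part of Shorewall or of this page's configuration: it parses maclist-format text (a constructed sample that mirrors Example 1 plus the Example 2 router entry) and applies the matching rules described above to a single connection request on an interface that has the <b>maclist</b> option set. The function names, the sentinel for an unlisted MAC, and the default disposition of REJECT are assumptions made for this example; a MAC with no IP column is accepted for any source address, and a listed IP/subnet restricts the MAC to those sources.</p>

```python
import ipaddress
import re

# Constructed sample: Example 1's eth3 entries plus the Example 2 router entry.
MACLIST = """\
#INTERFACE  MAC                 IP ADDRESSES (Optional)
eth3        00:A0:CC:A2:0C:A0   192.168.3.7                  #Work Laptop
eth3        00:04:5a:fe:85:b9                                #WAP11, no IP restriction
eth3        00:06:25:56:33:3c   192.168.3.225,192.168.3.8    #WET11
eth3        00:0b:cd:C4:cc:97   192.168.3.8                  #TIPPER
eth3        00:06:43:45:C6:15   192.168.3.253,192.168.4.0/24 #Router (Example 2)
"""

_UNLISTED = object()   # sentinel: no entry for (interface, mac)


def norm_mac(mac):
    """Canonicalise a MAC to lower-case aa:bb:cc:dd:ee:ff.
    Accepts colon form and Shorewall's ~aa-bb-cc-dd-ee-ff form, any case."""
    octets = re.findall(r"[0-9a-fA-F]{2}", mac.lstrip("~"))
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return ":".join(o.lower() for o in octets)


def parse_maclist(text):
    """Map (interface, mac) -> list of allowed networks, or None if no IP column."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        iface, mac = fields[0], norm_mac(fields[1])
        nets = None
        if len(fields) > 2:                           # optional IP ADDRESSES column
            nets = [ipaddress.ip_network(a, strict=False) for a in fields[2].split(",")]
        table[(iface, mac)] = nets
    return table


def verify(table, iface, mac, ip, disposition="REJECT"):
    """Return ACCEPT if the request passes MAC verification, else MACLIST_DISPOSITION."""
    nets = table.get((iface, norm_mac(mac)), _UNLISTED)
    if nets is _UNLISTED:
        return disposition                             # MAC not listed for this interface
    if nets is None:
        return "ACCEPT"                                # listed MAC, any source IP allowed
    addr = ipaddress.ip_address(ip)
    return "ACCEPT" if any(addr in n for n in nets) else disposition
```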
<p><font size="2">   Updated 6/30/2002 - <a href="support.htm">Tom  Eastep</a> 
        </font></p>
        
<p><a href="copyright.htm"><font size="2">Copyright</font>         &copy; 
  <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
     </p>
</body>
</html>