All traffic from an interface or from a subnet on an interface
can be verified to originate from a defined set of MAC addresses. Furthermore,
each MAC address may be optionally associated with one or more IP addresses.
Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC
- module name ipt_mac.o).
There are four components to this facility.
- The maclist interface option in /etc/shorewall/interfaces. When this
option is specified, all traffic arriving on the interface is subjet to MAC
verification.
- The maclist option in /etc/shorewall/hosts. When this option
is specified for a subnet, all traffic from that subnet is subject to MAC
verification.
- The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses
with MAC addresses.
- The MACLIST_DISPOSITION and MACLIST_LOG_LEVEL
variables in /etc/shorewall/shorewall.conf.
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
and determines the disposition of connection requests that fail MAC verification.
The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
requests that fail verification are to be logged. If set the the empty
value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are
not logged.
The columns in /etc/shorewall/maclist are:
- INTERFACE - The name of an ethernet interface on the Shorewall
system.
- MAC - The MAC address of a device on the ethernet segment
connected by INTERFACE. It is not necessary to use the Shorewall MAC
format in this column although you may use that format if you so choose.
- IP Address - An optional comma-separated list of IP addresses
for the device whose MAC is listed in the MAC column.
Example 1: Here are my files (look here for
details about my setup):
/etc/shorewall/shorewall.conf:
MACLIST_DISPOSITION=REJECT
MACLIST_LOG_LEVEL=info
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags
loc eth2 192.168.1.255 dhcp
dmz eth1 192.168.2.255
WiFi eth3 192.168.3.255 dhcp,maclist
- texas 192.168.9.255
/etc/shorewall/maclist:
#INTERFACE MAC IP ADDRESSES (Optional)
eth3 00:A0:CC:A2:0C:A0 192.168.3.7 #Work Laptop
eth3 00:04:5a:fe:85:b9 192.168.3.250 #WAP11
eth3 00:06:25:56:33:3c 192.168.3.225,192.168.3.8 #WET11
eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIPPER
As shown above, I use MAC Verification on my wireless zone.
Note: While marketed as a wireless bridge, the WET11 behaves like
a wireless router with DHCP relay. When forwarding DHCP traffic, it uses
the MAC address of the host (TIPPER) but for other forwarded traffic it uses
it's own MAC address. Consequently, I list the IP addresses of both devices
in /etc/shorewall/maclist.
Example 2: Router in Wireless Zone
Suppose now that I add a second wireless segment to my wireless
zone and gateway that segment via a router with MAC address 00:06:43:45:C6:15
and IP address 192.168.3.253. Hosts in the second segment have IP addresses
in the subnet 192.168.4.0/24. I would add the following entry to my /etc/shorewall/maclist
file:
eth3 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24
This entry accomodates traffic from the router itself (192.168.3.253)
and from the second wireless segment (192.168.4.0/24). Remember that all
traffic being sent to my firewall from the 192.168.4.0/24 segment will
be forwarded by the router so that traffic's MAC address will be that
of the router (00:06:43:45:C6:15) and not that of the host sending the
traffic.
Updated 6/30/2002 - Tom Eastep
Copyright ©
2001, 2002, 2003 Thomas M. Eastep.