MAC Verification

Beginning with Shorewall version 1.3.10, all traffic from an interface or from a subnet on an interface can be verified to originate from a defined set of MAC addresses. Furthermore, each MAC address may be optionally associated with one or more IP addresses.

You must have the iproute package (ip utility) installed to use MAC Verification and your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC - module name ipt_mac.o).

There are four components to this facility.

The maclist interface option in /etc/shorewall/interfaces. When this option is specified, all traffic arriving on the interface is subjet to MAC verification.
The maclist option in /etc/shorewall/hosts. When this option is specified for a subnet, all traffic from that subnet is subject to MAC verification.
The /etc/shorewall/maclist file. This file is used to associate MAC addresses with interfaces and to optionally associate IP addresses with MAC addresses.
The MACLIST_DISPOSITION and MACLIST_LOG_LEVEL variables in /etc/shorewall/shorewall.conf. The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines the disposition of connection requests that fail MAC verification. The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection requests that fail verification are to be logged. If set the the empty value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are not logged.

The columns in /etc/shorewall/maclist are:

INTERFACE - The name of an ethernet interface on the Shorewall system.
MAC - The MAC address of a device on the ethernet segment connected by INTERFACE. It is not necessary to use the Shorewall MAC format in this column although you may use that format if you so choose.
IP Address - An optional comma-separated list of IP addresses for the device whose MAC is listed in the MAC column.

Example 1: Here are my files:

/etc/shorewall/shorewall.conf:

     MACLIST_DISPOSITION=REJECT
     MACLIST_LOG_LEVEL=info

/etc/shorewall/interfaces:

     #ZONE           INTERFACE       BROADCAST       OPTIONS
     net             eth0            206.124.146.255 norfc1918,filterping,dhcp,blacklist
     loc             eth2            192.168.1.255   dhcp,filterping,maclist
     dmz             eth1            192.168.2.255   filterping
     net             eth3            206.124.146.255 filterping,blacklist
     -               texas           192.168.9.255   filterping
     loc             ppp+            -               filterping

/etc/shorewall/maclist:

     #INTERFACE              MAC                     IP ADDRESSES (Optional)
     eth2                    00:A0:CC:63:66:89       192.168.1.3      #Wookie
     eth2                    00:10:B5:EC:FD:0B       192.168.1.4      #Tarry
     eth2                    00:A0:CC:DB:31:C4       192.168.1.5      #Ursa
     eth2                    00:A0:CC:DB:31:C4       192.168.1.128/26 #PPTP Clients to server on Ursa
     eth2                    00:06:25:aa:a8:0f       192.168.1.7      #Eastept1 (Wireless)
     eth2                    00:04:5A:0E:85:B9       192.168.1.250    #Wap

As shown above, I use MAC Verification on my local zone.

Example 2: Router in Local Zone

Suppose now that I add a second ethernet segment to my local zone and gateway that segment via a router with MAC address 00:06:43:45:C6:15 and IP address 192.168.1.253. Hosts in the second segment have IP addresses in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist file:

     eth2                     00:06:43:45:C6:15       192.168.1.253,192.168.2.0/24

This entry accomodates traffic from the router itself (192.168.1.253) and from the second LAN segment (192.168.2.0/24). Remember that all traffic being sent to my firewall from the 192.168.2.0/24 segment will be forwarded by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15) and not that of the host sending the traffic.

Updated 1/7/2002 - Tom Eastep