shorewall_code/Shorewall-docs/MAC_Validation.html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <title>MAC Verification</title>
                    
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
           
  <meta name="author" content="Tom Eastep">
</head>
  <body>
     
<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4"
 bgcolor="#400169" height="90">
            <tbody>
           <tr>
             <td width="100%">                                          
            
      <h1 align="center"><font color="#ffffff">MAC Verification</font><br>
    </h1>
             <br>
    </td>
           </tr>
                              
  </tbody>       
</table>
   <br>
   Beginning with Shorewall version 1.3.10, all traffic from an interface 
or  from a subnet on an interface can be verified to originate from a defined 
 set of MAC addresses. Furthermore, each MAC address may be optionally associated 
 with one or more IP addresses. There are four components to this facility.<br>
     
<ol>
     <li>The <b>maclist</b> interface option in <a
 href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this
option is specified, all traffic arriving on the interface is subjet to MAC
verification.</li>
     <li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. 
 When this option is specified for a subnet, all traffic from that subnet 
is subject to MAC verification.</li>
     <li>The /etc/shorewall/maclist file. This file is used to associate
MAC  addresses with interfaces and to optionally associate IP addresses with 
MAC  addresses.</li>
     <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables 
 in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> The 
 MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines 
 the disposition of connection requests that fail MAC verification. The MACLIST_LOG_LEVEL 
 variable gives the syslogd level at which connection requests that fail verification
 are to be logged. If set the the empty value (e.g., MACLIST_LOG_LEVEL="") 
 then failing connection requests are not logged.<br>
     </li>
     
</ol>
   The columns in /etc/shorewall/maclist are:<br>
     
<ul>
     <li>INTERFACE - The name of an ethernet interface on the Shorewall system.</li>
     <li>MAC - The MAC address of a device on the ethernet segment connected 
 by INTERFACE. It is not necessary to use the Shorewall MAC format in this 
 column although you may use that format if you so choose.</li>
     <li>IP Address - An optional comma-separated list of IP addresses for
 the device whose MAC is listed in the MAC column.</li>
     
</ul>
     
<h3>Example 1: Here are my files:</h3>
   <b>/etc/shorewall/shorewall.conf:<br>
   </b>   
<pre>     MACLIST_DISPOSITION=REJECT<br>     MACLIST_LOG_LEVEL=info<br></pre>
   <b>/etc/shorewall/interfaces:</b><br>
     
<pre>     #ZONE           INTERFACE       BROADCAST       OPTIONS<br>     net             eth0            206.124.146.255 norfc1918,filterping,dhcp,blacklist<br>     loc             eth2            192.168.1.255   dhcp,filterping,maclist<br>     dmz             eth1            192.168.2.255   filterping<br>     net             eth3            206.124.146.255 filterping,blacklist<br>     -               texas           192.168.9.255   filterping<br>     loc             ppp+            -               filterping<br></pre>
   <b>/etc/shorewall/maclist:</b><br>
     
<pre>     #INTERFACE              MAC                     IP ADDRESSES (Optional)<br>     eth2                    00:A0:CC:63:66:89       192.168.1.3     #Wookie<br>     eth2                    00:10:B5:EC:FD:0B       192.168.1.4     #Tarry<br>     eth2                    00:A0:CC:DB:31:C4       192.168.1.5     #Ursa<br>     eth2                    00:06:25:aa:a8:0f       192.168.1.7     #Eastept1 (Wireless)<br>     eth2                    00:04:5A:0E:85:B9       192.168.1.250   #Wap<br></pre>
   As shown above, I use MAC Verification on <a href="myfiles.htm">my local 
 zone</a>.<br>
     
<h3>Example 2: Router in Local Zone</h3>
   Suppose now that I add a second ethernet segment to my local zone and
gateway  that segment via a router with MAC address 00:06:43:45:C6:15 and
IP address  192.168.1.253. Hosts in the second segment have IP addresses
in the subnet  192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist 
 file:<br>
     
<pre>     eth2                     00:06:43:45:C6:15       192.168.1.253,192.168.2.0/24<br></pre>
   This entry accomodates traffic from the router itself (192.168.1.253)
and  from the second LAN segment (192.168.2.0/24). Remember that all traffic 
being  sent to my firewall from the 192.168.2.0/24 segment will be forwarded 
by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15) 
 and not that of the host sending the traffic.   
<p><font size="2">   Updated 10/23/2002 - <a href="support.htm">Tom  Eastep</a>
     </font></p>
                                                                        
                                                                        
                                          
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> 
      &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
   <br>
   <br>
   <br>
  <br>
 <br>
</body>
</html>