forked from extern/shorewall_code
107 lines
5.4 KiB
HTML
107 lines
5.4 KiB
HTML
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||
|
<html>
|
||
|
<head>
|
||
|
<title>MAC Verification</title>
|
||
|
|
||
|
<meta http-equiv="content-type"
|
||
|
content="text/html; charset=ISO-8859-1">
|
||
|
|
||
|
<meta name="author" content="Tom Eastep">
|
||
|
</head>
|
||
|
<body>
|
||
|
|
||
|
<table border="0" cellpadding="0" cellspacing="0"
|
||
|
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
|
||
|
bgcolor="#400169" height="90">
|
||
|
<tbody>
|
||
|
<tr>
|
||
|
<td width="100%">
|
||
|
|
||
|
<h1 align="center"><font color="#ffffff">MAC Verification</font><br>
|
||
|
</h1>
|
||
|
<br>
|
||
|
</td>
|
||
|
</tr>
|
||
|
|
||
|
</tbody>
|
||
|
</table>
|
||
|
<br>
|
||
|
Beginning with Shorewall version 1.3.10, all traffic from an interface
|
||
|
or from a subnet on an interface can be verified to originate from a defined
|
||
|
set of MAC addresses. Furthermore, each MAC address may be optionally associated
|
||
|
with one or more IP addresses. There are four components to this facility.<br>
|
||
|
|
||
|
<ol>
|
||
|
<li>The <b>maclist</b> interface option in <a
|
||
|
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this
|
||
|
option is specified, all traffic arriving on the interface is subjet to MAC
|
||
|
verification.</li>
|
||
|
<li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
|
||
|
When this option is specified for a subnet, all traffic from that subnet
|
||
|
is subject to MAC verification.</li>
|
||
|
<li>The /etc/shorewall/maclist file. This file is used to associate
|
||
|
MAC addresses with interfaces and to optionally associate IP addresses with
|
||
|
MAC addresses.</li>
|
||
|
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
|
||
|
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> The
|
||
|
MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines
|
||
|
the disposition of connection requests that fail MAC verification. The MACLIST_LOG_LEVEL
|
||
|
variable gives the syslogd level at which connection requests that fail verification
|
||
|
are to be logged. If set the the empty value (e.g., MACLIST_LOG_LEVEL="")
|
||
|
then failing connection requests are not logged.<br>
|
||
|
</li>
|
||
|
|
||
|
</ol>
|
||
|
The columns in /etc/shorewall/maclist are:<br>
|
||
|
|
||
|
<ul>
|
||
|
<li>INTERFACE - The name of an ethernet interface on the Shorewall system.</li>
|
||
|
<li>MAC - The MAC address of a device on the ethernet segment connected
|
||
|
by INTERFACE. It is not necessary to use the Shorewall MAC format in this
|
||
|
column although you may use that format if you so choose.</li>
|
||
|
<li>IP Address - An optional comma-separated list of IP addresses for
|
||
|
the device whose MAC is listed in the MAC column.</li>
|
||
|
|
||
|
</ul>
|
||
|
|
||
|
<h3>Example 1: Here are my files:</h3>
|
||
|
<b>/etc/shorewall/shorewall.conf:<br>
|
||
|
</b>
|
||
|
<pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre>
|
||
|
<b>/etc/shorewall/interfaces:</b><br>
|
||
|
|
||
|
<pre> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 norfc1918,filterping,dhcp,blacklist<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 192.168.2.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas 192.168.9.255 filterping<br> loc ppp+ - filterping<br></pre>
|
||
|
<b>/etc/shorewall/maclist:</b><br>
|
||
|
|
||
|
<pre> #INTERFACE MAC IP ADDRESSES (Optional)<br> eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie<br> eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry<br> eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa<br> eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)<br> eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap<br></pre>
|
||
|
As shown above, I use MAC Verification on <a href="myfiles.htm">my local
|
||
|
zone</a>.<br>
|
||
|
|
||
|
<h3>Example 2: Router in Local Zone</h3>
|
||
|
Suppose now that I add a second ethernet segment to my local zone and
|
||
|
gateway that segment via a router with MAC address 00:06:43:45:C6:15 and
|
||
|
IP address 192.168.1.253. Hosts in the second segment have IP addresses
|
||
|
in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
|
||
|
file:<br>
|
||
|
|
||
|
<pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre>
|
||
|
This entry accomodates traffic from the router itself (192.168.1.253)
|
||
|
and from the second LAN segment (192.168.2.0/24). Remember that all traffic
|
||
|
being sent to my firewall from the 192.168.2.0/24 segment will be forwarded
|
||
|
by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15)
|
||
|
and not that of the host sending the traffic.
|
||
|
<p><font size="2"> Updated 10/23/2002 - <a href="support.htm">Tom Eastep</a>
|
||
|
</font></p>
|
||
|
|
||
|
|
||
|
|
||
|
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||
|
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||
|
<br>
|
||
|
<br>
|
||
|
<br>
|
||
|
<br>
|
||
|
<br>
|
||
|
</body>
|
||
|
</html>
|