shorewall_code/Shorewall-docs/MAC_Validation.html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <title>MAC Verification</title>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <meta name="author" content="Tom Eastep">
</head>
<body>
<br>
<h1 style="text-align: center;">MAC Verification<br>
</h1>
All traffic from an interface or from a subnet on an interface can be
verified to originate from a defined set of MAC addresses. Furthermore,
each MAC address may be optionally associated with one or more IP
addresses. <br>
<br>
<b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC -
module name ipt_mac.o).</b><br>
<br>
There are four components to this facility.<br>
<ol>
  <li>The <b>maclist</b> interface option in <a
 href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
When
this option is specified, all traffic arriving on the interface is
subjet
to MAC verification.</li>
  <li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
When this option is specified for a subnet, all traffic from that
subnet is subject to
MAC verification.</li>
  <li>The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses
with MAC addresses.</li>
  <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
and determines the disposition of connection requests that fail MAC
verification. The MACLIST_LOG_LEVEL variable gives the syslogd level at
which connection requests that fail verification are to be logged. If
set the the empty value (e.g., MACLIST_LOG_LEVEL="") then failing
connection requests are not logged.<br>
  </li>
</ol>
The columns in /etc/shorewall/maclist are:<br>
<ul>
  <li>INTERFACE - The name of an ethernet interface on the Shorewall
system.</li>
  <li>MAC - The MAC address of a device on the ethernet segment
connected by INTERFACE. It is not necessary to use the Shorewall MAC
format in this column although you may use that format if you so choose.</li>
  <li>IP Address - An optional comma-separated list of IP addresses for
the device whose MAC is listed in the MAC column.</li>
</ul>
<h3>Example 1: Here are my files (look <a href="myfiles.htm">here</a>
for details about my setup):</h3>
<b>/etc/shorewall/shorewall.conf:<br>
</b>
<pre>     MACLIST_DISPOSITION=REJECT<br>     MACLIST_LOG_LEVEL=info<br></pre>
<b>/etc/shorewall/interfaces:</b><br>
<blockquote>
  <pre>#ZONE   INTERFACE        BROADCAST       OPTIONS<br>net     eth0            206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags<br>loc     eth2            192.168.1.255   dhcp<br>dmz     eth1            192.168.2.255<br>WiFi    eth3            192.168.3.255   dhcp,maclist<br>-       texas           192.168.9.255</pre>
</blockquote>
<b>/etc/shorewall/maclist:</b><br>
<blockquote>
  <pre>#INTERFACE              MAC                     IP ADDRESSES (Optional)<br>eth3                    00:A0:CC:A2:0C:A0       192.168.3.7                 #Work Laptop<br>eth3                    00:04:5a:fe:85:b9       192.168.3.250               #WAP11<br>eth3                    00:06:25:56:33:3c       192.168.3.225,192.168.3.8   #WET11<br>eth3                    00:0b:cd:C4:cc:97       192.168.3.8                 #TIPPER</pre>
</blockquote>
As shown above, I use MAC Verification on my wireless zone.<br>
<br>
<b>Note: </b>While marketed as a wireless bridge, the WET11 behaves
like a wireless router with DHCP relay. When forwarding DHCP traffic,
it uses the
MAC address of the host (TIPPER) but for other forwarded traffic it
uses it's
own MAC address. Consequently, I list the IP addresses of both devices
in
/etc/shorewall/maclist.<br>
<h3>Example 2: Router in Wireless Zone</h3>
Suppose now that I add a second wireless segment to my wireless zone
and gateway that segment via a router with MAC address
00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second
segment have IP addresses in the subnet 192.168.4.0/24. I would add the
following entry to my /etc/shorewall/maclist file:<br>
<pre>     eth3                     00:06:43:45:C6:15       192.168.3.253,192.168.4.0/24<br></pre>
This entry accomodates traffic from the router itself (192.168.3.253)
and from the second wireless segment (192.168.4.0/24). Remember that
all traffic being sent to my firewall from the 192.168.4.0/24 segment
will be forwarded by the router so that traffic's MAC address will be
that of the router (00:06:43:45:C6:15) and not that of the host sending
the traffic.
<p><font size="2"> Updated 6/30/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>