MAC Verification
Tom
Eastep
2005-03-11
2001-2005
Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation
License
.
All traffic from an interface or from a subnet on an interface can be
verified to originate from a defined set of MAC addresses. Furthermore, each
MAC address may be optionally associated with one or more IP
addresses.
MAC addresses are only visible within an
ethernet segment so all MAC addresses used in verification must belong to
devices physically connected to one of the LANs to which your firewall is
connected.
Your kernel must include MAC match support
(CONFIG_IP_NF_MATCH_MAC - module name ipt_mac.o).
MAC verification is only applied to new
incoming connection requests.
Components
There are four components to this facility.
The maclist interface option in
/etc/shorewall/interfaces.
When this option is specified, all new connection requests arriving on
the interface are subject to MAC verification.
The maclist option in /etc/shorewall/hosts. When this
option is specified for a subnet, all new connection requests from
that subnet are subject to MAC verification.
The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses
with MAC addresses.
The MACLIST_DISPOSITION and
MACLIST_LOG_LEVEL variables in /etc/shorewall/shorewall.conf.
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
and determines the disposition of connection requests that fail MAC
verification. The MACLIST_LOG_LEVEL variable gives the syslogd level
at which connection requests that fail verification are to be logged.
If set the the empty value (e.g., MACLIST_LOG_LEVEL="") then failing
connection requests are not logged.
/etc/shorewall/maclist
The columns in /etc/shorewall/maclist are:
INTERFACE
The name of an ethernet interface on the Shorewall
system.
MAC
The MAC address of a device on the ethernet segment connected
by INTERFACE. It is not necessary to use the Shorewall MAC format in
this column although you may use that format if you so
choose.
IP Address
An optional comma-separated list of IP addresses for the
device whose MAC is listed in the MAC column.
Examples
Here are my files (look here for
details about my setup)
/etc/shorewall/shorewall.conf:
MACLIST_DISPOSITION=REJECT
MACLIST_LOG_LEVEL=info
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
net $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,logmartians,blacklist,tcpflags,nosmurfs
loc $INT_IF 192.168.1.255 dhcp
dmz $DMZ_IF -
vpn tun+ -
Wifi $WIFI_IF - maclist,dhcp
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
/etc/shorewall/maclist:
#INTERFACE MAC IP ADDRESSES (Optional)
$WIFI_IF 00:04:5e:3f:85:b9 #WAP11
$WIFI_IF 00:06:25:95:33:3c #WET11
$WIFI_IF 00:0b:4d:53:cc:97 192.168.3.8 #TIPPER
$WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
As shown above, I use MAC Verification on my wireless zone.
While marketed as a wireless bridge, the WET11 behaves like a
wireless router with DHCP relay. When forwarding DHCP traffic, it
uses the MAC address of the host (TIPPER) but for other forwarded
traffic it uses it's own MAC address. Consequently, I list the IP
addresses of both devices in /etc/shorewall/maclist.
Router in Wireless Zone
Suppose now that I add a second wireless segment to my wireless
zone and gateway that segment via a router with MAC address
00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second
segment have IP addresses in the subnet 192.168.4.0/24. I would add the
following entry to my /etc/shorewall/maclist file:
$WIFI_IF 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24
This entry accomodates traffic from the router itself
(192.168.3.253) and from the second wireless segment (192.168.4.0/24).
Remember that all traffic being sent to my firewall from the
192.168.4.0/24 segment will be forwarded by the router so that traffic's
MAC address will be that of the router (00:06:43:45:C6:15) and not that
of the host sending the traffic.