MAC Verification



All traffic from an interface or from a subnet on an interface can be verified to originate from a defined set of MAC addresses. Furthermore, each MAC address may be optionally associated with one or more IP addresses.

Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC - module name ipt_mac.o).

There are four components to this facility.
  1. The maclist interface option in /etc/shorewall/interfaces. When this option is specified, all traffic arriving on the interface is subjet to MAC verification.
  2. The maclist option in /etc/shorewall/hosts. When this option is specified for a subnet, all traffic from that subnet is subject to MAC verification.
  3. The /etc/shorewall/maclist file. This file is used to associate MAC addresses with interfaces and to optionally associate IP addresses with MAC addresses.
  4. The MACLIST_DISPOSITION and MACLIST_LOG_LEVEL variables in /etc/shorewall/shorewall.conf. The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines the disposition of connection requests that fail MAC verification. The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection requests that fail verification are to be logged. If set the the empty value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are not logged.
The columns in /etc/shorewall/maclist are:

Example 1: Here are my files:

/etc/shorewall/shorewall.conf:
     MACLIST_DISPOSITION=REJECT
MACLIST_LOG_LEVEL=info
/etc/shorewall/interfaces:
#ZONE   INTERFACE        BROADCAST       OPTIONS
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags
loc eth2 192.168.1.255 dhcp
dmz eth1 192.168.2.255
wap eth3 192.168.3.255 dhcp,maclist
- texas 192.168.9.255
/etc/shorewall/maclist:
#INTERFACE              MAC                     IP ADDRESSES (Optional)
eth3 00:A0:CC:A2:0C:A0 192.168.3.7 #Work Laptop
eth3 00:04:5a:fe:85:b9 192.168.3.250 #WAP11
eth3 00:06:25:56:33:3c #WET11
eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIPPER
As shown above, I use MAC Verification on my wireless zone.

Note: The WET11 is a somewhat curious device; when forwarding DHCP traffic, it uses the MAC address of the host (TIPPER) but for other forwarded traffic it uses it's own MAC address. Consequently, I don't assign the WET11 a fixed IP address in /etc/shorewall/maclist.

Example 2: Router in Local Zone

Suppose now that I add a second wireless segment to my wireless zone and gateway that segment via a router with MAC address 00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second segment have IP addresses in the subnet 192.168.4.0/24. I would add the following entry to my /etc/shorewall/maclist file:
     eth3                     00:06:43:45:C6:15       192.168.3.253,192.168.4.0/24
This entry accomodates traffic from the router itself (192.168.3.253) and from the second wireless segment (192.168.4.0/24). Remember that all traffic being sent to my firewall from the 192.168.4.0/24 segment will be forwarded by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15) and not that of the host sending the traffic.

Updated 6/10/2002 - Tom Eastep

Copyright © 2001, 2002, 2003 Thomas M. Eastep.