Beginning with Shorewall version 1.3.10, all traffic from an interface
or from a subnet on an interface can be verified to originate from a defined
set of MAC addresses. Furthermore, each MAC address may be optionally associated
with one or more IP addresses.
You must have the iproute package (ip utility) installed to use MAC Verification
and your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC -
module name ipt_mac.o).
There are four components to this facility.
- The maclist interface option in /etc/shorewall/interfaces. When this
option is specified, all traffic arriving on the interface is subjet to MAC
verification.
- The maclist option in /etc/shorewall/hosts. When this option
is specified for a subnet, all traffic from that subnet is subject to MAC
verification.
- The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses
with MAC addresses.
- The MACLIST_DISPOSITION and MACLIST_LOG_LEVEL variables
in /etc/shorewall/shorewall.conf. The
MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and determines
the disposition of connection requests that fail MAC verification. The
MACLIST_LOG_LEVEL variable gives the syslogd level at which connection requests
that fail verification are to be logged. If set the the empty value (e.g.,
MACLIST_LOG_LEVEL="") then failing connection requests are not logged.
The columns in /etc/shorewall/maclist are:
- INTERFACE - The name of an ethernet interface on the Shorewall
system.
- MAC - The MAC address of a device on the ethernet segment connected
by INTERFACE. It is not necessary to use the Shorewall MAC format in this
column although you may use that format if you so choose.
- IP Address - An optional comma-separated list of IP addresses
for the device whose MAC is listed in the MAC column.
Example 1: Here are my files:
/etc/shorewall/shorewall.conf:
MACLIST_DISPOSITION=REJECT
MACLIST_LOG_LEVEL=info
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 norfc1918,filterping,dhcp,blacklist
loc eth2 192.168.1.255 dhcp,filterping,maclist
dmz eth1 192.168.2.255 filterping
net eth3 206.124.146.255 filterping,blacklist
- texas 192.168.9.255 filterping
loc ppp+ - filterping
/etc/shorewall/maclist:
#INTERFACE MAC IP ADDRESSES (Optional)
eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie
eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry
eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa
eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)
eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap
As shown above, I use MAC Verification on my local
zone.
Example 2: Router in Local Zone
Suppose now that I add a second ethernet segment to my local zone and
gateway that segment via a router with MAC address 00:06:43:45:C6:15 and
IP address 192.168.1.253. Hosts in the second segment have IP addresses
in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
file:
eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24
This entry accomodates traffic from the router itself (192.168.1.253)
and from the second LAN segment (192.168.2.0/24). Remember that all traffic
being sent to my firewall from the 192.168.2.0/24 segment will be forwarded
by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15)
and not that of the host sending the traffic.
Updated 12/29/2002 - Tom Eastep
Copyright
© 2001, 2002 Thomas M. Eastep.