Firewall Wizards mailing list archives

Re: Blocking at firewall via MAC address


From: Ryan McBride <mcbride () countersiege com>
Date: Sun, 16 Dec 2001 12:31:38 -0500

On Sat, Dec 15, 2001 at 04:51:31PM -0500, B. Scott Harroff wrote:
> The business partner has a simple requirement - if the laptop's MAC address
> does not match a list of predetermined addresses, it does not pass through
> the firewall.  In my opinion this requirement is over design for the
> environment, but I will meet it.
>
> If there is a wizard that knows how to meet this requirement with OpenBSD
> (2.9 or 3.0) / IPFilter, I'd really like to hear from you.   If not, I will
> simply implement a switch that will meet the business partner's requirement.

The easiest way to do this is to set up the OpenBSD system in a
bridging firewall configuration. Have a look at the brconfig(8)
man page, and the EXAMPLES section in particular. 

I haven't tried it myself, but you might be able to use this in a
"regular" firewall by adding an interface. For example, if your
firewall has 3 interfaces:

fxp0 - "outside" interface, configured with external IP address(es)
fxp1 - "inside" interface, configured with internal IP address(es)
fxp2 - bridge interface, UP but no IP address

# brconfig bridge0 add fxp1 add fxp2 up          # bridge the inside port and the laptop port
# brconfig bridge0 -learn fxp2                   # never learn source addresses from fxp2
# brconfig bridge0 -discover fxp2                # don't flood unknown destinations out fxp2
# brconfig bridge0 static fxp2 aa:bb:cc:dd:ee:ff # one static entry per permitted laptop
# ...

Alternatively you could set up permanent arp entries using arp(8) for
all the valid IP address/MAC combinations and block all IPs not so
mapped with IPF/PF. 

-Ryan

-- 
Ryan T. McBride, CISSP - mcbride () countersiege com
Countersiege Systems Corporation - http://www.countersiege.com
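The two approaches above (a static bridge forwarding table on the laptop port, or permanent arp entries plus packet-filter rules keyed on the mapped IPs) both start from the same thing: a whitelist of IP/MAC pairs that has to be free of typos and then checked against what is actually on the wire. The script below is an added Python example, not code from this post or from OpenBSD; it normalizes a whitelist into the forms brconfig(8) and arp(8) accept, emits the command and pf.conf lines for both variants (the bridge name `bridge0`, interface names `fxp1`/`fxp2`, the `arp -s` and `pass in on ... from` syntax are assumptions following the post), and audits constructed `arp -an`-style output for hosts that are not on the list or that show up with a different MAC than the one mapped. All addresses and the sample arp output are made up.

```python
import re

# Constructed whitelist of permitted laptops: (IP on the inside segment, MAC).
# The three MAC notations are deliberate: operators paste whatever their OS prints.
ALLOWED = [
    ("10.1.1.10", "00:A0:C9:12:34:56"),
    ("10.1.1.11", "00-a0-c9-ab-cd-ef"),   # dash-separated, as Windows prints it
    ("10.1.1.12", "00a0.c9fe.dcba"),      # dotted form, as some switches print it
]

BRIDGE = "bridge0"      # assumed bridge name, as in the post
LAPTOP_IF = "fxp2"      # assumed port the laptops plug into
INSIDE_IF = "fxp1"      # assumed inside port carrying the firewall's internal IP

# Constructed 'arp -an' style output; BSD arp prints octets without leading zeros.
SAMPLE_ARP = """\
? (10.1.1.10) at 0:a0:c9:12:34:56 on fxp1 permanent
? (10.1.1.11) at 0:a0:c9:ab:cd:ef on fxp1 permanent
? (10.1.1.12) at 0:11:22:33:44:55 on fxp1
? (10.1.1.50) at 0:50:56:c0:0:8 on fxp1
? (192.0.2.1) at 0:e0:4c:39:a1:b2 on fxp0 permanent
"""


def normalize_mac(mac):
    """Return the MAC as brconfig/arp expect it: six colon-separated lowercase
    octets. Rejects malformed, multicast and broadcast addresses, which can
    never belong to a laptop and would be a silent hole in a 'static' entry."""
    s = mac.strip().lower()
    if ":" in s or "-" in s:
        parts = re.split(r"[:-]", s)
        if len(parts) != 6 or not all(re.match(r"^[0-9a-f]{1,2}$", p) for p in parts):
            raise ValueError("malformed MAC: %r" % mac)
        octets = [p.zfill(2) for p in parts]
    else:
        digits = s.replace(".", "")
        if not re.match(r"^[0-9a-f]{12}$", digits):
            raise ValueError("malformed MAC: %r" % mac)
        octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    if int(octets[0], 16) & 0x01:         # I/G bit set: multicast, or ff:ff:... broadcast
        raise ValueError("multicast/broadcast MAC is not a host address: %r" % mac)
    return ":".join(octets)


def load_whitelist(pairs):
    """Normalize every entry and refuse duplicate IPs or MACs, the typo that
    would let one laptop answer for another without anyone noticing."""
    seen_mac, seen_ip, out = set(), set(), []
    for ip, mac in pairs:
        m = normalize_mac(mac)
        if m in seen_mac or ip in seen_ip:
            raise ValueError("duplicate whitelist entry: %s %s" % (ip, m))
        seen_mac.add(m)
        seen_ip.add(ip)
        out.append((ip, m))
    return out


def bridge_commands(whitelist):
    """brconfig(8) lines for the bridging variant: a fixed forwarding table on
    the laptop port, no learning and no flooding of unknown destinations there."""
    cmds = [
        "brconfig %s add %s add %s up" % (BRIDGE, INSIDE_IF, LAPTOP_IF),
        "brconfig %s -learn %s" % (BRIDGE, LAPTOP_IF),
        "brconfig %s -discover %s" % (BRIDGE, LAPTOP_IF),
    ]
    cmds += ["brconfig %s static %s %s" % (BRIDGE, LAPTOP_IF, m) for _, m in whitelist]
    return cmds


def arp_and_pf(whitelist):
    """arp(8) permanent entries plus pf.conf lines passing only the mapped IPs.
    Returns (arp_commands, pf_rules); the pf syntax is an assumption."""
    arp = ["arp -s %s %s" % (ip, m) for ip, m in whitelist]
    pf = ["block in on %s all" % INSIDE_IF]
    pf += ["pass in on %s from %s to any" % (INSIDE_IF, ip) for ip, _ in whitelist]
    return arp, pf


_ARP_LINE = re.compile(
    r"\((?P<ip>\d+(?:\.\d+){3})\)\s+at\s+"
    r"(?P<mac>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})\s+on\s+(?P<ifc>\S+)", re.I)


def audit_arp(arp_output, whitelist, iface=INSIDE_IF):
    """Compare arp table output on the inside port against the whitelist and
    return the (ip, mac) pairs that are not on it: an unknown host, or a
    whitelisted IP answering with a MAC other than the mapped one."""
    good = set(whitelist)
    bad = []
    for line in arp_output.splitlines():
        m = _ARP_LINE.search(line)
        if m and m.group("ifc") == iface:
            pair = (m.group("ip"), normalize_mac(m.group("mac")))
            if pair not in good:
                bad.append(pair)
    return bad


if __name__ == "__main__":
    wl = load_whitelist(ALLOWED)
    print("\n".join(bridge_commands(wl)))
    arp_cmds, pf_rules = arp_and_pf(wl)
    print("\n".join(arp_cmds))
    print("\n".join(pf_rules))
    for ip, mac in audit_arp(SAMPLE_ARP, wl):
        print("UNEXPECTED on %s: %s %s" % (INSIDE_IF, ip, mac))
```

Run it and the audit flags 10.1.1.12 (listed IP, wrong MAC) and 10.1.1.50 (not listed at all) while ignoring the gateway entry on fxp0. The permanent-arp variant only ties an IP to a MAC on the firewall itself; a host on the segment that changes its MAC to a listed one is not distinguished by either variant, which is the main reason to keep running the audit rather than trusting the table once.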
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
