Firewall Wizards mailing list archives
Re: Blocking at firewall via MAC address
From: Ryan McBride <mcbride () countersiege com>
Date: Sun, 16 Dec 2001 12:31:38 -0500
On Sat, Dec 15, 2001 at 04:51:31PM -0500, B. Scott Harroff wrote:
> The business partner has a simple requirement - if the laptop's MAC address does not match a list of predetermined addresses, it does not pass through the firewall. In my opinion this requirement is over-design for the environment, but I will meet it. If there is a wizard that knows how to meet this requirement with OpenBSD (2.9 or 3.0) / IPFilter, I'd really like to hear from you. If not, I will simply implement a switch that will meet the business partner's requirement.
The easiest way to do this is to set up the OpenBSD system in a bridging firewall configuration. Have a look at the brconfig(8) man page, and the EXAMPLES section in particular.

I haven't tried it myself, but you might be able to use this in a "regular" firewall by adding an interface. For example, if your firewall has 3 interfaces:

    fxp0 - "outside" interface, configured with external IP address(es)
    fxp1 - "inside" interface, configured with internal IP address(es)
    fxp2 - bridge interface, UP but no IP address

    # brconfig bridge0 add fxp1 add fxp2 up
    # brconfig bridge0 -learn fxp2
    # brconfig bridge0 -discover fxp0
    # brconfig bridge0 static fxp2 aa:bb:cc:dd:ee:ff
    # ...

Alternatively you could set up permanent arp entries using arp(8) for all the valid IP address/MAC combinations and block all IPs not so mapped with IPF/PF.

-Ryan

--
Ryan T. McBride, CISSP - mcbride () countersiege com
Countersiege Systems Corporation - http://www.countersiege.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
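Both approaches in the reply above boil down to one allow-list of MAC addresses (and, for the arp(8) variant, IP/MAC pairs) that has to be turned into per-entry commands without typos or duplicates. The script below is an added example, not code from the original post: it parses a constructed "ip mac" allow-list, normalizes the MAC addresses, rejects duplicate IPs or MACs, and emits the brconfig static entries for the laptop-facing bridge member, the permanent arp -s entries, and a last-match block/pass rule set accepted by both ipf and pf. The interface names fxp1/fxp2 and bridge0 are taken from the post; the addresses, owner names and the exact rule wording are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Generate per-MAC configuration for the two approaches in the reply:
bridge static entries (brconfig) and permanent ARP entries plus an IP
allow-list filter (arp + ipf/pf).  Example code, not from the original post."""
import ipaddress
import re

# Constructed allow-list in "ip mac" form; all addresses and names are made up.
ALLOWLIST = """\
# ip            mac                 owner
192.168.10.21   00:A0:C9:12:34:56   # laptop-1
192.168.10.22   00-a0-c9-ab-cd-ef   # laptop-2, dash form
192.168.10.23   0:a0:c9:1:2:3       # laptop-3, unpadded octets
"""


def normalize_mac(mac):
    """Return the lowercase, colon-separated, zero-padded form, or raise ValueError."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-fA-F]{1,2}", p) for p in parts):
        raise ValueError("bad MAC address: %r" % mac)
    return ":".join("%02x" % int(p, 16) for p in parts)


def load_allowlist(text):
    """Parse 'ip mac' lines (comments after '#'); reject malformed or duplicate entries."""
    entries, seen_ip, seen_mac = [], set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("line %d: expected 'ip mac', got %r" % (lineno, raw))
        ip = str(ipaddress.IPv4Address(fields[0]))  # AddressValueError on junk
        mac = normalize_mac(fields[1])
        if ip in seen_ip or mac in seen_mac:
            raise ValueError("line %d: duplicate IP or MAC %s %s" % (lineno, ip, mac))
        seen_ip.add(ip)
        seen_mac.add(mac)
        entries.append((ip, mac))
    return entries


def bridge_static_commands(entries, bridge="bridge0", laptop_if="fxp2"):
    """brconfig 'static' cache entries for the laptop-facing bridge member."""
    return ["brconfig %s static %s %s" % (bridge, laptop_if, mac) for _, mac in entries]


def arp_commands(entries):
    """arp -s entries; OpenBSD arp(8) entries are permanent unless 'temp' is given."""
    return ["arp -s %s %s" % (ip, mac) for ip, mac in entries]


def filter_rules(entries, inside_if="fxp1"):
    """Last-match rule set (valid for ipf and pf): block all, then pass listed IPs."""
    rules = ["block in on %s all" % inside_if]
    rules += ["pass in on %s from %s to any" % (inside_if, ip) for ip, _ in entries]
    return rules


def render(text=ALLOWLIST):
    """Render all three sections as one text block ready to paste into a script."""
    entries = load_allowlist(text)
    sections = [
        ("# bridge static entries", bridge_static_commands(entries)),
        ("# permanent arp entries", arp_commands(entries)),
        ("# ipf/pf rules", filter_rules(entries)),
    ]
    return "\n".join(h + "\n" + "\n".join(lines) for h, lines in sections) + "\n"


if __name__ == "__main__":
    print(render(), end="")
```

The arp entries and bridge static entries live only in kernel memory, so whatever emits them has to run again at boot (for example from /etc/rc.local; that location is an assumption, not something the post specifies). Either way, a MAC address is trivially cloned by anyone who can see one authorized laptop, so this control stops an unlisted machine from being plugged in by accident, not a deliberate attacker.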
Current thread:
- potential network attacks Daniel Handley (Dec 13)
- Blocking at firewall via MAC address B. Scott Harroff (Dec 14)
- Re: Blocking at firewall via MAC address Patrick Darden (Dec 15)
- Re: Blocking at firewall via MAC address Paul Robertson (Dec 16)
- Re: Blocking at firewall via MAC address black (Dec 15)
- Re: Blocking at firewall via MAC address B. Scott Harroff (Dec 15)
- Re: Blocking at firewall via MAC address Stephen P. Berry (Dec 16)
- Re: Blocking at firewall via MAC address Mark Brown (Dec 17)
- Re: Blocking at firewall via MAC address R. DuFresne (Dec 16)
- Re: Blocking at firewall via MAC address B. Scott Harroff (Dec 16)
- Re: Blocking at firewall via MAC address Ryan McBride (Dec 17)
- Re: Blocking at firewall via MAC address Paul Cardon (Dec 17)
- Re: Blocking at firewall via MAC address David Lang (Dec 17)
- Re: Blocking at firewall via MAC address Patrick Darden (Dec 15)
- Blocking at firewall via MAC address B. Scott Harroff (Dec 14)
- Re: Blocking at firewall via MAC address Patrick Darden (Dec 17)
- potential network attacks Daniel Handley (Dec 14)