Firewall Wizards mailing list archives
RE: Static ARP firewall advice
From: "Josh Welch" <jwelch () buffalowildwings com>
Date: Fri, 9 Apr 2004 07:57:31 -0500
Greg Dickinson said:
I've done some fairly extensive research on this subject, and can't get a definitive answer. I solicit your advice. I manage the firewall for a local boarding school as a side job. The campused students are allowed to bring their own PC's to connect to the campus network for internet access in their rooms. The firewall has 4 interfaces, one for the administrative LAN, one for the internet, one for the dorm LAN, and one for the proxy server so it's in it's own "sandbox". We have statically assigned IP addresses for the students' PC's, so that we can run a proxy log analysis and determine which students are accessing which sites at what times. These statically assigned addresses are in specific allow statements in the ruleset (pf on OBSD 3.2). Recently the (rather bright) students here have figured out that they can simply "steal" someone else's address and avoid detection. I am currently in the process of reloading the proxy server to get it off RH9, but in the interim I was wondering if there is an easy/recommended way to accomplish this: I had the idea of adding static ARP entries in the firewall so that only the specified Layer 3 addresses that match the specified Layer 2 addresses can get through the firewall. However (as you can imagine) this is a nightmare to maintain, as well as difficult for the local administrator to add static ARP entries (he has to add the addresses to /etc/rc.local and reboot the firewall everytime [yes, I know a reboot is not required...but it's simpler... :-> ]) To summarize: is there an easy way to maintain static ARP entries using pf on OBSD 3.2? While the current firewall is OBSD, I am not married to this configuration - if there is an open source firewall product that will allow me to accomplish this easier, then I will recommend that to the admin. Thanks in advance for your time. --Greg
A particular annoyance of mine is when I pose a specific question on a list and I get a bunch of replies that suggest I do something entirely different, unfortunately I'm going to do that :) Is there a particular reason you haven't decided to implement user authentication on your proxy? It would allow you to track site visits by username rather than IP Address, you could then DHCP your students if you wanted to and remove that particular administrative hassle, unless it's needed for other reasons. Otherwise, I don't have any OpenBSD boxes to try out pf, but iptables can have rules written in such a fashion that if a machine has a certain combination of IP and MAC, it's allowed, place a rule at the end of the chain to DROP any other traffic and it will work. Assuming your proxy runs on port 80 it should be like this: -A INPUT -p tcp -m tcp --dport 80 -j matchmac -A matchmac -m mac --mac-source 00:C0:WE:45:E2:D4 -p tcp -s 192.168.0.1 -j ACCEPT -A matchmac -j logmac -A logmac -j LOG --log-prefix "BAD MAC IP COMBO:" --log-level 7 -A logmac -j DROP This will work, but if you have a large number of clients it will be icky, specifically at the beginning of the school year when you're trying to get everyone set up. I'd still suggest doing client authentication on your proxy. Josh _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Static ARP firewall advice Greg Dickinson (Apr 08)
- RE: Static ARP firewall advice Josh Welch (Apr 10)
- Re: Static ARP firewall advice Chuck Swiger (Apr 10)
- <Possible follow-ups>
- Re: Static ARP firewall advice Greg Dickinson (Apr 10)
- RE: Static ARP firewall advice Melson, Paul (Apr 16)