Firewall Wizards mailing list archives

Re: Blocking at firewall via MAC address


From: Roelof JT Jonkman <roel () SiliconDefense com>
Date: Fri, 21 Dec 2001 19:07:23 -0800

Scott,

A business partner has a security requirement that only pre-identified and
approved laptops (identified by MAC address acting as a physical token) can
access a network behind a firewall.  Identification and blocking by IP
address alone is not acceptable as it could be too easily changed by a user
to match the IP address of an approved machine.

Does anyone have a solution on how to block via MAC address with OpenBSD?

This would imply you're implementing a bridging firewall rather than a 
routing (more common) firewall?? Hence the feature you're looking for is
documented in the manpage for brconfig. (Short for bridge config)

Now I'm guessing that the customer wants to prevent any laptop to
access the internet from within, and your firewall configuration is
a routing firewall. In that case you can turn arp off on the inside
interface (ifconfig de0 -arp for example) and hardcode a list of
mac addresses by means of 'arp -s <ip address> <mac address>'.

If the laptops are not directly connected to the firewall (via a router)
all this is moot, since in that case the mac address of the
router is what you will see, not the mac address of the laptop.

An additional solution would be (mentioned elsewhere in this thread)
to also include the dhcp server, and encode mac addresses in
that, however that is an extremely marginal protection, that doesn't
prevent a laptop user to pick an arbitrary address from the pile and
assign it statically.

I hope that this somewhat clarifies this.... feel free to ask.

Roel Jonkman
Security Engineer
http://www.silicondefense.com
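The static-ARP approach described in the reply above, turned into a script, as an added example that is not part of the original post. It assumes the inside interface is called de0 (the name used in the reply), takes a constructed allowlist of approved IP/MAC pairs, and only prints the 'ifconfig' and 'arp -s' commands it would run, so an administrator can review them before applying. It also rejects malformed or duplicate entries, since a typo in the allowlist would otherwise leave an approved laptop without a mapping or silently overwrite another one.

```shell
#!/bin/sh
# Added example, not from the original post: generate the OpenBSD commands that
# pin an inside interface to a static ARP allowlist, as the reply describes:
# disable ARP resolution on the interface, then hardcode each approved laptop's
# IP-to-MAC mapping with 'arp -s'. Nothing is applied; the commands are printed.

# Assumption: 'de0' is the inside interface name used in the reply.
IFACE="de0"

# Constructed sample allowlist ("ip mac" per line, '#' starts a comment).
ALLOWLIST='# approved laptops (constructed sample, not real hosts)
192.0.2.10 00:11:22:33:44:55
192.0.2.11 00:11:22:33:44:66
'

# Return 0 if the argument looks like a dotted-quad IPv4 address.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Return 0 if the argument is six colon-separated hex bytes.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Print the commands for the allowlist given as $1.
# Returns 1 (after printing what it can) if any entry is malformed or a
# duplicate, so a broken allowlist is never applied unnoticed.
gen_arp_cmds() {
    allow="$1"
    rc=0
    seen_ips=""
    seen_macs=""
    # With ARP resolution off, the kernel only talks to hosts it has a
    # static entry for; unknown MACs on the segment get no answer.
    printf 'ifconfig %s -arp\n' "$IFACE"
    while read -r ip mac rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        if ! valid_ip "$ip" || ! valid_mac "$mac" || [ -n "$rest" ]; then
            printf 'error: malformed allowlist entry: %s %s %s\n' "$ip" "$mac" "$rest" >&2
            rc=1
            continue
        fi
        case " $seen_ips " in
            *" $ip "*) printf 'error: duplicate IP %s\n' "$ip" >&2; rc=1; continue ;;
        esac
        case " $seen_macs " in
            *" $mac "*) printf 'error: duplicate MAC %s\n' "$mac" >&2; rc=1; continue ;;
        esac
        seen_ips="$seen_ips $ip"
        seen_macs="$seen_macs $mac"
        printf 'arp -s %s %s\n' "$ip" "$mac"
    done <<EOF
$allow
EOF
    return $rc
}

# Dry run on the constructed allowlist: review the output, then pipe it to
# 'sh' as root on the firewall once it looks right.
gen_arp_cmds "$ALLOWLIST"
```

As the reply notes, this only identifies hosts on the directly attached segment, and a user who sets an approved MAC on another machine defeats it; the script is a way to deploy the allowlist consistently, not a stronger control than the post describes.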

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards