Firewall Wizards mailing list archives
Re: Blocking at firewall via MAC address
From: Roelof JT Jonkman <roel () SiliconDefense com>
Date: Fri, 21 Dec 2001 19:07:23 -0800
Scott,
A business partner has a security requirement that only pre-identified and approved laptops (identified by MAC address acting as a physical token) can access a network behind a firewall. Identification and blocking by IP address alone is not acceptable as it could be too easily changed by a user to match the IP address of an approved machine.
Does anyone have a solution on how to block via MAC address with OpenBSD?
This would imply you're implementing a bridging firewall rather than a routing (more common) firewall?? Hence the feature you're looking for is documented in the manpage for brconfig (short for bridge config).

Now I'm guessing that the customer wants to prevent any laptop from accessing the internet from within, and your firewall configuration is a routing firewall. In that case you can turn ARP off on the inside interface (ifconfig de0 -arp, for example) and hardcode a list of MAC addresses by means of 'arp -s <ip address> <mac address>'.

If the laptops are not directly connected to the firewall (via a router) all this is moot, since in that case the MAC address of the router is what you will see, not the MAC address of the laptop.

An additional solution would be (mentioned elsewhere in this thread) to also include the DHCP server, and encode MAC addresses in that; however, that is an extremely marginal protection that doesn't prevent a laptop user from picking an arbitrary address from the pile and assigning it statically.

I hope that this somewhat clarifies this.... feel free to ask.

Roel Jonkman
Security Engineer
http://www.silicondefense.com
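The static-ARP approach described in the reply (turn ARP off on the inside interface, then pin each approved host with arp -s) is easy to get wrong by hand, and it gives no signal when a host later shows up with a different hardware address. The script below is an added example, not code from this thread or from OpenBSD: it generates the ifconfig/arp commands from an allowlist file, rejects malformed entries instead of pinning them, and audits a list of observed "ip mac" pairs (however you collect them, e.g. from arp -an) against the same allowlist so that an approved IP answering from an unexpected MAC is reported. The interface name de0, the addresses and the MACs are constructed placeholders; commands are printed rather than executed so the output can be reviewed before being run on the firewall.

```shell
#!/bin/sh
# Added example (not from the original post): static-ARP allowlist helper for
# the inside interface of a routing firewall. All names/addresses are
# constructed placeholders. Commands are printed, not run.

# Constructed allowlist: "ip mac" per line, '#' starts a comment.
ALLOWLIST='# ip            mac
10.1.1.10       00:0a:95:9d:68:16
10.1.1.11       00:0a:95:9d:68:17
10.1.1.12       not-a-mac
'

# valid_mac MAC: six colon-separated hex octets only.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# valid_ip IP: four dotted decimal octets, each 0-255.
valid_ip() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# build_arp_cmds IFACE ALLOWLIST_FILE: print the commands that disable ARP on
# IFACE and add a permanent entry per approved host. Malformed lines are
# reported on stderr and skipped rather than silently pinned.
build_arp_cmds() {
    iface=$1
    printf 'ifconfig %s -arp\n' "$iface"
    while read -r ip mac rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        if valid_ip "$ip" && valid_mac "$mac"; then
            printf 'arp -s %s %s\n' "$ip" "$mac"
        else
            printf 'skipping malformed entry: %s %s\n' "$ip" "$mac" >&2
        fi
    done < "$2"
}

# audit_arp ALLOWLIST_FILE OBSERVED_FILE: OBSERVED_FILE holds "ip mac" pairs
# as seen on the segment. Report an approved IP seen with a different MAC
# (MISMATCH) and any IP not on the allowlist (UNKNOWN). Exit 1 if anything
# was reported, 0 otherwise, so it can be run from cron and alerted on.
audit_arp() {
    awk '
        FNR == NR {
            m = tolower($2)
            if ($1 !~ /^#/ && m ~ /^[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]$/)
                allow[$1] = m
            next
        }
        NF >= 2 {
            ip = $1; mac = tolower($2)
            if (!(ip in allow)) { print "UNKNOWN " ip " " mac; n++ }
            else if (allow[ip] != mac) { print "MISMATCH " ip " expected " allow[ip] " saw " mac; n++ }
        }
        END { exit (n > 0) }' "$1" "$2"
}

# demo: run both functions on constructed input.
demo() {
    tmp=$(mktemp -d)
    printf '%s' "$ALLOWLIST" > "$tmp/allow"
    # Constructed observations: one approved host, one approved IP on a
    # different MAC, one IP that is not on the list at all.
    printf '10.1.1.10 00:0a:95:9d:68:16\n10.1.1.11 00:de:ad:be:ef:01\n10.1.1.50 00:0a:95:9d:68:99\n' > "$tmp/seen"
    build_arp_cmds de0 "$tmp/allow"
    audit_arp "$tmp/allow" "$tmp/seen" || echo "audit: findings above need follow-up"
    rm -rf "$tmp"
}
demo
```

The audit is the part that matters operationally: as the reply notes, a static ARP table does not stop a user from taking an approved MAC address, so the pinning only has value if someone is watching for the moment two machines claim the same identity, and this check is one cheap way to do that on the firewall itself.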