shorewall-doc-4.0.15-0.2mdvmes5.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>MAC Verification</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="MAC_Validation"></a>MAC Verification</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2001-2005 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id286316"></a><p>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      “<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation
      License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#Components">Components</a></span></dt><dt><span class="section"><a href="#maclist">/etc/shorewall/maclist</a></span></dt><dt><span class="section"><a href="#Examples">Examples</a></span></dt></dl></div><p>All traffic from an interface or from a subnet on an interface can be
  verified to originate from a defined set of MAC addresses. Furthermore, each
  MAC address may be optionally associated with one or more IP
  addresses.</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p><span class="bold"><strong>MAC addresses are only visible within an
    Ethernet segment so all MAC addresses used in verification must belong to
    devices physically connected to one of the LANs to which your firewall is
    connected.</strong></span></p><p><span class="bold"><strong>This means what it says! MAC addresses are
    only used within a LAN and never go outside of that LAN so please don't
    post on the mailing list asking how to use MAC addresses of computers
    connected to remote networks. The only MAC address that your firewall is
    going to see from these hosts is the MAC address of your upstream
    router.</strong></span></p></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p><span class="bold"><strong>Your kernel must include MAC match support
    (CONFIG_IP_NF_MATCH_MAC - module name ipt_mac.o).</strong></span></p></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p><span class="bold"><strong>MAC verification is only applied to new
    incoming connection requests. </strong></span></p></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p><span class="bold"><strong>DO NOT use MAC verification as your only
    security measure. MAC addresses can be easily spoofed. You can use it in
    combination with either <a class="ulink" href="IPSEC-2.6.html" target="_self">IPSEC</a> or
    <a class="ulink" href="OPENVPN.html" target="_self">OpenVPN</a>.</strong></span></p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Components"></a>Components</h2></div></div></div><p>There are six components to this facility.</p><div class="orderedlist"><ol type="1"><li><p>The <span class="bold"><strong>maclist</strong></span> interface option in
        <a class="ulink" href="manpages/shorewall-interfaces.html" target="_self">/etc/shorewall/interfaces</a>.
        When this option is specified, all new connection requests arriving on
        the interface are subject to MAC verification.</p></li><li><p>The <span class="bold"><strong>maclist</strong></span> option in <a class="ulink" href="manpages/shorewall-hosts.html" target="_self">/etc/shorewall/hosts</a>. When this
        option is specified for a subnet, all new connection requests from
        that subnet are subject to MAC verification.</p></li><li><p>The /etc/shorewall/maclist file. This file is used to associate
        MAC addresses with interfaces and to optionally associate IP addresses
        with MAC addresses.</p></li><li><p>The <span class="bold"><strong>MACLIST_DISPOSITION</strong></span> and
        <span class="bold"><strong>MACLIST_LOG_LEVEL</strong></span> variables in <a class="ulink" href="manpages/shorewall.conf.html" target="_self">/etc/shorewall/shorewall.conf</a>.
        The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
        and determines the disposition of connection requests that fail MAC
        verification. The MACLIST_LOG_LEVEL variable gives the syslogd level
        at which connection requests that fail verification are to be logged.
        If set to the empty value (e.g., MACLIST_LOG_LEVEL="") then failing
        connection requests are not logged.</p></li><li><p>Beginning with Shorewall 2.2.3, the <span class="bold"><strong>MACLIST_TTL</strong></span> variable in <a class="ulink" href="???" target="_self">/etc/shorewall/shorewall.conf</a>. The performance of
        configurations with a large number of entries in
        /etc/shorewall/maclist can be improved by setting the MACLIST_TTL
        variable.</p><p>If your iptables and kernel support the "Recent Match" (see the
        output of "shorewall check" near the top), you can cache the results
        of a 'maclist' file lookup and thus reduce the overhead associated
        with MAC Verification.</p><p>When a new connection arrives from a 'maclist' interface, the
        packet passes through the list of entries for that interface in
        /etc/shorewall/maclist. If there is a match then the source IP address
        is added to the 'Recent' set for that interface. Subsequent connection
        attempts from that IP address occurring within $MACLIST_TTL seconds
        will be accepted without having to scan all of the entries. After
        $MACLIST_TTL seconds from the first accepted connection request from an IP
        address, the next connection request from that IP address will be
        checked against the entire list.</p><p>If MACLIST_TTL is not specified, is specified as empty (e.g.,
        MACLIST_TTL="") or is specified as zero, then 'maclist' lookups will not
        be cached.</p></li><li><p>Beginning with Shorewall 2.4.6, the <span class="bold"><strong>MACLIST_TABLE</strong></span> variable in <a class="ulink" href="???" target="_self">/etc/shorewall/shorewall.conf</a>. Normally, MAC
        verification occurs in the filter table (INPUT and FORWARD) chains.
        When forwarding a packet from an interface with MAC verification to a
        bridge interface, that doesn't work.</p><p>This problem can be worked around by setting
        MACLIST_TABLE=mangle which will cause MAC verification to occur out of
        the PREROUTING chain. Because REJECT isn't available in that
        environment, you may not specify MACLIST_DISPOSITION=REJECT with
        MACLIST_TABLE=mangle.</p></li></ol></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="maclist"></a>/etc/shorewall/maclist</h2></div></div></div><p>The columns in /etc/shorewall/maclist are:</p><div class="variablelist"><dl><dt><span class="term">DISPOSITION (Added in Shorewall version 3.1)</span></dt><dd><p>Must be ACCEPT, DROP or REJECT (REJECT may not be specified if
          <span class="bold"><strong>MACLIST_TABLE</strong></span>=mangle). May be
          optionally followed by ":" and a log level to cause packets matching
          the rule to be logged.</p></dd><dt><span class="term">INTERFACE</span></dt><dd><p>The name of an Ethernet interface on the Shorewall
          system.</p></dd><dt><span class="term">MAC</span></dt><dd><p>The MAC address of a device on the Ethernet segment connected
          by INTERFACE. It is not necessary to use the Shorewall MAC format in
          this column although you may use that format if you so choose.
          Beginning with Shorewall 3.1, you may specify "-" here if you enter
          an IP address in the next column.</p></dd><dt><span class="term">IP Address</span></dt><dd><p>An optional comma-separated list of IP addresses for the
          device whose MAC is listed in the MAC column.</p></dd></dl></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Examples"></a>Examples</h2></div></div></div><div class="example"><a id="Example1"></a><p class="title"><b>Example 1. Here are my files</b></p><div class="example-contents"><p>/etc/shorewall/shorewall.conf:</p><pre class="programlisting">MACLIST_DISPOSITION=REJECT
MACLIST_LOG_LEVEL=info</pre><p>/etc/shorewall/interfaces:</p><pre class="programlisting">#ZONE   INTERFACE       BROADCAST       OPTIONS
net     $EXT_IF         206.124.146.255 dhcp,norfc1918,routefilter,logmartians,blacklist,tcpflags,nosmurfs
loc     $INT_IF         192.168.1.255   dhcp
dmz     $DMZ_IF         -
vpn     tun+            -
Wifi    $WIFI_IF        -               maclist,dhcp
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</pre><p>/etc/shorewall/maclist:</p><pre class="programlisting">#INTERFACE              MAC                     IP ADDRESSES (Optional)
$WIFI_IF                00:04:5e:3f:85:b9                       #WAP11
$WIFI_IF                00:06:25:95:33:3c                       #WET11
$WIFI_IF                00:0b:4d:53:cc:97       192.168.3.8     #TIPPER
$WIFI_IF                00:1f:79:cd:fe:2e       192.168.3.6     #Work Laptop
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre><p>As shown above, I use MAC Verification on my wireless zone.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>While marketed as a wireless bridge, the WET11 behaves like a
          wireless router with DHCP relay. When forwarding DHCP traffic, it
          uses the MAC address of the host (TIPPER) but for other forwarded
          traffic it uses its own MAC address. Consequently, I list the IP
          addresses of both devices in /etc/shorewall/maclist.</p></div></div></div><br class="example-break" /><div class="example"><a id="Example2"></a><p class="title"><b>Example 2. Router in Wireless Zone</b></p><div class="example-contents"><p>Suppose now that I add a second wireless segment to my wireless
      zone and gateway that segment via a router with MAC address
      00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second
      segment have IP addresses in the subnet 192.168.4.0/24. I would add the
      following entry to my /etc/shorewall/maclist file:</p><pre class="programlisting">$WIFI_IF                    00:06:43:45:C6:15       192.168.3.253,192.168.4.0/24</pre><p>This entry accommodates traffic from the router itself
      (192.168.3.253) and from the second wireless segment (192.168.4.0/24).
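</p><p>To make the matching rules concrete, the following Python model (added here; it is not Shorewall code and not part of the original document) evaluates a maclist file the way the columns described above work: the first matching entry decides, a missing IP column matches any address, "-" in the MAC column matches any MAC, and a connection matching no entry gets MACLIST_DISPOSITION. The interface name wlan0, the PARAMS dictionary standing in for /etc/shorewall/params and the DROP:info entry are constructed assumptions, and the model assumes the connection already arrived on an interface or subnet carrying the maclist option.</p>

```python
import ipaddress
import re

# Constructed sample, not the page's files verbatim: the wireless entries of
# Examples 1 and 2 rewritten in the 4-column DISPOSITION/INTERFACE/MAC/IP form
# described above, plus one constructed "-" (IP-only) entry with a log level.
PARAMS = {"WIFI_IF": "wlan0"}                    # stands in for /etc/shorewall/params
MACLIST_DISPOSITION, MACLIST_LOG_LEVEL = "REJECT", "info"   # shorewall.conf values
MACLIST = """\
#DISPOSITION INTERFACE MAC                IP ADDRESSES (Optional)
ACCEPT       $WIFI_IF  00:04:5e:3f:85:b9                                #WAP11
ACCEPT       $WIFI_IF  00:06:25:95:33:3c                                #WET11
ACCEPT       $WIFI_IF  00:0b:4d:53:cc:97  192.168.3.8                   #TIPPER
ACCEPT       $WIFI_IF  00:06:43:45:C6:15  192.168.3.253,192.168.4.0/24  #router
DROP:info    $WIFI_IF  -                  192.168.3.250                 #constructed
"""

def parse_maclist(text, params):
    """Return [(disposition, log_level, interface, mac, [networks])] per entry."""
    entries = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0]                      # strip trailing comment
        cols = re.sub(r"\$(\w+)", lambda m: params[m.group(1)], body).split()
        if not cols:
            continue
        disp, _, level = cols.pop(0).partition(":")     # "DROP:info" -> DROP, info
        if disp not in ("ACCEPT", "DROP", "REJECT"):
            raise ValueError(f"bad DISPOSITION: {raw!r}")
        iface, mac = cols[0], cols[1].lower()            # MAC match is case-insensitive
        nets = [ipaddress.ip_network(a, strict=False)
                for a in cols[2].split(",")] if len(cols) > 2 else []
        if mac == "-" and not nets:
            raise ValueError(f"'-' MAC requires an IP address: {raw!r}")
        entries.append((disp, level, iface, mac, nets))
    return entries

def verify(entries, iface, src_mac, src_ip):
    """First matching entry decides; no match falls back to MACLIST_DISPOSITION."""
    ip = ipaddress.ip_address(src_ip)
    for disp, level, e_iface, e_mac, nets in entries:
        if e_iface != iface or (e_mac != "-" and e_mac != src_mac.lower()):
            continue
        if nets and not any(ip in n for n in nets):      # empty list = any IP
            continue
        return disp, level
    return MACLIST_DISPOSITION, MACLIST_LOG_LEVEL

ENTRIES = parse_maclist(MACLIST, PARAMS)
# A 192.168.4.0/24 host arrives with the router's MAC (Example 2) and is accepted:
print(verify(ENTRIES, "wlan0", "00:06:43:45:c6:15", "192.168.4.17"))
```

<p>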
      Remember that all traffic being sent to my firewall from the
      192.168.4.0/24 segment will be forwarded by the router so that traffic's
      MAC address will be that of the router (00:06:43:45:C6:15) and not that
      of the host sending the traffic.</p></div></div><br class="example-break" /></div></div></body></html>