Re: PF MAC Filter

2003-02-26 Thread Stefan Sonnenberg-Carstens
No, it is not possible.
And you should remember that a setup like that can cut you off by mistake;
everyone who had to deal with a Fw-1 and the f***ng arp-cache
should know ...
And another thing:
In Ethernet terms, you can only see MACs on your Ethernet segment (e.g. a
router, switch, etc.), so if you have a router in front of your pf firewall,
MAC filtering can only make sure that this is the router you are dealing with.
As far as I remember, you will never see the MACs of hosts BEFORE the
router.
So to me it seems only like some anti-spoofing technique with limited
ability.
Are you sure you want that?
Perhaps you should specify your intention a bit more clearly.

- Original Message -
From: Shawn Mitchell [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, February 26, 2003 10:26 AM
Subject: PF MAC Filter



> Is it possible to specify a MAC Address filter?
>
> And just to go ahead and cut off the trolls on MAC Filtering...  I know you
> can change your MAC address.  I don't care that you can.  I'm wanting to
> place a few filters that will stop 98% of the people out there, and put
> something in place to where I can force an IP Address to be used only by a
> specified network interface.







Re: PF MAC Filter

2003-02-26 Thread Michael W . Lucas
On Wed, Feb 26, 2003 at 03:26:28AM -0600, Shawn Mitchell wrote:
 
> Is it possible to specify a MAC Address filter?
>
> And just to go ahead and cut off the trolls on MAC Filtering...  I know you
> can change your MAC address.  I don't care that you can.  I'm wanting to
> place a few filters that will stop 98% of the people out there, and put
> something in place to where I can force an IP Address to be used only by a
> specified network interface.

Hi,

Different network layer than PF, it won't work.  However:

man brconfig


==ml

-- 
Michael Lucas   [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/

   Absolute BSD:   http://www.AbsoluteBSD.com/



RE: PF MAC Filter

2003-02-26 Thread Shawn Mitchell
Yeah.. and my OpenBSD box is the router.  I have 2 qfe cards in it.  I'm
just wanting a way to where I can ensure (doesn't have to be 100% mind you)
that only some people can get through the box.  The DHCP server only gives
out static IP Addresses, according to the MAC Address.

I don't want to spend a bunch of time making it 100% secure, but I'm wanting
to accomplish two main things.  Control access a little, and make sure that
someone doesn't give their machine a static IP Address and do network traffic
through the router.

Just a little pre-filtering to stop the ignorant people, and the wanna-be
hackers.

-Shawn


-Original Message-
From: Stefan Sonnenberg-Carstens [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 26, 2003 9:12 AM
To: Shawn Mitchell; [EMAIL PROTECTED]
Subject: Re: PF MAC Filter


No, it is not possible.
And you should remember that a setup like that can cut you off by mistake;
everyone who had to deal with a Fw-1 and the f***ng arp-cache
should know ...
And another thing:
In Ethernet terms, you can only see MACs on your Ethernet segment (e.g. a
router, switch, etc.), so if you have a router in front of your pf firewall,
MAC filtering can only make sure that this is the router you are dealing with.
As far as I remember, you will never see the MACs of hosts BEFORE the
router.
So to me it seems only like some anti-spoofing technique with limited
ability.
Are you sure you want that?
Perhaps you should specify your intention a bit more clearly.

- Original Message -
From: Shawn Mitchell [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, February 26, 2003 10:26 AM
Subject: PF MAC Filter



> Is it possible to specify a MAC Address filter?
>
> And just to go ahead and cut off the trolls on MAC Filtering...  I know you
> can change your MAC address.  I don't care that you can.  I'm wanting to
> place a few filters that will stop 98% of the people out there, and put
> something in place to where I can force an IP Address to be used only by a
> specified network interface.







Re: PF MAC Filter

2003-02-26 Thread Daniel Hartmeier
On Wed, Feb 26, 2003 at 06:13:38PM -0600, Shawn Mitchell wrote:

> Just a little pre-filtering to stop the ignorant people, and the wanna-be
> hackers.

For MAC level filtering, you'll need a bridge. See brconfig(8) about how
to filter on MAC addresses. pf will still work on a bridge, and you can
do the IP level filtering with pf on the same box.

pf itself does not (and will not) filter on MAC addresses, as has been
discussed in-depth many times before. If you're interested in the old
discussions, the mailing list archives will help you.

Daniel
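
Added example, not part of Daniel's message or the OpenBSD project's code: a small sh script that turns a MAC allowlist into brconfig(8) rule commands for one bridge member interface, using the `rule` and `flushrule` syntax from that manual page. The names bridge0 and hme1 and the MAC addresses are constructed placeholders, and the bridge is assumed to be set up already; the script only prints commands.

```sh
#!/bin/sh
# Added example: print brconfig(8) commands for a default-deny MAC allowlist.
# bridge0, hme1 and all MAC addresses below are constructed placeholders.

# valid_mac ADDR: succeed only for six colon-separated groups of 1-2 hex digits.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2}$'
}

# gen_mac_rules BRIDGE IFACE: read "MAC [comment]" lines on stdin and print
# the commands. Returns 1 if any entry was rejected; a rejected entry gets no
# pass rule, so a typo in the list leaves that host blocked, not allowed.
gen_mac_rules() {
    bridge=$1 iface=$2 bad=0
    # Start from a clean rule list so stale pass rules do not survive.
    echo "brconfig $bridge flushrule $iface"
    while read -r mac _rest; do
        case $mac in ''|'#'*) continue ;; esac
        if valid_mac "$mac"; then
            echo "brconfig $bridge rule pass in on $iface src $mac"
        else
            echo "skipping invalid MAC: $mac" >&2
            bad=1
        fi
    done
    # Bridge rules are evaluated in order and the first match decides,
    # so the catch-all block must be added after every pass rule.
    echo "brconfig $bridge rule block in on $iface"
    return $bad
}

# Constructed sample allowlist, one "MAC comment" entry per line.
sample_allowlist() {
    cat <<'EOF'
# office workstations (constructed addresses)
00:03:ba:00:00:01 workstation-a
00:03:ba:00:00:02 workstation-b
EOF
}

sample_allowlist | gen_mac_rules bridge0 hme1
```

Review the printed commands before running them as root. The IP-level policy still belongs in pf.conf, since these rules match Ethernet source addresses only.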



Re: PF MAC Filter

2003-02-26 Thread Laurent Cheylus
Shawn Mitchell [EMAIL PROTECTED] wrote:

> Is it possible to specify a MAC Address filter?

Yes, with transparent firewalling (bridge mode): see FAQ 6.10
http://www.openbsd.org/faq/faq6.html#Bridge

Do you block some nasty attacks with ARP: ARP spoofing with tools like Hunt or
Arp-sk?

Be careful with bridge mode: a good configuration is difficult and may be a
source of problems.

Foxy.

-- 
Laurent Cheylus [EMAIL PROTECTED] OpenPGP ID 0x5B766EC2



RE: PF MAC Filter

2003-02-26 Thread Shawn Mitchell
I went looking there.. but I just found old archives.. and a bunch of "well,
Linux has it" arguments.  I personally don't care who has what, I just care
about whose works the best for what I need it to do.

That's why I converted some of my firewalls from Linux's iptables, to
OpenBSD and pf...  I like it more...

thx for the info though!

-Shawn

-Original Message-
From: Daniel Hartmeier [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 26, 2003 6:21 PM
To: Shawn Mitchell
Cc: Stefan Sonnenberg-Carstens; [EMAIL PROTECTED]
Subject: Re: PF MAC Filter


On Wed, Feb 26, 2003 at 06:13:38PM -0600, Shawn Mitchell wrote:

> Just a little pre-filtering to stop the ignorant people, and the wanna-be
> hackers.

For MAC level filtering, you'll need a bridge. See brconfig(8) about how
to filter on MAC addresses. pf will still work on a bridge, and you can
do the IP level filtering with pf on the same box.

pf itself does not (and will not) filter on MAC addresses, as has been
discussed in-depth many times before. If you're interested in the old
discussions, the mailing list archives will help you.

Daniel



Re: PF MAC Filter

2003-02-26 Thread Sancho2k.net Lists


Laurent Cheylus wrote:
> Shawn Mitchell [EMAIL PROTECTED] wrote:
>
> > Is it possible to specify a MAC Address filter?
>
> Yes, with transparent firewalling (bridge mode): see FAQ 6.10
> http://www.openbsd.org/faq/faq6.html#Bridge
>
> Do you block some nasty attacks with ARP: ARP spoofing with tools like Hunt or
> Arp-sk?
>
> Be careful with bridge mode: a good configuration is difficult and may be a
> source of problems.
>
> Foxy.

Do you (or anyone else) mind commenting on what those problems might be? 
I'm running a bridging firewall here at home and am curious what to 
look/watch for.

TIA,

Darren Spruell