Hello, Gabriele et al.
I'm a bit late to the argument, but still would like to add
a couple of cents:
1) As many wrote before me in other words, IPFilter
deals with Layer-3 and -4 protocols (IP / TCP/UDP/../)
while MAC addresses pertain to a different Layer 2,
particularly as implemented by Ethernet FRAMES
(which encapsulate IP PACKETS as their payload
with addition of MAC addresses, etc.).
2) There are many situations where your firewall may
not be in a position to know MAC addresses of hosts -
simply because it lives in a different ethernet segment.
A basic example is the standard DMZ construct,
where you have a number of internet-facing servers
firewalled from both the internet and the corporate
network.
In some cases the external firewall can deal with NAT
for private LAN addresses - but the separate internal
firewall which routes the packets from LAN to internet
via the external NAT/firewall has already removed the
original MAC addresses, because this is a different
segment, and the same packets are encapsulated into
new frames. And you're lucky if this is also Ethernet,
and not some ATM domain ;)
3) There are also situations where your firewall
deals with IPs (even with dynamically assigned
ones) while there is no Ethernet segment and no
individual MAC addresses in particular.
Two examples I live with daily are:
a] OpenVPN - staff log in from internet and receive
temporary private IPs (which can be assigned in a
static manner), and then can be NATed to external
networks such as those of supported customers.
MAC addresses in this case can be those of the
firewall host (which also runs OpenVPN server).
b] VirtualBox on OpenSolaris. Quite often many
VMs can share the MAC address of their host
interface, but still have very different IPs and OSes.
And in case of Virtual Desktop Infrastructure
they may also get dynamic addresses and require
NAT or filtering.
----
Having said all that, who can stop you from coding
in an architecture to filter MAC addresses in IPFilter? ;)
As a hint, libnet and derived sniffer tools like tcpdump
can display MACs. So it is all possible.
So you should take care to make it expandable
beyond Ethernet, but this seems like a doable quest.
2010-07-31 23:55, Ross Cameron wrote:
On Fri, Jul 30, 2010 at 8:06 PM, Wayne Rasmussen <[email protected]> wrote:
Doesn't this have to be done at the router? IIRC, once a packet
passes through a router, the mac address in the packet is set to
the mac of the router.
No, what you're thinking about is NAT (the source IP of the packets
looks like it's the outbound IP of the router).
MAC addresses are obscured as soon as packets are routed.
Plus in 99% of cases the firewall (where original mailer wants to
block traffic based on MAC address) IS routing traffic after a fashion
anyway.
The best way to accomplish what he has in mind is to statically map
certain MAC addresses to certain IPs in the DHCP server and create
rules based on these IPs.
Should you not have a lot of control over the DHCP servers then I
would suggest running a different OS with layer2 firewalling capabilities.
------------------------------------------------------------------------
*From:* [email protected] *On Behalf Of* Gabriele Bulfon
*Sent:* Wednesday, July 21, 2010 12:14 AM
*To:* [email protected]
*Cc:* Jim Sandoz; [email protected]
*Subject:* Re: RE : mac-address...
Thx :) sure I do know this is an option, but I'm not administering
dhcp everywhere, so sometimes I have dhcp admins who don't want to
implement static dhcp mapping, and I must find a way to NAT specific
machines when I can't rely on ip.
Why can't ipfilter let me check for mac-address? Where is the issue?
Gabriele Bulfon - Sonicle S.r.l.
Tel +39 028246016 Int. 30 - Fax +39 028243880
Via Felice Cavallotti 16 - 20089, Rozzano - Milano - ITALY
http://www.sonicle.com
-= Mail sent through WebTop2 =-
------------------------------------------------------------------------
*From:* Ross Cameron <[email protected]>
*To:* Gabriele Bulfon <[email protected]>
*Cc:* Jim Sandoz <[email protected]>; [email protected]
*Date:* 20 July 2010 16:35:47 CEST
*Subject:* Re: RE : mac-address...
Never heard of static DHCP mappings?
"Opportunity is most often missed by people because it is dressed
in overalls and looks like work."
Thomas Alva Edison
Inventor of 1093 patents, including:
The light bulb, phonogram and motion pictures.
On Tue, Jul 20, 2010 at 3:43 PM, Gabriele Bulfon <[email protected]> wrote:
This seems an old topic...is there any news about mac-address
filtering?
How could I manage dhcp-hosts nat another way?
I mean: all a company is dhcp, I don't want to do dns lookups, but
I want some PCs to have NAT regardless of their IP.
What can I do?
Gabriele.
----------------------------------------------------------------------------------
From: Jim Sandoz <[email protected]>
To: [email protected]
Date: 9 February 2006 21:40:59 CET
Subject: Re: RE : mac-address...
ipfilter DOES NOT filter on mac address.
jim
Koen Martens wrote:
> I'm pretty sure ipfilter doesn't do mac filtering..
>
> Koen
>
> Cordonnier Christophe wrote:
>
>>Are you sure ?
>>
>>-----Original message-----
>>From: Olivier Nicole [mailto:[email protected]]
>>Sent: Wednesday 8 February 2006 10:36
>>To: Cordonnier Christophe
>>Cc: [email protected]
>>Subject: Re: mac-address...
>>
>>
>>>Can Ipf filter on mac-address?
>>
>>
>>I'd say it can't.
>>
>>Olivier
--
Jim Klimov (Evgeny Klimov)
CTO (Technical Director)
JSC COS&HT
+7-903-7705859 (cellular) mailto:[email protected]
CC:[email protected],[email protected]
() ascii ribbon campaign - against html mail
/\ - against microsoft attachments
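To make the layer-2 versus layer-3 point in the thread concrete (why an IP-level filter behind a router never sees the PC's MAC, and why routing is not the same thing as NAT), here is an added example that is not part of any message above: it wraps an IPv4 packet in an Ethernet frame, forwards it the way a router does between the LAN and DMZ segments, and compares what each segment carries. All MAC and IP addresses are constructed.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (illustrative only, not from the thread).
PC_MAC = bytes.fromhex("020000000001")      # the PC to be NATed
LAN_FW_MAC = bytes.fromhex("020000000002")  # internal firewall, LAN side
DMZ_FW_MAC = bytes.fromhex("020000000003")  # internal firewall, DMZ side
EXT_FW_MAC = bytes.fromhex("020000000004")  # external NAT firewall, DMZ side

def build_ipv4(src_ip, dst_ip, ttl=64, payload=b""):
    """Minimal IPv4 header (no options, checksum zeroed) plus an opaque payload."""
    addrs = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 17, 0, *addrs)
    return header + payload

def encapsulate(dst_mac, src_mac, ip_packet):
    """Layer 2: wrap the IP packet in an Ethernet II frame for one segment."""
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4) + ip_packet

def parse_frame(frame):
    """Split a frame into the L2 header and the L3 packet an IP filter inspects."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    ip_packet = frame[14:]
    return {
        "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"), "ethertype": ethertype,
        "ttl": ip_packet[8],
        "src_ip": str(ipaddress.IPv4Address(ip_packet[12:16])),
        "dst_ip": str(ipaddress.IPv4Address(ip_packet[16:20])),
        "ip_packet": ip_packet,
    }

def forward(frame, out_src_mac, next_hop_mac):
    """What a router does: discard the old frame, decrement TTL, build a new frame."""
    ip_packet = bytearray(frame[14:])
    ip_packet[8] -= 1  # TTL; the rest of the IP header and the payload are untouched
    return encapsulate(next_hop_mac, out_src_mac, bytes(ip_packet))

def walk_to_external_firewall():
    """Views of one packet on the LAN segment and, after routing, on the DMZ segment."""
    packet = build_ipv4("10.1.1.50", "203.0.113.10", payload=b"constructed payload")
    on_lan = encapsulate(LAN_FW_MAC, PC_MAC, packet)
    on_dmz = forward(on_lan, DMZ_FW_MAC, EXT_FW_MAC)
    return [parse_frame(on_lan), parse_frame(on_dmz)]

if __name__ == "__main__":
    for segment, view in zip(("LAN", "DMZ"), walk_to_external_firewall()):
        print(segment, "src MAC", view["src_mac"], "src IP", view["src_ip"], "TTL", view["ttl"])
```

On the DMZ segment the source MAC is the internal firewall's, while the IP header (the only part IPFilter examines) still names 10.1.1.50; the PC's MAC is not present anywhere in that packet, which is why a MAC-to-IP binding has to be established elsewhere (e.g. static DHCP mappings) before IP-based rules can stand in for it.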