On Fri, Nov 7, 2008 at 11:33 AM, Douglas A. Tutty <[EMAIL PROTECTED]> wrote:
> On Fri, Nov 07, 2008 at 01:22:08PM +0100, Peter N. M. Hansteen wrote:
>
>> Unless we make some other unique identifier part of the way PF
>> evaluates rules (the MAC address comes to mind, but that too can be
>> changed in any modern operating system), there is no quick fix, other
>> than rewriting your rule set so it avoids 'on' criteria and other
>> hardware specifics wherever possible.
>
I don't see the ability to change a MAC address as a problem. Someone would
need to get root access inside the router to make this change. So, since
the bad guy is already root, there aren't many things to be done to protect
the machine...
> Free advice without a patch is, of course, worth the price, but:
>
I'll take these words as mine as I discuss this matter in this message.
> If there was a way of recording the MAC address assigned to each
> interface by the kernel, then on a subsequent reboot could the kernel
> read that file to ensure that previously seen interfaces were assigned
> the same number?
>
> On Linux (Debian), interfaces are all ethx no matter what vendor. The
> udev system is supposed to record corresponding MAC in a persistent rules
> file to prevent this problem. Of course, this doesn't seem to work on
> some boxes for drives, so that, for example, a boot fails if a USB stick
> is plugged in because it may be assigned the /dev/sdx that is supposed
> to be the root drive. This prompts hacks of mounting with LABEL or
> UUID.
>
In Linux, there's a utility called ifrename. I had to use it in a massive Linux
installation once. The guys performing customer support were dumb enough
to not learn the ethX addressing. I've used ifrename to change the names
such as "eth0", "eth1" and "eth2" to "wan", "lan" and "dmz".
I really would like to have this kind of support on OpenBSD, but the NIC
naming schemas of Linux and *BSD have huge differences.
> Perhaps pf could be configured with MAC address instead of interface id.
>
> Sure the MAC address could be changed by the sysadmin, but does it get
> changed at random by the OS?
>
One idea I had a couple of years ago involves changing the way the interface
drivers are "loaded" in the kernel. Now, the schema is "static". Probably
translating it to a "dynamic" one could have some gains. My idea was to
provide a mapping (or alias) to a network card based on its MAC address,
just like ifrename on Linux. One could use a file in /etc/ (say,
/etc/ifrename.conf) to configure the system as follows:
=============================================================
# this is a comment
alias_name=nic      # some base string; current network driver names
                    # like "rtl" and "wi" would be forbidden
wi0=0               # numeric field, unique for each interface
le0=1
00:40:a7:0b:13:70=2
=============================================================
The configuration above would make your wi1 interface available as "nic0", your
le0 interface would be named "nic1" and the interface that holds the MAC address
00:40:a7:0b:13:70 would be visible as "nic2".
So, the following commands should be considered "equal":
ifconfig le0
ifconfig nic1
The feature described above would have huge collateral effects on lots of
things and I can't say a patch would pass to mainstream.
I also never did any research beyond this superficial layer.
> Just some early-morning thoughts, for what they're worth.
>
> Doug.
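As an added illustration of the mapping sketched in the message above (this is not code from the thread, and not an existing OpenBSD or Linux facility): a Python parser for the proposed /etc/ifrename.conf format, plus a resolver that turns the interface list the kernel actually attached into alias names. Only the config lines themselves come from the message; the list of forbidden driver names, the rule that a MAC entry wins over a name entry, the constructed interface inventory and the function names are all assumptions. The resolver refuses an ambiguous result instead of silently picking one interface, which is the check that matters if a MAC address gets changed on the box so that two interfaces would claim the same alias.

```python
"""Parser and resolver for the ifrename.conf-style mapping proposed in the
thread. Added example: not part of the original messages and not a real
OpenBSD facility. Only the config format (alias_name=<base>, <ifname>=<n>,
<mac>=<n>, '#' comments) comes from the proposal; the rest is assumed."""
import re

# Driver prefixes an alias base must not shadow. Assumed list; the message
# itself only names "rtl" and "wi" as examples.
FORBIDDEN_ALIASES = {"rtl", "wi", "le", "fxp", "em", "re"}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
IFNAME_RE = re.compile(r"^[a-z]+[0-9]+$")


def parse_ifrename_conf(text):
    """Return (alias_base, mapping), where mapping maps a kernel interface
    name or a lower-cased MAC address to its alias number. Raises ValueError
    on malformed lines, reused numbers, or a forbidden alias base."""
    alias_base = None
    mapping = {}
    used_numbers = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value")
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "alias_name":
            if not re.fullmatch(r"[a-z]+", value):
                raise ValueError(f"line {lineno}: alias base must be letters only")
            if value in FORBIDDEN_ALIASES:
                raise ValueError(f"line {lineno}: alias {value!r} collides with a driver name")
            alias_base = value
            continue
        key = key.lower()
        if not (MAC_RE.match(key) or IFNAME_RE.match(key)):
            raise ValueError(f"line {lineno}: {key!r} is neither an interface name nor a MAC")
        if not value.isdigit():
            raise ValueError(f"line {lineno}: alias number must be numeric")
        number = int(value)
        if number in used_numbers:
            raise ValueError(f"line {lineno}: number {number} already used by {used_numbers[number]!r}")
        used_numbers[number] = key
        mapping[key] = number
    if alias_base is None:
        raise ValueError("alias_name is required")
    return alias_base, mapping


def resolve_aliases(alias_base, mapping, system_interfaces):
    """Map alias names to the real interfaces the kernel found, given a list of
    (ifname, mac) pairs. A MAC entry takes precedence over a name entry
    (assumed rule). Refuses to proceed if two interfaces claim one alias."""
    result = {}
    for ifname, mac in system_interfaces:
        mac = mac.lower()
        if mac in mapping:
            number = mapping[mac]
        elif ifname in mapping:
            number = mapping[ifname]
        else:
            continue  # not covered by the config: keeps its kernel name
        alias = f"{alias_base}{number}"
        if alias in result:
            raise ValueError(f"alias {alias} claimed by both {result[alias]} and {ifname}")
        result[alias] = ifname
    return result


def conf_is_valid(text):
    """True if the config parses cleanly; used to show rejection of bad input."""
    try:
        parse_ifrename_conf(text)
        return True
    except ValueError:
        return False


# The config lines from the message, with the comments in '#' form.
SAMPLE_CONF = """\
# this is a comment
alias_name=nic      # base string; driver names like "rtl" and "wi" are forbidden
wi0=0               # numeric field, unique for each interface
le0=1
00:40:a7:0b:13:70=2
"""

# Constructed inventory of what the kernel attached on this boot. The MACs
# other than the one from the config are made up for the example.
SYSTEM_INTERFACES = [
    ("wi0", "00:02:2d:11:22:33"),
    ("le0", "08:00:20:44:55:66"),
    ("rtl0", "00:40:A7:0B:13:70"),
]


def demo():
    """Resolve the sample config against the constructed inventory."""
    base, mapping = parse_ifrename_conf(SAMPLE_CONF)
    return resolve_aliases(base, mapping, SYSTEM_INTERFACES)


def spoofed_demo():
    """Same inventory plus a second card carrying the configured MAC; returns
    the conflict message rather than a silently chosen winner."""
    base, mapping = parse_ifrename_conf(SAMPLE_CONF)
    spoofed = SYSTEM_INTERFACES + [("rtl1", "00:40:a7:0b:13:70")]
    try:
        resolve_aliases(base, mapping, spoofed)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for alias, real in sorted(demo().items()):
        print(f"{alias} -> {real}")
    print("conflict check:", spoofed_demo())
```

Run as a script it prints the three alias assignments (nic0, nic1, nic2) and then the conflict message for the duplicated MAC. The precedence rule and the refusal on conflict are design choices of this example, not something the proposal specifies; the point they make is that a MAC-keyed mapping only buys convenience, and the resolver must notice when the key it trusts is no longer unique.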