RE: PF MAC Filter
As I understand 'The PF + Bridge Caution' - it is a risk of tanglefoot - as packets are going in and out of at least two interfaces, giving four PF filtering scenarios, it is easy to get it wrong or not get a small bit of it just right - especially if you are keeping states. The rule of thumb is to do your keep state on one interface, in one direction, and pass on the others. Or find a quiet place and think a lot. =)

Oh, and randomized sequence numbers should only be done once if you can.

But if you're in need of the MAC level, well... that happens at the bridgename.if level and without all the fancy macro stuff that PF has - yuck.

-discover -learn static - see brconfig too once you get it figured - think about posting to the Wiki

-----Original Message-----
From: Sancho2k.net Lists [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 26, 2003 7:19 PM
To: Laurent Cheylus
Cc: [EMAIL PROTECTED]
Subject: Re: PF MAC Filter

Laurent Cheylus wrote:
> Shawn Mitchell <[EMAIL PROTECTED]> wrote :
>
>> Is it possible to specify a MAC Address filter?
>
> Yes, with transparent firewalling (bridge mode) : see FAQ 6.10
> http://www.openbsd.org/faq/faq6.html#Bridge
>
> Do you block some nasty attacks with ARP : ARP spoofing with tools like Hunt or
> Arp-sk ?
>
> Be careful with bridge mode : a good configuration is difficult and may be a
> source of problems.
>
> Foxy.

Do you (or anyone else) mind commenting on what those problems might be? I'm running a bridging firewall here at home and am curious what to look/watch for.

TIA,
Darren Spruell
Re: PF MAC Filter
Laurent Cheylus wrote:
> Shawn Mitchell <[EMAIL PROTECTED]> wrote :
>
>> Is it possible to specify a MAC Address filter?
>
> Yes, with transparent firewalling (bridge mode) : see FAQ 6.10
> http://www.openbsd.org/faq/faq6.html#Bridge
>
> Do you block some nasty attacks with ARP : ARP spoofing with tools like Hunt or
> Arp-sk ?
>
> Be careful with bridge mode : a good configuration is difficult and may be a
> source of problems.
>
> Foxy.

Do you (or anyone else) mind commenting on what those problems might be? I'm running a bridging firewall here at home and am curious what to look/watch for.

TIA,
Darren Spruell
RE: PF MAC Filter
I went looking there.. but I just found old archives.. and a bunch of "well linux has it" arguments. I personally don't care who has what, I just care about whose works the best for what I need it to do. That's why I converted some of my firewalls from Linux's iptables, to OpenBSD and pf... I like it more...

thx for the info though!

-Shawn

-----Original Message-----
From: Daniel Hartmeier [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 26, 2003 6:21 PM
To: Shawn Mitchell
Cc: Stefan Sonnenberg-Carstens; [EMAIL PROTECTED]
Subject: Re: PF MAC Filter

On Wed, Feb 26, 2003 at 06:13:38PM -0600, Shawn Mitchell wrote:

> Just a little pre-filtering to stop the ignorant people, and the wanna-be
> hackers.

For MAC level filtering, you'll need a bridge. See brconfig(8) about how to filter on MAC addresses. pf will still work on a bridge, and you can do the IP level filtering with pf on the same box.

pf itself does not (and will not) filter on MAC addresses, as has been discussed in-depth many times before. If you're interested in the old discussions, the mailing list archives will help you.

Daniel
Re: PF MAC Filter
Shawn Mitchell <[EMAIL PROTECTED]> wrote :

> Is it possible to specify a MAC Address filter?

Yes, with transparent firewalling (bridge mode) : see FAQ 6.10
http://www.openbsd.org/faq/faq6.html#Bridge

Do you block some nasty attacks with ARP : ARP spoofing with tools like Hunt or Arp-sk ?

Be careful with bridge mode : a good configuration is difficult and may be a source of problems.

Foxy.

--
Laurent Cheylus <[EMAIL PROTECTED]> OpenPGP ID 0x5B766EC2
Re: PF MAC Filter
On Wed, Feb 26, 2003 at 06:13:38PM -0600, Shawn Mitchell wrote:

> Just a little pre-filtering to stop the ignorant people, and the wanna-be
> hackers.

For MAC level filtering, you'll need a bridge. See brconfig(8) about how to filter on MAC addresses. pf will still work on a bridge, and you can do the IP level filtering with pf on the same box.

pf itself does not (and will not) filter on MAC addresses, as has been discussed in-depth many times before. If you're interested in the old discussions, the mailing list archives will help you.

Daniel
RE: PF MAC Filter
Yeah.. and my openbsd box is the router. I have 2 qfe cards in it. I'm just wanting a way to where I can ensure (doesn't have to be 100% mind you) that only some people can get through the box. The DHCP server only gives out static IP Addresses, according to the MAC Address. I don't want to spend a bunch of time making it 100% secure, but I'm wanting to accomplish two main things. Control access a little, and make sure that someone doesn't give their machine a static IP Address and do network traffic through the router. Just a little pre-filtering to stop the ignorant people, and the wanna-be hackers.

-Shawn

-----Original Message-----
From: Stefan Sonnenberg-Carstens [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 26, 2003 9:12 AM
To: Shawn Mitchell; [EMAIL PROTECTED]
Subject: Re: PF MAC Filter

No, it is not possible.

And you should remember that a setup like that can cut you off by mistake; everyone who had to deal with a Fw-1 and the f***ng arp-cache should know ...

And another thing : In Ethernet terms, you can only see MACs on your ethernet segment (eg a router, switch) etc, so if you have a router in front of your pf firewall, MAC filtering can only make sure that this is the router you are dealing with. As far as I remember, you will never see the MACs of hosts BEFORE the router.

So to me it seems only like some anti-spoofing technique with limited ability; Are you sure you want that? Perhaps you should specify your intention a bit clearer.

----- Original Message -----
From: "Shawn Mitchell" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 26, 2003 10:26 AM
Subject: PF MAC Filter

> Is it possible to specify a MAC Address filter?
>
> And just to go ahead and cut off the trolls on MAC Filtering... I know you
> can change your MAC address. I don't care that you can. I'm wanting to
> place a few filters that will stop 98% of the people out there, and put
> something in place to where I can force an IP Address to be used only by a
> specified network interface.
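Pulling together the brconfig(8) pointers in the replies above and the keep-state rule of thumb from the first message, here is an added example that is not part of the thread: a sh script that turns the list of MACs the DHCP server hands static leases to into the bridge commands that pin those stations to the inside port and drop every other frame there, plus a pf.conf fragment with state on the outside interface only. The names bridge0, fxp0 (outside), fxp1 (inside), 192.0.2.0/24 and the MAC values are constructed, and the script prints the commands rather than running them, so the result can be reviewed before it is applied.

```shell
# Added example, not from the thread. bridge0, fxp0 (outside), fxp1 (inside),
# 192.0.2.0/24 and the MAC values are constructed.

# Constructed allow-list; the last entry is deliberately malformed.
ALLOWED_MACS='00:00:5e:00:53:01
00:00:5e:00:53:02
not-a-mac'

H='[0-9a-fA-F]'
# valid_mac ADDR: true only for a colon-separated 48-bit address.
valid_mac() {
    case "$1" in
    $H$H:$H$H:$H$H:$H$H:$H$H:$H$H) return 0 ;;
    *) return 1 ;;
    esac
}

# gen_bridge_cmds BRIDGE INSIDE_IF: one brconfig command per output line.
# Malformed entries are reported and skipped; if they reached brconfig the
# run would abort half-way and the catch-all block rule would never be set.
gen_bridge_cmds() {
    br=$1; inside=$2
    # stop learning and flooding on the inside port; forwarding entries are static
    printf 'brconfig %s -learn %s -discover %s\n' "$br" "$inside" "$inside"
    printf '%s\n' "$ALLOWED_MACS" | while read -r mac; do
        if ! valid_mac "$mac"; then
            printf 'skipping malformed entry: %s\n' "$mac" >&2
            continue
        fi
        printf 'brconfig %s static %s %s\n' "$br" "$inside" "$mac"
        printf 'brconfig %s rule pass in on %s src %s\n' "$br" "$inside" "$mac"
    done
    # no src: matches every remaining frame received on the inside port
    printf 'brconfig %s rule block in on %s\n' "$br" "$inside"
}

# gen_pf_conf OUTSIDE_IF INSIDE_IF INSIDE_NET: IP-level policy. State (and
# sequence-number modulation) only on the outside interface; the inside
# interface passes everything, its per-station policy is the MAC rules above.
gen_pf_conf() {
    cat <<EOF
block all
pass in on $1 inet proto tcp from any to $3 port 22 flags S/SA keep state
pass out on $1 inet proto tcp from $3 to any flags S/SA modulate state
pass out on $1 inet proto { udp, icmp } from $3 to any keep state
pass on $2 all
EOF
}
```

Run `gen_bridge_cmds bridge0 fxp1 | sh` only after reading the output; a station whose MAC is not in the list (or whose entry was mistyped) loses connectivity through the bridge, which is the cut-off-by-mistake case Stefan warns about.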
Re: PF MAC Filter
On Wed, Feb 26, 2003 at 03:26:28AM -0600, Shawn Mitchell wrote:
>
> Is it possible to specify a MAC Address filter?
>
> And just to go ahead and cut off the trolls on MAC Filtering... I know you
> can change your MAC address. I don't care that you can. I'm wanting to
> place a few filters that will stop 98% of the people out there, and put
> something in place to where I can force an IP Address to be used only by a
> specified network interface.

Hi,

Different network layer than PF, it won't work.

However: man brconfig

==ml

--
Michael Lucas [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.BlackHelicopters.org/~mwlucas/
Absolute BSD: http://www.AbsoluteBSD.com/
Re: PF MAC Filter
No, it is not possible.

And you should remember that a setup like that can cut you off by mistake; everyone who had to deal with a Fw-1 and the f***ng arp-cache should know ...

And another thing : In Ethernet terms, you can only see MACs on your ethernet segment (eg a router, switch) etc, so if you have a router in front of your pf firewall, MAC filtering can only make sure that this is the router you are dealing with. As far as I remember, you will never see the MACs of hosts BEFORE the router.

So to me it seems only like some anti-spoofing technique with limited ability; Are you sure you want that? Perhaps you should specify your intention a bit clearer.

----- Original Message -----
From: "Shawn Mitchell" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 26, 2003 10:26 AM
Subject: PF MAC Filter

> Is it possible to specify a MAC Address filter?
>
> And just to go ahead and cut off the trolls on MAC Filtering... I know you
> can change your MAC address. I don't care that you can. I'm wanting to
> place a few filters that will stop 98% of the people out there, and put
> something in place to where I can force an IP Address to be used only by a
> specified network interface.
PF MAC Filter
Is it possible to specify a MAC Address filter?

And just to go ahead and cut off the trolls on MAC Filtering... I know you can change your MAC address. I don't care that you can. I'm wanting to place a few filters that will stop 98% of the people out there, and put something in place to where I can force an IP Address to be used only by a specified network interface.