Using MAC address in Firewall rules (ZeroShell forum, Network Management)

February 18, 2009 at 10:24 pm #41484
LingaringBell (Member)

I’m trying to use MAC addresses to restrict computers from accessing the internet. I create a rule in the Forward chain that applies to both routed and bridged packets. I set up a pretty generic rule that looks like:

    target prot opt in out source destination
    DROP all -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:18:F3:01:7A:D5

I try to pass through the firewall with my test computer that has this MAC address and it passes fine, instead of getting dropped like it should. My only idea is that I have to be using DHCP services on the Zeroshell box for this to work, but that seems kind of silly. Any ideas? Thanks.
-Bell

February 19, 2009 at 8:22 am #47639
ppalias (Member)

Try to use this and see if it works:

    iptables -A FORWARD -m mac --mac-source 00:18:F3:01:7A:D5 -j DROP
February 19, 2009 at 2:05 pm #47640
ppalias (Member)

I tried it now both directly with iptables and the Web interface (don’t forget to save) and it worked fine. Version 1.0 beta 11.
February 19, 2009 at 7:38 pm #47641
LingaringBell (Member)

I just tried it using both methods and neither of them worked. I am running Version 1.0 beta 11. If I look under “Connection Tracking” in the Firewall menu, I do not see any MAC addresses listed. Would there be some reason that Zeroshell is not checking the MAC address of the connections being made?
February 19, 2009 at 8:49 pm #47642
imported_fulvio (Participant)

Connection tracking works at layer 4. You cannot find MAC addresses because they are layer 2 addresses.

Could you post a network diagram of your LAN? Is your client connected to Zeroshell on the same layer 2?

Regards
Fulvio

February 19, 2009 at 10:09 pm #47643
LingaringBell (Member)
I’m not exactly sure what you are asking when you say “the same layer 2”. My LAN is pretty simple. The machine that I’m testing the MAC address rules with is connected like this:

- Computer connected to a layer 2 switch.
- That layer 2 switch is connected to a layer 3 core switch.
- An Untangle Firewall box (it has two network interfaces set up in a bridged state): one interface is connected to the layer 3 switch, and the other is connected to the Zeroshell box.
- The Zeroshell box is doing routing between its two network interfaces, one of which is connected to the Untangle Firewall, the other to the internet router.
February 19, 2009 at 10:32 pm #47644
imported_fulvio (Participant)

At this point I have to say that the only place where you could apply a MAC address filter is the layer 3 router connected to the switch. Zeroshell is not able to see the MAC address of the client because the first router breaks the layer 2 where it is connected.

Regards
Fulvio

February 20, 2009 at 12:03 am #47645
LingaringBell (Member)

Thanks Fulvio, for some reason I didn’t even think of that. I was looking at it so hard I forgot the obvious. Thanks everyone.
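As an added example (not code from the thread, from ppalias, or from Zeroshell), the following POSIX shell helper applies Fulvio's diagnosis before adding ppalias's rule: an iptables `-m mac --mac-source` match can only see the MAC of the last hop on the firewall's own segment, so the helper first checks whether the client's MAC appears in the firewall's neighbour table (the format of `ip neigh show`) and only then prints the FORWARD rule. The sample neighbour table, the interface names and the 00:18:f3:aa:bb:cc address for the directly attached client are constructed for the demo; the 00:18:F3:01:7A:D5 address is the one from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zeroshell.
# A router between client and firewall rewrites the frame's source MAC to its
# own, so a MAC match on the firewall never fires for that client. The ARP /
# neighbour table only lists hosts on directly attached segments, which makes
# it a quick sanity check before adding the rule.

# Six colon-separated hex octets, any case.
is_valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Succeeds when the MAC appears as an "lladdr" in the neighbour-table text
# passed as $2, i.e. the host is reachable at layer 2 from this box.
mac_on_local_segment() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$2" | tr 'A-F' 'a-f' | grep -Eq "lladdr $mac( |\$)"
}

# The rule from the thread, printed rather than executed.
build_mac_drop_rule() {
    printf 'iptables -A FORWARD -m mac --mac-source %s -j DROP\n' "$1"
}

# Returns 0 and prints the rule when it can work from this box, 1 when the MAC
# is not locally visible (the rule would never match), 2 for a malformed MAC.
plan_mac_drop() {
    if ! is_valid_mac "$1"; then
        echo "malformed MAC address: $1" >&2
        return 2
    fi
    if mac_on_local_segment "$1" "$2"; then
        build_mac_drop_rule "$1"
        return 0
    fi
    echo "MAC $1 is not in the neighbour table: the client is behind a router, filter it there" >&2
    return 1
}

# Constructed sample of `ip neigh show` output. Only the downstream router
# (10.0.0.1) and one directly attached client (10.0.0.9) are visible; the
# thread's client sits behind the router and therefore never appears.
SAMPLE_NEIGH='10.0.0.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.9 dev eth0 lladdr 00:18:f3:aa:bb:cc STALE
203.0.113.1 dev eth1 lladdr 00:aa:bb:cc:dd:ee REACHABLE'

# Demo: the thread's MAC is refused, the directly attached client yields a rule.
plan_mac_drop 00:18:F3:01:7A:D5 "$SAMPLE_NEIGH" || :
plan_mac_drop 00:18:f3:aa:bb:cc "$SAMPLE_NEIGH" || :

# Real use on a Linux box (assumes the iproute2 "ip" tool is installed);
# run the printed iptables command as root:
#   plan_mac_drop 00:18:F3:01:7A:D5 "$(ip neigh show)"
```

An absent neighbour entry can also mean the client has simply been quiet long enough for its entry to expire, so ping the client from the firewall first; the check tells you only whether the MAC is visible at layer 2, which is exactly the condition the thread ends on.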
February 17, 2010 at 5:36 am #47646
Anonymous (Member)

DELETED