Using MAC address in Firewall rules

Forums Network Management ZeroShell Using MAC address in Firewall rules

  • This topic is empty.
Viewing 9 posts - 1 through 9 (of 9 total)
  • Author
    Posts
  • February 18, 2009 at 10:24 pm #41484
    LingaringBell
    Member

    I’m trying to use MAC addresses to restrict computers from accessing the internet. I create a rule in the Forward chain that applies to both routed and bridged packets. I set up a pretty generic rule that looks like:

    target prot opt in out source destination
    DROP all — * * 0.0.0.0/0 0.0.0.0/0 MAC 00:18:F3:01:7A:D5

    I try to pass through the firewall with my test computer that has this MAC address and it passes fine, instead of getting dropped like it should. My only idea is that I have to be using DHCP services on the Zeroshell box for this to work, but that seems kind of silly. Any ideas? Thanks.
    -Bell

    February 19, 2009 at 8:22 am #47639
    ppalias
    Member

    Try to use this and see if it works:

    iptables -A FORWARD -m mac --mac-source 00:18:F3:01:7A:D5  -j DROP
    February 19, 2009 at 2:05 pm #47640
    ppalias
    Member

    I tried it now both directly with IP tables and Web interface (don’t forget to save) and it worked fine. Version 1.0 beta 11

    February 19, 2009 at 7:38 pm #47641
    LingaringBell
    Member

    I just tried it using both methods and neither of them worked. I am running Version 1.0 beta 11. If I look under “Connection Tracking” in the Firewall menu, I do not see any MAC addresses listed. Would there be some reason that Zeroshell is not checking the MAC address of the connections being made?

    February 19, 2009 at 8:49 pm #47642
    imported_fulvio
    Participant

    Connection tracking works at layer 4. You cannot find MAC addresses because they are layer 2 addresses.
    Could you post a network diagram of your lan? is your client connected to Zeroshell on the same layer 2?

    Regards
    Fulvio

    February 19, 2009 at 10:09 pm #47643
    LingaringBell
    Member

    I’m not exactly sure what you are asking when you say “the same layer 2”. My lan is pretty simple. The machine that I’m testing the MAC address rules with is connected like this:

    — Computer connected to a layer 2 switch.

    –That layer 2 switch is connected to a layer 3 core switch.

    –An Untangle Firewall box (it has two network interfaces set up in a bridged state) one interface is connected to the layer 3 switch, and the other is connected to the Zeroshell box.

    –The Zeroshell box has two is doing routing between it’s two network interfaces, one of which is connected to the Untangle Firewall, the other to the internet router.

    February 19, 2009 at 10:32 pm #47644
    imported_fulvio
    Participant

    At this point I have to say that the only place where you could apply a MAC address filter is the layer 3 router connected to the switch. Zeroshell is not able to see the MAC address of the client because the first router breaks the layer 2 where it is connected.

    Regards
    Fulvio

    February 20, 2009 at 12:03 am #47645
    LingaringBell
    Member

    Thanks Fulvio for some reason I didn’t even think of that. I was looking at it so hard I forgot the obvious. Thanks everyone.

    February 17, 2010 at 5:36 am #47646
    Anonymous
    Member

    DELETED

  • Author
    Posts
Viewing 9 posts - 1 through 9 (of 9 total)
  • You must be logged in to reply to this topic.