Ignacio Garcia
2005-Apr-14 13:38 UTC
MAC Validation and related problem that is killing me...
Hi there... I want to use MAC validation for strict computer access rules to our server and LAN. I do not want any computer to have ANY kind of access (neither LAN nor Internet access, not even getting an IP from the dhcp server, or being able to connect to anything by manually configuring the IP settings) unless its MAC is on the list.

Our server has two interfaces (eth0 & eth1) and 2 zones (net and local). On the local net we have several wifi access points distributed along the facilities. All computers (wired and wifi) get their IP from the fw's dhcp services. I use shorewall 2.2.

maclist looks like this:

    eth1 00:11:22:33:44:55 #comment
    eth1 00:11:22:33:44:66 #comment2

interfaces has:

    eth0 detect dhcp
    eth1 192.168.136.255 maclist,dhcp

The related variables in shorewall.conf are set.

Now, let's say a MAC address is NOT in the list. That computer still gets an IP from the dhcp server. That computer cannot access the fw, but, yes, it can ping and access other computers in the same subnet as if it was in the list.

Maybe I'm missing something and MAC validation is not for this... Any help???

TIA,
Ignacio
Tom Eastep
2005-Apr-14 14:15 UTC
Re: MAC Validation and related problem that is killing me...
Ignacio Garcia wrote:

> Maybe I'm missing something and MAC validation is not for this... Any help???

You are missing the fact that parts of DHCP bypass Netfilter and that there is nothing you can do in Shorewall to solve this problem. You will have to configure your DHCP server to make it reject unknown MAC addresses.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Ignacio Garcia
2005-Apr-14 14:21 UTC
Re: MAC Validation and related problem that is killing me...
Tom Eastep wrote:

> You are missing the fact that parts of DHCP bypass Netfilter and that
> there is nothing you can do in Shorewall to solve this problem. You will
> have to configure your DHCP server to make it reject unknown MAC
> addresses.
>
> -Tom

Still, what if a "smart" user configures his computer with manual IP settings... then he bypasses the dhcp server and can see other computers in the LAN. Is there a way to prevent that with shorewall?

Thanks,
Ignacio
Tom Eastep
2005-Apr-14 14:27 UTC
Re: MAC Validation and related problem that is killing me...
Ignacio Garcia wrote:

> Tom Eastep wrote:
>
>> You are missing the fact that parts of DHCP bypass Netfilter and that
>> there is nothing you can do in Shorewall to solve this problem. You will
>> have to configure your DHCP server to make it reject unknown MAC
>> addresses.
>>
>> -Tom
>
> Still, what if a "smart" user configures his computer with manual IP
> settings... then he bypasses the dhcp server and can see other computers
> in the LAN. Is there a way to prevent that with shorewall?

I know of no way to stop that no matter what firewall you run.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Gary Buckmaster
2005-Apr-14 14:33 UTC
Re: MAC Validation and related problem that is killing me...
>> Still, what if a "smart" user configures his computer with manual IP
>> settings... then he bypasses the dhcp server and can see other computers
>> in the LAN. Is there a way to prevent that with shorewall?

A smart user could also spoof the MAC address of a device which is allowed network access and defeat your authentication scheme that way. MAC address filtering is not a reliable method for securing a network, especially a wifi network.
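Since, as Tom and Gary say above, no firewall rule stops an unlisted or statically configured host from reaching its LAN peers, a defender can at least detect such hosts from the firewall's own neighbour table. This is an added example, not code from the thread or from Shorewall; it assumes the maclist format shown in the first post, a constructed `ip neigh show` output, and an assumed DHCP pool of .101 to .200 on 192.168.136.0/24.

```python
"""Audit the firewall host's neighbour table against a Shorewall-style maclist.
Flags MACs the maclist does not know, listed MACs sitting on an address outside
the DHCP pool (manual IP settings), and one MAC seen on several addresses."""
import re
from collections import defaultdict

# Shorewall 2.2 maclist lines, copied from the first post
MACLIST = """\
eth1 00:11:22:33:44:55 #comment
eth1 00:11:22:33:44:66 #comment2
"""
# Constructed `ip neigh show` output as it would look on the firewall host
NEIGH = """\
192.168.136.101 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
192.168.136.102 dev eth1 lladdr 00:11:22:33:44:66 STALE
192.168.136.7 dev eth1 lladdr 00:11:22:33:44:66 REACHABLE
192.168.136.250 dev eth1 lladdr 00:de:ad:be:ef:01 REACHABLE
192.168.136.33 dev eth1  FAILED
"""
POOL = (101, 200)  # assumed dhcpd range, last octet of 192.168.136.0/24

def parse_maclist(text):
    """Return {interface: set(mac)} from maclist lines, ignoring comments."""
    allowed = defaultdict(set)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            iface, mac = line.split()[:2]
            allowed[iface].add(mac.lower())
    return allowed

def audit(neigh_text, allowed, pool):
    """Return a list of (ip, mac, reason) findings from neighbour entries."""
    findings, seen = [], defaultdict(set)
    for line in neigh_text.splitlines():
        m = re.match(r"(\S+) dev (\S+) lladdr (\S+)", line)
        if not m:
            continue  # FAILED/INCOMPLETE entries carry no lladdr
        ip, dev, mac = m.group(1), m.group(2), m.group(3).lower()
        seen[mac].add(ip)
        if mac not in allowed[dev]:
            findings.append((ip, mac, "mac not in maclist"))
        elif not pool[0] <= int(ip.rsplit(".", 1)[1]) <= pool[1]:
            findings.append((ip, mac, "listed mac outside dhcp pool"))
    for mac, ips in seen.items():
        if len(ips) > 1:  # same MAC on two addresses: duplicate or spoofed
            findings.append((",".join(sorted(ips)), mac, "mac on several ips"))
    return findings
```

Calling `audit(NEIGH, parse_maclist(MACLIST), POOL)` on the constructed data yields three findings: the listed MAC on .7 outside the pool, the unknown MAC on .250, and the listed MAC appearing on both .102 and .7.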
Ignacio Garcia
2005-Apr-14 14:34 UTC
Re: MAC Validation and related problem that is killing me...
> I know of no way to stop that no matter what firewall you run.

Ok. Thanks a lot, Tom!

Ignacio
Tom Eastep
2005-Apr-14 14:49 UTC
Re: MAC Validation and related problem that is killing me...
Gary Buckmaster wrote:

>>> Still, what if a "smart" user configures his computer with manual IP
>>> settings... then he bypasses the dhcp server and can see other computers
>>> in the LAN. Is there a way to prevent that with shorewall?
>
> A smart user could also spoof the MAC address of a device which is
> allowed network access and defeat your authentication scheme that way.
> MAC address filtering is not a reliable method for securing a
> network, especially a wifi network.

Ditto. My Wifi network (see http://shorwall.net/myfiles.htm) is isolated from my local systems and I require either IPSEC or OpenVPN for access from that network (in addition to MAC validation).

If I walk around my house with a laptop, I can connect to _three_ other wifi networks besides mine! All three allow me access to the internet (why pay for a backup internet connection :-)). Being a good neighbor, I haven't tried to access the other systems connected to those networks.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2005-Apr-14 14:53 UTC
Re: MAC Validation and related problem that is killing me...
Tom Eastep wrote:

> Gary Buckmaster wrote:
>
>>>> Still, what if a "smart" user configures his computer with manual IP
>>>> settings... then he bypasses the dhcp server and can see other computers
>>>> in the LAN. Is there a way to prevent that with shorewall?
>>
>> A smart user could also spoof the MAC address of a device which is
>> allowed network access and defeat your authentication scheme that way.
>> MAC address filtering is not a reliable method for securing a
>> network, especially a wifi network.
>
> Ditto. My Wifi network (see http://shorwall.net/myfiles.htm) is isolated

Make that http://shorewall.net/myfiles.htm

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Gary Buckmaster
2005-Apr-14 15:35 UTC
Re: MAC Validation and related problem that is killing me...
> Ditto. My Wifi network (see http://shorwall.net/myfiles.htm) is isolated
> from my local systems and I require either IPSEC or OpenVPN for access
> from that network (in addition to MAC validation).

Exactly! My wifi segment lives in its own little DMZ, and yes, my AP is set to not broadcast its SSID, and yes, I use MAC filtering and 128-bit WEP with dynamic keying, but no, I don't trust any of these features to do anything more than slow the progress of a determined attacker. My laptops must authenticate against my OpenVPN server in order to have any other access at all, either outbound to the Internet or to my internal network.
Tom Eastep
2005-Apr-14 18:09 UTC
Re: MAC Validation and related problem that is killing me...
Gary Buckmaster wrote:

>> Ditto. My Wifi network (see http://shorwall.net/myfiles.htm) is isolated
>> from my local systems and I require either IPSEC or OpenVPN for access
>> from that network (in addition to MAC validation).
>
> Exactly! My wifi segment lives in its own little DMZ, and yes,
> my AP is set to not broadcast its SSID, and yes, I use MAC filtering
> and 128-bit WEP with dynamic keying, but no, I don't trust any of these
> features to do anything more than slow the progress of a determined
> attacker. My laptops must authenticate against my OpenVPN server in
> order to have any other access at all, either outbound to the Internet
> or to my internal network.

Additionally, my laptops that connect run software firewalls (Shorewall on my Linux-based laptop and Sygate on my Windows XP box). So if a determined attacker gets by the WEP, there is still a firewall to get around.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key