Shorewall users - May 2012 - DHCP/MAC/IP filtering

Hello everybody,

Is there a tool that can, for a new connection, verify that the RFC1918 IP
match what was assigned by DHCP? (firewall gateway with DHCP for inside
clients, to a few ISP''s on the outside)
The obvious effect would be to block traffic for self-assigned IP addresses.

My flailing around on google has yielded nothing helpful.  I''m not the
best
at guessing good search terms, so please feel free to throw those at me.

Thank you,
Lee Brown


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 05/23/2012 08:06 AM, Lee Brown wrote:
> Hello everybody,
>
> Is there a tool that can, for a new connection, verify that the RFC1918
> IP match what was assigned by DHCP? (firewall gateway with DHCP for
> inside clients, to a few ISP''s on the outside)
> The obvious effect would be to block traffic for self-assigned IP
addresses.
>
> My flailing around on google has yielded nothing helpful.  I''m not
the
> best at guessing good search terms, so please feel free to throw those
> at me.
http://www.shorewall.net/MAC_Validation.html

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On Wed, May 23, 2012 at 10:39 AM, Tom Eastep <teastep@shorewall.net>
wrote:
> On 05/23/2012 08:06 AM, Lee Brown wrote:
> > Hello everybody,
> >
> > Is there a tool that can, for a new connection, verify that the
RFC1918
> > IP match what was assigned by DHCP? (firewall gateway with DHCP for
> > inside clients, to a few ISP''s on the outside)
> > The obvious effect would be to block traffic for self-assigned IP
> addresses.
> >
> > My flailing around on google has yielded nothing helpful. 
I''m not the
> > best at guessing good search terms, so please feel free to throw those
> > at me.
>
> http://www.shorewall.net/MAC_Validation.html

I''m sorry Tom, but I don''t understand how the leases assigned
from the DHCP
server automatically add MAC''s it has given an address out to, nor
remove
MAC''s for expired leases.
If I understand the example correctly, that is essentially accepting
traffic from a fixed list, maclist is a static filter, correct?

Maybe an example would help clarify:

My firewall/gateway/DHCP server is at 10.10.10.1

Guest1 plugs in their laptop and the DHCP server assigns say 10.10.10.10 to
00:01:02:03:04:05 for 1 hour
Guest2 plugs in their laptop and self-assigns themselves 10.10.10.11 as
00:11:22:33:44:55

firewall should forward traffic from 10.10.10.10/00:01:02:03:04:05
firewall should block traffic from 10.10.10.11/mac not really relevant

Guest1 unplugs their laptop and walks away.  A little under an hour later
firewall blocks traffic from 10.10.10.10

>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today''s security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

Lee Brown wrote:
>I''m sorry Tom, but I don''t understand how the leases
assigned from
>the DHCP server automatically add MAC''s it has given an address out
>to, nor remove MAC''s for expired leases.
>If I understand the example correctly, that is essentially accepting 
>traffic from a fixed list, maclist is a static filter, correct?
Correct.
What you are asking for isn''t available natively in Shorewall - you 
would need some external glue to handle that.

The ISC DHCP server has hooks so you can call external scripts for 
various events - though you''d need to add a buffering layer as 
interacting directly with Shorewall (especially if it involves a 
restart to load a modified config) may be too slow for anything but a 
very lightly loaded DHCP server.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On Wed, May 23, 2012 at 12:28 PM, Simon Hobson
<linux@thehobsons.co.uk>wrote:
> Lee Brown wrote:
>
> >I''m sorry Tom, but I don''t understand how the leases
assigned from
> >the DHCP server automatically add MAC''s it has given an
address out
> >to, nor remove MAC''s for expired leases.
> >If I understand the example correctly, that is essentially accepting
> >traffic from a fixed list, maclist is a static filter, correct?
>
> Correct.
> What you are asking for isn''t available natively in Shorewall -
you
> would need some external glue to handle that.
>
Which is why I asked if there was a tool available...:)

>
> The ISC DHCP server has hooks so you can call external scripts for
> various events - though you''d need to add a buffering layer as
> interacting directly with Shorewall (especially if it involves a
> restart to load a modified config) may be too slow for anything but a
> very lightly loaded DHCP server.
>
Oh, I hadn''t realized that, thank you.  Shorewall is only used to
configure
iptables, I modify chains directly after that as my shorewall restart cycle
is rather slow (rules/zones need serious cleaning up.)
Once I identify the chain that implements the maclist, I can add/remove
rules from that to implement what I need.

Thanks Tom, Thanks Simon.  This gives me the direction I need.

Regards -- Lee


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 23/05/2012 20:50, Lee Brown wrote:
> Oh, I hadn''t realized that, thank you.  Shorewall is only used to 
> configure iptables, I modify chains directly after that as my 
> shorewall restart cycle is rather slow (rules/zones need serious 
> cleaning up.)
> Once I identify the chain that implements the maclist, I can 
> add/remove rules from that to implement what I need.
>
Implement your blacklist using a rule and an ipset.  Then you can just 
externally adjust the ipset pretty much instantly.  Note dnsmasq also 
has the option to run a script on allocation of a new lease - 
additionally it''s lease file is easily accessible

Good luck

Ed W

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On Sat, May 26, 2012 at 4:11 AM, Ed W <lists@wildgooses.com> wrote:
> On 23/05/2012 20:50, Lee Brown wrote:
> > Oh, I hadn''t realized that, thank you.  Shorewall is only
used to
> > configure iptables, I modify chains directly after that as my
> > shorewall restart cycle is rather slow (rules/zones need serious
> > cleaning up.)
> > Once I identify the chain that implements the maclist, I can
> > add/remove rules from that to implement what I need.
> >
>
> Implement your blacklist using a rule and an ipset.  Then you can just
> externally adjust the ipset pretty much instantly.  Note dnsmasq also
> has the option to run a script on allocation of a new lease -
> additionally it''s lease file is easily accessible
>
OK, I''ve not used ipset''s (yet...) so this is good to know. 
Manipulating
iptables can be cumbersome.
ISC DHCP is our standard here (although I do have one admin running dnsmasq
on his local net)

>
> Good luck
>
Thanks :)
>
> Ed W
>
>
>
------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today''s security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/