Hello everybody,

Is there a tool that can, for a new connection, verify that the RFC1918 IP matches what was assigned by DHCP? (firewall gateway with DHCP for inside clients, to a few ISP's on the outside)
The obvious effect would be to block traffic for self-assigned IP addresses.

My flailing around on google has yielded nothing helpful. I'm not the best at guessing good search terms, so please feel free to throw those at me.

Thank you,
Lee Brown

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 05/23/2012 08:06 AM, Lee Brown wrote:
> Hello everybody,
>
> Is there a tool that can, for a new connection, verify that the RFC1918
> IP matches what was assigned by DHCP? (firewall gateway with DHCP for
> inside clients, to a few ISP's on the outside)
> The obvious effect would be to block traffic for self-assigned IP addresses.
>
> My flailing around on google has yielded nothing helpful. I'm not the
> best at guessing good search terms, so please feel free to throw those
> at me.

http://www.shorewall.net/MAC_Validation.html

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Wed, May 23, 2012 at 10:39 AM, Tom Eastep <teastep@shorewall.net> wrote:
> On 05/23/2012 08:06 AM, Lee Brown wrote:
> > Hello everybody,
> >
> > Is there a tool that can, for a new connection, verify that the RFC1918
> > IP matches what was assigned by DHCP? (firewall gateway with DHCP for
> > inside clients, to a few ISP's on the outside)
> > The obvious effect would be to block traffic for self-assigned IP
> > addresses.
> >
> > My flailing around on google has yielded nothing helpful. I'm not the
> > best at guessing good search terms, so please feel free to throw those
> > at me.
>
> http://www.shorewall.net/MAC_Validation.html

I'm sorry Tom, but I don't understand how the leases assigned from the DHCP server automatically add MACs it has given an address out to, nor remove MACs for expired leases.
If I understand the example correctly, that is essentially accepting traffic from a fixed list; maclist is a static filter, correct?

Maybe an example would help clarify:

My firewall/gateway/DHCP server is at 10.10.10.1
Guest1 plugs in their laptop and the DHCP server assigns, say, 10.10.10.10 to 00:01:02:03:04:05 for 1 hour
Guest2 plugs in their laptop and self-assigns themselves 10.10.10.11 as 00:11:22:33:44:55
firewall should forward traffic from 10.10.10.10/00:01:02:03:04:05
firewall should block traffic from 10.10.10.11/mac not really relevant
Guest1 unplugs their laptop and walks away. A little under an hour later, firewall blocks traffic from 10.10.10.10

> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Lee Brown wrote:
> I'm sorry Tom, but I don't understand how the leases assigned from
> the DHCP server automatically add MACs it has given an address out
> to, nor remove MACs for expired leases.
> If I understand the example correctly, that is essentially accepting
> traffic from a fixed list, maclist is a static filter, correct?

Correct.
What you are asking for isn't available natively in Shorewall - you would need some external glue to handle that.

The ISC DHCP server has hooks so you can call external scripts for various events - though you'd need to add a buffering layer, as interacting directly with Shorewall (especially if it involves a restart to load a modified config) may be too slow for anything but a very lightly loaded DHCP server.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
On Wed, May 23, 2012 at 12:28 PM, Simon Hobson <linux@thehobsons.co.uk> wrote:
> Lee Brown wrote:
>
> > I'm sorry Tom, but I don't understand how the leases assigned from
> > the DHCP server automatically add MACs it has given an address out
> > to, nor remove MACs for expired leases.
> > If I understand the example correctly, that is essentially accepting
> > traffic from a fixed list, maclist is a static filter, correct?
>
> Correct.
> What you are asking for isn't available natively in Shorewall - you
> would need some external glue to handle that.

Which is why I asked if there was a tool available... :)

> The ISC DHCP server has hooks so you can call external scripts for
> various events - though you'd need to add a buffering layer as
> interacting directly with Shorewall (especially if it involves a
> restart to load a modified config) may be too slow for anything but a
> very lightly loaded DHCP server.

Oh, I hadn't realized that, thank you. Shorewall is only used to configure iptables; I modify chains directly after that, as my shorewall restart cycle is rather slow (rules/zones need serious cleaning up).
Once I identify the chain that implements the maclist, I can add/remove rules from that to implement what I need.

Thanks Tom, thanks Simon. This gives me the direction I need.

Regards
--
Lee
On 23/05/2012 20:50, Lee Brown wrote:
> Oh, I hadn't realized that, thank you. Shorewall is only used to
> configure iptables, I modify chains directly after that as my
> shorewall restart cycle is rather slow (rules/zones need serious
> cleaning up.)
> Once I identify the chain that implements the maclist, I can
> add/remove rules from that to implement what I need.

Implement your blacklist using a rule and an ipset. Then you can just externally adjust the ipset pretty much instantly. Note dnsmasq also has the option to run a script on allocation of a new lease - additionally, its lease file is easily accessible.

Good luck

Ed W
On Sat, May 26, 2012 at 4:11 AM, Ed W <lists@wildgooses.com> wrote:
> On 23/05/2012 20:50, Lee Brown wrote:
> > Oh, I hadn't realized that, thank you. Shorewall is only used to
> > configure iptables, I modify chains directly after that as my
> > shorewall restart cycle is rather slow (rules/zones need serious
> > cleaning up.)
> > Once I identify the chain that implements the maclist, I can
> > add/remove rules from that to implement what I need.
>
> Implement your blacklist using a rule and an ipset. Then you can just
> externally adjust the ipset pretty much instantly. Note dnsmasq also
> has the option to run a script on allocation of a new lease -
> additionally its lease file is easily accessible

OK, I've not used ipsets (yet...) so this is good to know. Manipulating iptables can be cumbersome. ISC DHCP is our standard here (although I do have one admin running dnsmasq on his local net).

> Good luck

Thanks :)

> Ed W
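The approach Simon and Ed converge on in the two replies above (a firewall rule keyed on an ipset, with the set kept in sync from the DHCP server's lease data rather than from a static maclist) as an added example. This is not code from the thread, from Shorewall or from ISC DHCP. It parses an ISC dhcpd.leases file, keeps only leases that are "binding state active" and not yet expired, and emits an "ipset restore" script that fills a temporary set and swaps it in, so the gateway never sees a half-built set. Assumptions not taken from the thread: the set is named dhcp_leases and has type hash:ip,mac, the inside interface in the iptables rule shown in the comment is eth1, and the lease file embedded below is constructed (it reuses the Guest1 lease from Lee's example, plus one expired lease and one lease later released, to show both failure cases being dropped).

```python
"""Rebuild an ipset of DHCP-assigned (IP, MAC) pairs from ISC dhcpd.leases.
Added example for this thread, not Shorewall or ISC DHCP code. Assumed names:
set dhcp_leases (hash:ip,mac) and inside interface eth1, used by a rule such as
    iptables -A FORWARD -i eth1 -m set ! --match-set dhcp_leases src,src -j DROP
Traffic whose (src IP, src MAC) pair is not a live lease is then dropped.
"""
import re
import sys
from datetime import datetime, timezone

# One "lease <ip> { ... }" block. The file is append-only, so a later block
# for the same IP supersedes an earlier one (see dhcpd.leases(5)).
LEASE_BLOCK = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
STATE_RE = re.compile(r"^\s*binding state\s+(\w+);", re.M)
HW_RE = re.compile(r"^\s*hardware ethernet\s+([0-9a-fA-F:]+);", re.M)
ENDS_RE = re.compile(r"^\s*ends\s+([^;]+);", re.M)

def normalize_mac(mac):
    """Zero-pad each octet and lowercase, e.g. 0:1:2:3:4:5 -> 00:01:02:03:04:05."""
    return ":".join("%02x" % int(octet, 16) for octet in mac.split(":"))

def parse_ends(value):
    """'ends' is 'never' or 'weekday yyyy/mm/dd hh:mm:ss' in UTC (dhcpd default)."""
    value = value.strip()
    if value == "never":
        return None
    _weekday, date, clock = value.split()
    stamp = datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc)

def parse_leases(text):
    """Return {ip: {"state", "mac", "ends"}}, keeping only the last block per IP."""
    leases = {}
    for match in LEASE_BLOCK.finditer(text):
        ip, body = match.group(1), match.group(2)
        state, hw, ends = STATE_RE.search(body), HW_RE.search(body), ENDS_RE.search(body)
        leases[ip] = {
            "state": state.group(1) if state else None,
            "mac": normalize_mac(hw.group(1)) if hw else None,
            "ends": parse_ends(ends.group(1)) if ends else None,
        }
    return leases

def active_bindings(text, now):
    """Sorted (ip, mac) pairs that are active and not expired at `now` (aware UTC)."""
    return sorted(
        (ip, lease["mac"])
        for ip, lease in parse_leases(text).items()
        if lease["state"] == "active"
        and lease["mac"] is not None
        and (lease["ends"] is None or lease["ends"] > now)
    )

def ipset_restore_script(bindings, setname="dhcp_leases"):
    """Script for `ipset -exist restore`: fill a temp set, then swap it in atomically."""
    tmp = setname + "_tmp"
    lines = [f"create {setname} hash:ip,mac", f"create {tmp} hash:ip,mac", f"flush {tmp}"]
    lines += [f"add {tmp} {ip},{mac}" for ip, mac in bindings]
    lines += [f"swap {tmp} {setname}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"

# Constructed sample lease file (not a real one), evaluated at 15:30 UTC:
# Guest1 is live, 10.10.10.12 expired at 15:00, 10.10.10.13 was later released.
SAMPLE_NOW = datetime(2012, 5, 23, 15, 30, tzinfo=timezone.utc)
LEASES_SAMPLE = """\
lease 10.10.10.10 {
  ends 3 2012/05/23 16:06:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:01:02:03:04:05;
  client-hostname "guest1";
}
lease 10.10.10.12 {
  ends 3 2012/05/23 15:00:00;
  binding state active;
  hardware ethernet 0:aa:bb:cc:dd:ee;
}
lease 10.10.10.13 {
  ends 3 2012/05/23 16:10:00;
  binding state active;
  hardware ethernet 00:de:ad:be:ef:01;
}
lease 10.10.10.13 {
  ends 3 2012/05/23 16:10:00;
  binding state free;
  hardware ethernet 00:de:ad:be:ef:01;
}
"""

if __name__ == "__main__":
    # Usage: rebuild-dhcp-ipset.py /var/lib/dhcp/dhcpd.leases | ipset -exist restore
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text, now = fh.read(), datetime.now(timezone.utc)
    else:
        text, now = LEASES_SAMPLE, SAMPLE_NOW
    sys.stdout.write(ipset_restore_script(active_bindings(text, now)))
```

Running this from cron every minute (or from a dhcpd "on commit"/"on release"/"on expiry" execute() hook that only touches a flag file for the cron job to pick up) is the buffering layer Simon describes: the DHCP server never waits on the firewall, an expired or released lease drops out of the set on the next run, and the swap keeps the update atomic. Shorewall can reference the set in its rules with its "+setname" ipset syntax, or the raw iptables rule in the header comment can be added outside Shorewall as Lee already does for his chains.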