Firewalling MAC addresses

JKnott · Feb 23, 2018, 12:07 PM

"(without IP reservation that will be easy to bypass ) ?"

So you think changing a mac address is difficult? Takes .2 seconds to set a different mac address.

In fact, it's easier than changing the IP address, as you don't need to access pfSense, just the computer.

johnpoz · Feb 23, 2018, 1:54 PM

if your really worried you could always enable static arp.. Now someone trying to change and IP to get around a block would not be able to talk to pfsense from that different IP.

Kop-IT · Feb 23, 2018, 3:59 PM

@johnpoz:

"(without IP reservation that will be easy to bypass ) ?"

So you think changing a mac address is difficult? Takes .2 seconds to set a different mac address.

I'm just saying that this is more easy for a basic user (99.9% of my customers) to change his IP than change his MAC address.
But I didn't want to debate on this because each situation and each need is different.

Just wanted to know if someone finds a way to do that with pfSense.

johnpoz · Feb 23, 2018, 4:28 PM

99% of your users not going to know how to change even the IP ;) And very high percentage that do would prob know how to change the mac address as well.

If your concerned with such things going on, then use static arp to deal with it.

JKnott · Feb 23, 2018, 4:33 PM

@Florent.a:

@johnpoz:

"(without IP reservation that will be easy to bypass ) ?"

So you think changing a mac address is difficult? Takes .2 seconds to set a different mac address.

I'm just saying that this is more easy for a basic user (99.9% of my customers) to change his IP than change his MAC address.
But I didn't want to debate on this because each situation and each need is different.

Unless they work in an IT environment, I suspect most people wouldn't even know the difference between an IP and MAC address, let alone how to change them. I agree with johnpoz on this, map IP addresses to MACs in the DHCP server and use static ARP.

magrw2066 · Mar 8, 2018, 5:20 AM

Sir,
If you have these problems, have you considered os10/onie environment? (Brtables?)
I have zero experience with oboe things but this would seem wise.
Sincerely,
magrw2066

JKnott · Mar 8, 2018, 2:19 PM

if your really worried you could always enable static arp.. Now someone trying to change and IP to get around a block would not be able to talk to pfsense from that different IP.

How many get their IPv6 address via ARP? Not many. ;)

The world is moving to IPv6 and most devices will be using privacy addresses that change every day. Filtering outgoing traffic only on IPv6 address will not work. Bottom line, pfSense & pf will have to be updated to the 21st century, if it's to be able to filter outgoing traffic. As I mentioned before, people have to get out of the IPv4 mindset, as many things are different in IPv6. Also, crippling network functionality is not the solution to this problem, as others in this thread seem to think.

magrw2066 · Mar 8, 2018, 3:47 PM

Umm my response seems lost.
Try ONIE boxes(not OBIE) and/or brtables command.
Sincerely,
Magrw2066

Naraska · Dec 5, 2018, 12:52 AM

Just want to say. You guys might want to change this wikipedia page:
https://en.wikipedia.org/wiki/Comparison_of_firewalls
Since it states that pfsense has rules for blocking by mac address. It deceives people (like me) to think that pfsense can block by mac address.

JKnott · Dec 5, 2018, 2:17 AM

This is one feature that should definitely be added. IPtables has it, IIRC. With IPv6 privacy addresses changing daily, it's not possible to have an IPv6 address rule that would last longer than a day.

Liath.WW · Feb 7, 2019, 11:26 PM

I notice the last response is 2mo old, but... I am using SonicWalls with MAC addresses being used in the rules all the time - for the very reasons that the OP listed, with IPv6 being the more annoying bit for me.

Filtering by IP is about as effective as milking a boar.

Since I've used pfSense for ages and the SonicWall bits are kinda new to me I had asked an engineer how the Sonicwall does this effectively with such an anemic CPU, and was told that the rules essentially are updated when the MAC goes live on the network with whatever IP(s) the machine has. The documentation I've read for the Sonicwalls I've been managing indicate that they operate very similarly to how pfSense does, aside from not being based on pf.

Since we have to record this information anyways and validate against DHCP/ARP, I'm not sure how-come pfSense can't do this? We're running CPUs that are worlds better than the junk in even the expensive Sonicwalls, so even if there was some overhead, I think it should be possible and even feasible. However I will digress in that I am not a programmer, and there may be some code sitting in the way that makes this incredibly expensive to do.

It sure as heck would make my life much easier. I could set things to happen based on MAC and not give a crap what IP they have or if they manually set it to something else, or if they're using IPv6 which as stated before by OP and here is ineffective.

Nick Wollman · May 3, 2021, 3:26 AM

All I can say is: Go Gary!!!!! You rock! Speaking from the year 2021 here, we have to deal with random macs now, so we should been on top of this problem when Gary first suggested we should! We “should have” had the ability by now to not give IP addresses to random Mac clients, just for example. OP GARY where you at???

skogs · May 3, 2021, 4:36 AM

@nick-wollman Why in the world are we resurrecting this thread...especially if you understand that MACs are randomized/spoofed...

Nick Wollman · May 3, 2021, 2:36 PM

@skogs good morning!
Honestly, I just wanted to congratulate Gary for pushing through all of the backlash he got. Wonderful, someone who knows what he wants and pushes to get it. I can relate, people just want to keep things the way they are. Or like to shut down honest question posters in the first reply.

And now that I’m reminded, I just might have a solution that Gary is looking for, if he’s still around.

skogs · May 4, 2021, 1:19 AM

Rock on.
Deny by default works nicely. :)

sorips · Feb 21, 2022, 1:05 PM

@chris4916 said in Firewalling MAC addresses:

What would be interesting, at least to me, is to understand why you would want to implement FW rules based on MAC address. This is something I don't understand yet.

easy answer : because devices may end up being assigned multiple IP addresses, a rule against the device's MAC address is a more "fixed" allocation

easy answer : because devices may end up being assigned multiple IP addresses, a rule against the device's MAC address is a more "fixed" allocation.

Plus it's nice to have options.

I am sure others would have additional use cases

Either way, it's a valid firewall parameter with the other big players (eg: CISCO, etc), so why not pfSense ?

sorips · Feb 21, 2022, 1:04 PM

@nick-wollman
.... waiting .... what's the solution you are proposing in pfSense --- I am all ears :-)

louis2 · Mar 16, 2022, 9:19 AM

IMHO MAC based fire walling is really really needed !! I did already advocate for that a couple of times.

Two reasons for that:

given malware you do not only have to protect your network against threats from the internet, but also against threats from within your own network
ipv6, at least from the firewall standpoint IMHO it is a disaster

So where you could filter in the IPV4 world on IP-address to limit access or do the opposite allow something based on IP, that option is gone with IPV6.

And in both cases IPV4 and IPV6 the MAC-address is a better option to filter a machine than one of its perhaps many IP's addresses and address variants.

Yes I do know that:

it is possible to change the mac address
(it is even simpler to change your ip) and
that pf the firewall below pfsense regrettable does not support mac filtering
(please mail the maintainer on free bsd forums)
that it is true mac is level-2 not three 3
that you can generate an alarm if a new mac occurs on your network (there is an app for that, if you think that is useful)

All in all nothing is perfect !, but mac-filtering is given IPV6, really really of big value.

Louis

Gertjan · Mar 16, 2022, 11:48 AM

@louis2 said in Firewalling MAC addresses:

malware

If the presence of 'malware' needs MAC handling more then IP, then, I agree, you have very untrusted clients.
Use the captive portal, which is meant to be used when you have to deal with non trusted devices, and you'll be using the firewall pf and the firewall ipfw. ipfw can do level 2 and 3.

Still, I'd like to understand why the MAC, or even IP, is important when you deal with malware.
Malware could be found in the data payload, which is non accessible to you. Remember : there is no http traffic anymore. Or mail that doesn't use some TLS.
Also, you could see the destination IP, but not the destination MAC, as this would be the MAC of the next up stream router.

NogBadTheBad · Mar 16, 2022, 12:28 PM

@louis2 What's your environment / LAN type?

Are you talking guest type access here, if the devices only need to talk out their default gateway and not to other devices on the LAN then set the LAN ports to a protected port so they can only connect to the default gateway.

Run some sort of IDS/IPS on your LAN interfaces.