Firewalling MAC addresses
-
What would be interesting, at least to me, is to understand why you would want to implement FW rules based on MAC address. This is something I don't understand yet.
To ensure a device cannot get out, no matter what its IP address. Filtering on incoming MACs would be pretty much useless though, as you'll only see the MAC for the ISP's router.
-
Routers only route between Layer 3 (IP addresses).
pfSense is also a firewall and can filter on layer 4 (TCP & UDP ports etc.) as well as 3. Other firewalls have no problem filtering on MAC addresses. For example, for many years I used the firewall in openSUSE. It could filter on MACs, as can at least some models of Cisco routers. A firewall does more than just route (there are also firewalls that do not route). They examine the various characteristics of the packets, be they layer 2, 3, or 4 and make decisions based on those characteristics. As for IPv6, many devices have random number based addresses that cannot be (easily) disabled. In this case, filtering on IP address is not an option, but filtering on MAC should be.
-
After reading a few threads on firewall rules based on MAC addresses, I figure I would post my use case here on why I would want such a feature.
I have a virtual lab on one of my machines that I am creating and destroying VMs on all the time. While I want a set of VMs to have access to my local physical network services such as NAS, I want to silently block those VMs from autoupdating from the Inter-webs. I do use snapshots and restore liberally, but I would have to fastidiously monitor for any change to the OS or other apps to be sure my tests are not tainted. Ensuring my VMs use a range of MAC addresses and firewalling them at the LAN allows me to consume internal services and watch for DNS resolves or direct IP attempts for updates on those VMs. Thoughts?
- Joe
-
My use case: denying IPv6 entirely to certain Android devices (post).
Currently using a separate WAP+interface to create an IPv4-only subnet.
-
…so a lot of work & limited use case for the majority of the users...
I know this is a relatively old thread, but I think this comment misses the point entirely.
MAC address filtering is only of limited use for the majority of users today, because the majority of users are still using IPv4 and MAC-based filtering gives them nothing they need.
As users transition to IPv6, it will become the major use-case. Because, for practical purposes, with IPv6 a rules-based system that uses IP addresses does not work.
This means pfSense will increasingly become ineffective as a network security device and people will stop using it. I'm sure none of us want that!
Cheers,
Keith
-
Continuing the discussion on implementation challenges…
If pf does not support MAC based filtering then this, indeed, does present issues. However, I will point out that MAC based filtering, at the low-level, isn't necessarily required.
What is required, to support IPv6, is "MAC-specified" filtering. That is to say, the ability to specify the device or devices to be filtered by MAC address. This could then be dynamically translated into an equivalent IPv6 (e.g. using information from the NDP) before being pushed into pf. This would obviously require regular updates (perhaps driven from NDP updates). It would be roughly analogous to specifying hosts by URL or DNS name.
Of course, this would not be trivial, but it sounds a lot less problematic than trying to mix ipfw and pf rules.
Cheers,
Keith
-
I was quite surprised when I learned that the BSD iptables equivalent, pf, does not support L2 filtering. Until now I assumed this was possible the same way it is with iptables. However, I agree that there are some situations in which L2 filtering is helpful even though regular firewalls are supposed to work on L3. I've used MAC filters in the past with other firewalls and it worked as expected. In this thread it's the same as in others: people try to reason away the need for L2 filters on firewalls altogether, but that does not solve the problem. People try to accomplish the same things with pfsense they have been doing with iptables for years, and that's completely legitimate.
I suggest considering L2 MAC filtering a feature request for future releases of pfSense. To keep things easy, I would not mix L3/L2 in the firewall rules but rather suggest implementing a separate chain for MAC filters independent of the pf rules.
-
Hello,
I'm following up this thread.
Did someone find a way to block a MAC address (without IP reservation, which will be easy to bypass)? Thanks
-
"(without IP reservation that will be easy to bypass ) ?"
So you think changing a mac address is difficult? Takes .2 seconds to set a different mac address.
-
"(without IP reservation that will be easy to bypass ) ?"
So you think changing a mac address is difficult? Takes .2 seconds to set a different mac address.
In fact, it's easier than changing the IP address, as you don't need to access pfSense, just the computer.
-
If you're really worried you could always enable static ARP. Now someone trying to change an IP to get around a block would not be able to talk to pfsense from that different IP.
-
"(without IP reservation that will be easy to bypass ) ?"
So you think changing a mac address is difficult? Takes .2 seconds to set a different mac address.
I'm just saying that it is easier for a basic user (99.9% of my customers) to change his IP than to change his MAC address.
But I didn't want to debate this, because each situation and each need is different. Just wanted to know if someone found a way to do that with pfSense.
-
99% of your users are not going to know how to change even the IP ;) And a very high percentage of those that do would prob know how to change the mac address as well.
If you're concerned with such things going on, then use static ARP to deal with it.
-
@Florent.a:
"(without IP reservation that will be easy to bypass ) ?"
So you think changing a mac address is difficult? Takes .2 seconds to set a different mac address.
I'm just saying that this is more easy for a basic user (99.9% of my customers) to change his IP than change his MAC address.
But I didn't want to debate on this because each situation and each need is different.
Unless they work in an IT environment, I suspect most people wouldn't even know the difference between an IP and MAC address, let alone how to change them. I agree with johnpoz on this, map IP addresses to MACs in the DHCP server and use static ARP.
-
Sir,
If you have these problems, have you considered os10/onie environment? (Brtables?)
I have zero experience with oboe things but this would seem wise.
Sincerely,
magrw2066
-
If you're really worried you could always enable static ARP. Now someone trying to change an IP to get around a block would not be able to talk to pfsense from that different IP.
How many get their IPv6 address via ARP? Not many. ;)
The world is moving to IPv6 and most devices will be using privacy addresses that change every day. Filtering outgoing traffic only on IPv6 address will not work. Bottom line, pfSense & pf will have to be updated to the 21st century, if it's to be able to filter outgoing traffic. As I mentioned before, people have to get out of the IPv4 mindset, as many things are different in IPv6. Also, crippling network functionality is not the solution to this problem, as others in this thread seem to think.
-
Umm my response seems lost.
Try ONIE boxes(not OBIE) and/or brtables command.
Sincerely,
Magrw2066
-
Just want to say. You guys might want to change this wikipedia page:
https://en.wikipedia.org/wiki/Comparison_of_firewalls
Since it states that pfsense has rules for blocking by mac address. It deceives people (like me) to think that pfsense can block by mac address.
-
This is one feature that should definitely be added. IPtables has it, IIRC. With IPv6 privacy addresses changing daily, it's not possible to have an IPv6 address rule that would last longer than a day.
-
I notice the last response is 2mo old, but... I am using SonicWalls with MAC addresses being used in the rules all the time - for the very reasons that the OP listed, with IPv6 being the more annoying bit for me.
Filtering by IP is about as effective as milking a boar.
Since I've used pfSense for ages and the SonicWall bits are kinda new to me I had asked an engineer how the Sonicwall does this effectively with such an anemic CPU, and was told that the rules essentially are updated when the MAC goes live on the network with whatever IP(s) the machine has. The documentation I've read for the Sonicwalls I've been managing indicate that they operate very similarly to how pfSense does, aside from not being based on pf.
Since we have to record this information anyways and validate against DHCP/ARP, I'm not sure how come pfSense can't do this? We're running CPUs that are worlds better than the junk in even the expensive Sonicwalls, so even if there was some overhead, I think it should be possible and even feasible. However I will digress in that I am not a programmer, and there may be some code sitting in the way that makes this incredibly expensive to do.
It sure as heck would make my life much easier. I could set things to happen based on MAC and not give a crap what IP they have or if they manually set it to something else, or if they're using IPv6 which as stated before by OP and here is ineffective.
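Keith's earlier suggestion (specify the device by MAC, translate that into whatever IPv6 addresses the NDP cache currently shows for it, push those into pf and refresh as the cache changes) and the SonicWall behaviour Gary describes above, where rules update when the MAC appears with whatever IPs it has, are the same mechanism. The script below is an added example of that translation step written for this page; it is not pfSense code and none of the posters supplied it. It assumes FreeBSD's `ndp -an` column layout, a pf table named `quarantine_mac` (a hypothetical name), and a constructed NDP sample embedded in place of live output. The `pfctl -t … -T replace` and `-T flush` forms are real pfctl(8) table commands; the script prints them instead of executing them so it runs on any host.

```shell
#!/bin/sh
# Added example: turn "filter this MAC" into the global IPv6 addresses the NDP
# cache currently holds for it, then emit the pfctl command that syncs a pf table.

# Constructed sample of `ndp -an` output in FreeBSD's column layout
# (Neighbor, Linklayer Address, Netif, Expire, S, Flags). Not captured from a real system.
SAMPLE_NDP='Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::1%igb1                         00:11:22:33:44:55  igb1 permanent R
2001:db8:1::a1b2                     00:11:22:33:44:55  igb1 23h59m57s S R
2001:db8:1:0:5c3e:7a1f:9b0d:2e44     00:11:22:33:44:55  igb1 4m12s     R R
fe80::a8bb:ccff:fe00:1%igb1          aa:bb:cc:00:00:01  igb1 permanent R
2001:db8:1::beef                     aa:bb:cc:00:00:01  igb1 23h01m04s S R
2001:db8:1::dead                     (incomplete)       igb1 expired   I'

# ipv6_for_mac MAC
# Reads ndp(8) output on stdin and prints, one per line, every global IPv6
# address the cache maps to MAC (case-insensitive match). Link-local (fe80::/10)
# entries are skipped: the goal is to police traffic leaving the segment, and a
# link-local address carries a %zone suffix that pf tables do not accept.
# Unresolved entries show "(incomplete)" in the link-layer column and never match.
ipv6_for_mac() {
    mac=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v mac="$mac" 'NR > 1 && tolower($2) == mac && $1 !~ /^fe80:/ { print $1 }' |
        LC_ALL=C sort -u
}

# pf_table_replace_cmd TABLE MAC
# Prints the pfctl(8) command that makes TABLE hold exactly the addresses found
# for MAC. When the cache has no entry for the MAC (device offline, entry
# expired) the table is flushed so stale addresses do not linger.
pf_table_replace_cmd() {
    table=$1
    addrs=$(ipv6_for_mac "$2")
    if [ -z "$addrs" ]; then
        printf 'pfctl -t %s -T flush\n' "$table"
    else
        printf 'pfctl -t %s -T replace %s\n' "$table" "$(printf '%s' "$addrs" | tr '\n' ' ')"
    fi
}

# Demonstration against the constructed cache. On a live box the pipeline would
# be `ndp -an | pf_table_replace_cmd quarantine_mac 00:11:22:33:44:55`, run from
# cron or whenever the cache changes, with a rule such as
#   block out quick inet6 from <quarantine_mac> to any
# referencing the (hypothetical) table.
printf '%s\n' "$SAMPLE_NDP" | pf_table_replace_cmd quarantine_mac 00:11:22:33:44:55
printf '%s\n' "$SAMPLE_NDP" | pf_table_replace_cmd quarantine_mac de:ad:be:ef:00:00
```

Two caveats follow directly from how this works. The cache only holds addresses the firewall has already resolved, so a device's first packets from a fresh privacy address can pass before the next refresh; and, as several posters note, a device that changes its own MAC simply stops matching. Both limits also apply to any appliance that implements MAC rules this way.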
-
All I can say is: Go Gary!!!!! You rock! Speaking from the year 2021 here, we have to deal with random MACs now, so we should have been on top of this problem when Gary first suggested we should! We “should have” had the ability by now to not give IP addresses to random MAC clients, just for example. OP GARY where you at???
-
@nick-wollman Why in the world are we resurrecting this thread...especially if you understand that MACs are randomized/spoofed...
-
@skogs good morning!
Honestly, I just wanted to congratulate Gary for pushing through all of the backlash he got. Wonderful, someone who knows what he wants and pushes to get it. I can relate, people just want to keep things the way they are. Or like to shut down honest question posters in the first reply. And now that I’m reminded, I just might have a solution that Gary is looking for, if he’s still around.
-
Rock on.
Deny by default works nicely. :)
-
@chris4916 said in Firewalling MAC addresses:
What would be interesting, at least to me, is to understand why you would want to implement FW rules based on MAC address. This is something I don't understand yet.
easy answer : because devices may end up being assigned multiple IP addresses, a rule against the device's MAC address is a more "fixed" allocation.
Plus it's nice to have options.
I am sure others would have additional use cases.
Either way, it's a valid firewall parameter with the other big players (e.g. CISCO, etc.), so why not pfSense?
-
@nick-wollman
.... waiting .... what's the solution you are proposing in pfSense --- I am all ears :-)
-
IMHO MAC-based firewalling is really really needed!! I did already advocate for that a couple of times.
Two reasons for that:
- given malware you do not only have to protect your network against threats from the internet, but also against threats from within your own network
- ipv6, at least from the firewall standpoint IMHO it is a disaster
So where you could filter in the IPV4 world on IP-address to limit access or do the opposite allow something based on IP, that option is gone with IPV6.
And in both cases IPV4 and IPV6 the MAC-address is a better option to filter a machine than one of its perhaps many IP's addresses and address variants.
Yes, I do know that:
- it is possible to change the MAC address (it is even simpler to change your IP), and
- pf, the firewall below pfSense, regrettably does not support MAC filtering (please mail the maintainer on the FreeBSD forums)
- it is true MAC is layer 2, not 3
- you can generate an alarm if a new MAC occurs on your network (there is an app for that, if you think that is useful)
All in all, nothing is perfect! But MAC filtering is, given IPv6, really really of big value.
Louis
-
@louis2 said in Firewalling MAC addresses:
malware
If the presence of 'malware' needs MAC handling more than IP, then, I agree, you have very untrusted clients.
Use the captive portal, which is meant to be used when you have to deal with non-trusted devices, and you'll be using the firewall pf and the firewall ipfw. ipfw can do layer 2 and 3.
Still, I'd like to understand why the MAC, or even IP, is important when you deal with malware.
Malware could be found in the data payload, which is not accessible to you. Remember: there is no http traffic anymore. Or mail that doesn't use some TLS.
Also, you could see the destination IP, but not the destination MAC, as this would be the MAC of the next upstream router.
-
@louis2 What's your environment / LAN type?
Are you talking guest type access here, if the devices only need to talk out their default gateway and not to other devices on the LAN then set the LAN ports to a protected port so they can only connect to the default gateway.
Run some sort of IDS/IPS on your LAN interfaces.
-
MAC filtering will do absolutely nothing for incoming packets. The only MAC address you will see is from the next upstream router and nothing else.
-
@louis2 said in Firewalling MAC addresses:
that option is gone with IPV6.
How so - I have specific rules that have specific IPv6 addresses in them.. I only allow access to my ntp server IPv6 address.
IPv6 clients can use multiple IPv6 addresses, if you do not tell them not to. But specific IPv6 addresses can be assigned to clients, where they only use that address. But generally speaking with IPv6 you would do the rules based on any IPv6 address in that prefix. If you have some device that needs to do something different than the rules on that vlan, then move it to another vlan where you can set the rules you want for that prefix - now the specific IP address doesn't matter.
While I agree that IPv6 brings changes to how things were done in the past with firewall rules - filtering on mac address is not a requirement to correctly firewall.. You just need to understand the differences that IPv6 brings to the table. Yes there is a learning curve there for sure - which is why I suggest - if you're not up to the task, or do not have time currently to climb up the learning curve for IPv6 and all the differences it has - then just don't use it. There is nothing saying you need to use or allow IPv6 on your network. Many ISPs currently don't even provide it at all. Can you name 1 resource that requires you to use IPv6? If you do not have a pressing need for IPv6 - then you can put off climbing up the learning curve hill for a later date.. You have YEARS for sure ;)
-
I try to keep my computers patched and secure, but as you know, you can never be 100% sure that none of your computers has been compromised. So IMHO it is not wise to trust your own systems.
So, I try to do things to prevent "infected computers" from reaching other computers. And the same rules would hopefully warn me that something strange is happening.
Captive portal does not help here, since that protects against unwanted computers, not against my own computers potentially being infected.
And of course, as I am talking about MAC filtering, I am talking about traffic originating from my own vlans.
-
My remarks are related to multiple situations. Surely not only my guest lan!
I have multiple vlans and in each vlan I limit the outgoing traffic, traffic to other vlans and/or the internet, as far as possible.
Extreme example is e.g. the greenzone (e.g. my nas) which should be kept away from the internet as far as possible. Among other things I use floating rules to make sure that (nearly) every other vlan can not enter that vlan.
-
I know, MAC filtering is (when supported) only possible for network-internal generated traffic. And that is exactly what I had in mind.
-
@louis2 how does mac filtering help in filtering intervlan traffic? Macs are not used between vlans.. IP and Ports and protocols are used between vlans.
If you have a compromised machine and it is allowed to talk to your nas on port 445.. (smb over tcp).. What does it matter what its mac address is?
-
John, it is complicated not hew of course. A few remarks:
I only allow access to my ntp server IPv6 address
-
That alone is an issue, but also in IPv4; the problem is that a lot of applications use their own built-in NTP, DNS etc. So if you want to force the use of your own DNS etc., you probably have to redirect the server address, which is as far as I know not yet possible for IPv6.
-
Related to used addresses there are two different issues here
a) Different address types e.g. link local and global
b) Multiple and changing global addresses (fixed, temporarily, changing all the time for security reasons)
Additionally a server can have multiple addresses in favor of multiple functions / applications. So this all together makes it impossible to filter on IP-address.
What to a certain extent helps is to create many vlans, since that provides better separation and each vlan has its own rule-set. More complicated to maintain of course and also not always a good idea. The reason for that is e.g. that the equipment in the separated vlans also has to talk to each other.
For info, I have had native IPv6 for years and there is one big advantage: I have an endless number of IPv6 addresses, where I only have one IPv4.
My servers all have and use IPv6 next to IPv4. If applicable/needed, my servers are accessible from the internet via IPv6.
A lot of, if not most, equipment today has a preference for IPv6 over IPv4. So if IPv6 is available it will use IPv6.
-
@louis2 said in Firewalling MAC addresses:
can have multiple addresses in favor of multiple functions / applications. So this all together makes it impossible to filter on IP-address.
While yes clients can have multiple IPv6 addresses - they don't have to.
If applicable/needed they my servers are accessible from the internet via IPV6.
Why? Do you have clients that only have IPv6? While again using IPv6, are you behind IPv4 nat and can only provide access that is not natted via IPv6?
So IPV6 is available it will use IPV6.
Which is another good reason that if your not up to speed on all the differences and changes that IPv6 brings to just not use it..
b) Multiple and changing global addresses (fixed, temporarily, changing all the time for security reasons)
Again they do not have to. My ntp server, which is served to the public via the ntp pool, only has the 1 IPv6 address I gave it - and it doesn't change.. It doesn't use temp IPv6 addresses, because I told it not to, etc..
If you are not ready to embrace all the changes that come with IPv6 - don't use it, or yeah you're going to have to ramp up and learn how to handle the differences. Mac addresses are not the solution to firewalling IPv6 and as stated pfsense does not have any real support for using mac addresses in filtering other than captive portal, or limits by doing static arp, etc. If you need to or feel you need/want to use mac filtering in your network - then you're prob better off using something else as your firewall that supports it. Pfsense has limited mac abilities from a firewall point of view, and I don't think they are going to be adding any new abilities in that area like next week ;)