Filtering specific devices, using mac-based Policy Filtering

jimp

You wouldn't filter by DUID, necessarily, but you would assign static addresses based on the DUID and filter on the statics. Naturally someone could change their address to static and get around that, too, but it's as good as other methods in that regard, plus has the benefit of catching wired and wireless versions of the same client. Of course that doesn't help SLAAC or link-local. IPv6 has done a lot to enable user privacy, but it's a nightmare for network admins if you need to corral malicious users.

louis2

@jimp,

My first impression is that that only helps for incoming and not for outgoing (as seen from the "device" to filter.

If my impression is correct ..... , it is not / far from "an optimal" solution

Louis

Note that an average IP-device has lots of IP-addresses …….
IPv6 Address. . . . . . . . . . . : 2001:axyz:1cd::33(Preferred)
IPv6 Address. . . . . . . . . . . : 2001:axyz:1cd::f34b(Preferred)
IPv6 Address. . . . . . . . . . . : 2001:axyz:1cd:a827:d6e7:38b0:7beb(Preferred)
Temporary IPv6 Address. . . . . . : 2001:axyz:1cd:a02f:8726:d593:c682(Preferred)
Link-local IPv6 Address . . . . . : fe80::a827:d6e7:38b0:7beb%3(Preferred)

JKnott

@jimp said in Filtering specific devices, using mac-based Policy Filtering:

You are wrong. The DUID is stable for every interface on a host since it identifies the host itself uniquely. MAC addresses and IAID values vary by interface. A host will have the same DUID no matter what interface it uses.
MAC address randomization for privacy is also a thing.

I thought the DUID was for use with DHCPv6 and would not be in every packet, as required for a firewall. Also, while I am aware of MAC spoofing, I haven't heard of MAC randomization. IPv6 privacy addresses use random numbers though.

JKnott

@jimp said in Filtering specific devices, using mac-based Policy Filtering:

You wouldn't filter by DUID, necessarily, but you would assign static addresses based on the DUID and filter on the statics.

That would require using DHCPv6 on the LAN side, where SLAAC is often used. With SLAAC, you can have up to 7 privacy addresses and you get a fresh one every day.

JKnott

@louis2 said in Filtering specific devices, using mac-based Policy Filtering:

that you can assign multiple IP to one MAC.

That's entirely normal with IPv6. With SLAAC, GUA, ULA and link local addresses, I have up to 17 different IPv6 addresses for each MAC.

louis2

@JKnott,

Yep, of course all you wrote is true ! , thats exactly the reason I advocate for MAC-filtering !

Louis

jimp

Right, you don't see the DUID in a packet, but it is used to uniquely identify a host. MAC addresses are no longer considered a reliable unique host identifier. They are used in some places to help form certain kinds of automatic addresses, but they can be changed/randomized/etc. See my link to RFC 7844 above which has info on it (though some is still theoretical)

louis2

@jimp

I need something which can be used for incomming and for outgoing and which is stable appart from spoofing!

Louis

JKnott

@jimp

Once again, you don't see DUID on the wire, except with DHCPv6. This means you cannot filter on it and would require DHCPv6 to assign addresses. That brings us to the problem where (for some idiotic reason) Android devices can't use DHCPv6.

jimp

And pf can't filter based on MACs, so that's a dead end and not a possibility.

Also you can't do MAC filtering on traffic inbound from the Internet to local hosts so that doesn't help you in that direction anyhow.

"stable apart from spoofing" is meaningless since unless you isolate and filter clients properly at L1/L2 (read: switches and APs) everything can be spoofed.

JKnott

@jimp

I built my first firewall with Slackware Linux and IPChains, later SUSE and IPTables. I don't remember about IPChains, but IPTables could definitely filter on MAC addresses. The reason I switched to pfSense was because Linux didn't work with DHCPv6-PD.

Also you can't do MAC filtering on traffic inbound from the Internet to local hosts so that doesn't help you in that direction anyhow.

Yep. I was at a Linux meeting a few years ago, where I had to correct the presenter on that point.

bmeeks

In a manner of speaking, widespread adoption of IPv6 in the future is going to just about send firewalls the way of the horse and buggy ... . There is, of course, some hyperbole in that statment, but ...

Individual client security/monitoring/policing will get way harder than today since a given client can have a ton of addresses. Sure you will still be able to do subnet-level stuff, but individual host stuff gets orders of magnitude harder.

louis2

@jimp

If I have a computer or an IoT device I want to limit in its behavior, it will be very unlikely that it is spoofed.

And if I was afraid of that, I could try to detect that!

Of course you can only filter on MACs related to my own network, but with that limitation, I do not see a reason why I could filter based on starting mac (in vlan-1) or on destination mac (in vlan-2).

Of course given a situation, where level-2-tags could be read by pf (I think vlanid is one of them)

So I would not be surprised if pf could do that! It is almost identical to policy based routing. But of course that should be checked with a high level expert.

I know that it is possible on OpenBSD and elsewhere, but of course that does not necessary that it is also possible on freebsd/pf combination.

Louis

JKnott

@louis2

Of course, this is a FreeBSD problem, not pfSense, due to the pf filtering that FreeBSD uses. If it used IPTables, it wouldn't be an issue. So, this problem really should go back to the FreeBSD folks.

louis2

Just to indicate a potential solution direction,

A potential solution does in volve "Tagging of Ethernet Frames"

Tagging can be performed at the ethernet level if the machine doing the tagging/filtering is also acting as a bridge(4). By creating bridge(4) filter rules that use the tag keyword, PF can be made to filter based on the source or destination MAC address. Bridge(4) rules are created using the ifconfig(8) command. Example:

step-1: ifconfig bridge0 rule pass in on fxp0 src <mac-address> tag <sometag>
step-2: And then in pf.conf: pass in on fxp0 tagged <sometag> (policy based rule)

This direction seems to imply that there must be bridge on ethernet level. That could perhaps significant complicate things

Louis

jimp

That is not available on FreeBSD. That is an OpenBSD-specific function.

Konstanti

@louis2

Hi
Unfortunately , as we have already said, PF is not able to work with network packets at the L2 level.
But the FreeBSD/PF kernel has a very powerful NETGRAPH network subsystem built in. You can use it to configure packet filtering based on the MAC address . This subsystem allows you to intercept traffic before it reaches the network stack of the operating system and analyze it.
Here is its description
https://www.freebsd.org/cgi/man.cgi?netgraph(4)

You will need modules to analyze the ethernet header

ng_ether + ng_vlan (possibly) + ng_bpf

louis2

Thanks for the tip,

I just scanned the doc, will read in more detail later. Perhaps there are some artikels as well on internet.

However, my first feeling is that it lets say "an advanced acl-filter" on level-2.

First feeling is that you could perhaps ...:

• block traffic between A and B (that could be usefull) or
• allow traffic by passing pfSense (a very bad idea !!)

And of course with "complexity (and performance)" as price

What ever, worth reading more

Louis

louis2

intresting link

https://people.freebsd.org/~julian/netgraph.html

Konstanti

@louis2

Since the modules of this subsystem work at the kernel level, it is very high-performance and does not exert a strong load on the system.
Yes, at first it is difficult to understand , but you can understand it
The main difficulty is creating a BPF program for filtering packets . The rest is easy .
for example, to intercept traffic from a device with the MAC address 98:01:a7:8c:eb:89, the program will look like this
ether[6:4]=0x9801a78c and ether[10:2]=0xeb89
(000) ld [6]
(001) jeq #0x9801a78c jt 2 jf 5
(002) ldh [10]
(003) jeq #0xeb89 jt 4 jf 5
(004) ret #262144
(005) ret #0

bpf_prog_len=6 bpf_prog=[ { code=32 jt=0 jf=0 k=6 } { code=21 jt=0 jf=3 k=2550245260 } { code=40 jt=0 jf=0 k=10 } { code=21 jt=0 jf=1 k=60297 } { code=6 jt=0 jf=0 k=65535 } { code=6 jt=0 jf=0 k=0 } ]

Netgraph is managed from the console by the ngctl utility. For automation, you will need to write a script.
And, most importantly, you must have physical access to the console , because it is very easy to lose access to the firewall