MAC Address 00:00:00:00:00:00 was able to access internet.



  • Hello.

    We're running the pfSense 2.0.1 (i386) release.
    We have the Proxy Service (Squid) enabled for LAN, WIFI, and another subnet, as a transparent proxy.
    The firewall rules on LAN are block all, unless your IP address is listed.
    DHCP is handled by the Windows 2003 domain.

    So, you are not allowed access to the Internet unless your IP address is listed in the LAN firewall rules.

    The scenario is as follows:

    A laptop was presented to be configured for use with OpenVPN, but could NOT get an IP address over the wire via the Cisco ESW 520 switch.
    Bypassing the ESW 520 switch, an IP address was obtained and Internet access was granted without the proper permissions in the LAN firewall rules.
    Checking the laptop, I noticed it is using an NVIDIA-type driver for the LAN. The listed MAC address was 00:00:00:00:00:00. Scanned the computer for trojans and rootkits; none found.
    Checking ARP in pfSense also showed the all-zeros MAC address with an assigned LAN IP address.
    Checking the LAN firewall rules, no such IP address was listed.

    Can anyone else verify this behaviour, or is there a fix for this? Could this be related to the transparent proxy?

    Thanks, Jits


  • Rebel Alliance Developer Netgate

    Access will be allowed through the transparent proxy regardless of firewall rules. You'd need to setup a squid or squidGuard ACL to restrict access to the proxy.



  • Access will be allowed through the transparent proxy regardless of firewall rules. You'd need to setup a squid or squidGuard ACL to restrict access to the proxy.

    Jimp,

    No, no... you are not going to destroy my confidence in pfSense today. "Regardless of firewall rules" cannot be right. The firewall is it. After everything else, the final arbiter is the firewall, as in... "Even if Mommy told you you could... I am telling you, you can't!"

    There are some thirty computers that are blocked by the firewall because their IP address is not on the list. Those systems have proper MAC addresses and they cannot access the Internet. The error page from the transparent proxy tells them to contact the administrator.

    The laptop, with a MAC address of 00:00:00:00:00:00, is assigned an IP address that is NOT listed in the LAN firewall rules and DOES access the Internet, bypassing, if you like, the firewall. This is not supposed to be.

    When going through the Cisco ESW 520 switch, there is no joy. All fun stops at the switch. Not even an IP address is obtained.

    I had to generate a MAC address from an online source, and when it was assigned to the network card, I was able to get an IP address via the ESW 520 switch. Then there was no Internet access via pfSense. After adding the IP address to the firewall rules, Internet access was obtained.

    So, I am concluding that the pfSense firewall can be penetrated by masking your MAC address with all 0s.

    Can anyone else test this and advise further? What can be done to prevent this?



    Unless you provide a tcpdump trace of this, no answers can be given!
    I would suggest you do the trace first and then come to conclusions.

    Usually the MAC address is not the culprit here.



  • It has nothing at all to do with your MAC address, PF doesn't even look at MAC addresses.



    Yes. I see what you mean. ID10T jumping-to-conclusions error!

    The reason I said that is because I could not determine the IP address that was assigned to the laptop with the 00 MAC address via ipconfig.

    I was able to quickly find out the IP address via DIAGNOSTICS: ARP TABLES, which listed the 00 MAC address and the assigned IP, which was not in the LAN firewall rules. So this is why I, without thinking, stated what I did in the previous post.

    However, I'm not understanding the inconsistencies, with some systems not being allowed access and others being allowed despite the same settings.

    In the LAN firewall rules, 192.168.1.111 has permission. When this IP is removed from the LAN firewall rules, a new system, assigned 192.168.1.111 by DHCP, still has Internet access. Firewall states reset: system still has Internet access. Firewall rebooted, system rebooted: still has Internet access. Checked again: no 192.168.1.111 in the LAN firewall rules.

    The transparent proxy service is enabled and LAN is selected as the proxy interface. "Allow users on interface" is ticked. Hmmmm... hang on a sec, let me uncheck "Allow users on interface" and add the subnet via ACCESS CONTROL.

    Ok, got it. Perfect. Now it works the way it should!

    So, 192.168.1.111 is not in the LAN firewall rules list and it no longer has access to the Internet.

    I entered the subnet via PROXY SERVICE: ACCESS CONTROL and unticked ALLOW USERS ON INTERFACE on the GENERAL page.

    ---

    So, I don't know if this is how "Allow users on interface" is supposed to work, but I was always under the impression that the firewall has the final say, and this method circumvents that final say.

    Thanks for your help and for jogging my mind... jits.
    Sorry if I offended anyone, but please, please... don't take it personally. Thanks again.
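
  • The following is an added example, not text or configuration from any poster in this thread and not the pfSense squid package's own generated file. It spells out, in plain pf and squid.conf terms, what jimp's reply above describes (the transparent proxy admitting hosts regardless of LAN rules) and what the fix in the last post amounts to (replacing the "Allow users on interface" subnet allowance with an explicit access-control list). The interface name (em0), the 192.168.1.0/24 subnet and the host addresses are assumptions chosen to match the thread.

```conf
# Added example (not from the thread or the pfSense squid package).
# Interface name, subnet and host addresses below are assumptions.

# --- pf side: what "Transparent Proxy" does (illustrative rdr rule) ---
# Outbound TCP/80 from the LAN is redirected to squid on the firewall
# BEFORE the LAN filter rules are evaluated, so a "block all unless
# listed" LAN ruleset never sees a packet with the real Internet
# destination; the packet now looks like LAN -> firewall:3128.
#   rdr on em0 proto tcp from 192.168.1.0/24 to any port 80 -> 127.0.0.1 port 3128

# --- squid side, weak: equivalent of "Allow users on interface" ticked ---
# The whole interface subnet is allowed into the proxy, so any host that
# obtains a lease (e.g. 192.168.1.111) can browse whether or not it is
# permitted in the LAN firewall rules.
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all

# --- squid side, corrected: explicit per-host ACL (Access Control) ---
# Only hosts that are also permitted in the LAN firewall rules may use
# the proxy; every other source gets squid's deny page instead of the
# Internet. Keep this list in step with the LAN allow rules.
acl permitted_hosts src 192.168.1.10 192.168.1.20 192.168.1.30
http_access allow permitted_hosts
http_access deny all
```

    On pfSense the squid package regenerates squid.conf from the GUI, so hand edits to the file do not survive; the equivalent of the corrected block is done under Proxy server: Access Control with "Allow users on interface" unticked, which is what the last post did. A quick check is to run tcpdump on the LAN interface for port 80 traffic from a host that is not in the list: the TCP/80 packets still arrive at the firewall (the rdr happens first), but with the ACL in place the host receives squid's access-denied page. One caveat: the transparent redirect only covers plain HTTP on TCP/80; HTTPS and any other port are not intercepted and remain governed solely by the LAN firewall rules.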

