Closed fukawi2 closed 5 years ago
Yes, pf is used for our firewall and doesn't support mac address filtering indeed, although ipfw in our case doesn't use mac addresses either (it uses the system arp table and keeps track of changes).
Mac addresses are quite easy to spoof, which often creates a false sense of security when provided in firewall rules.
In combination with bridging there is an option to tag frames, although that likely would only work for a limited set of rules. (for example https://serverfault.com/questions/674480/how-to-block-mac-address-in-pf-firewall)
Long story short, I don't expect the option will enter our product.
Thanks for your quick reply. Yes, spoofing MAC addresses is a thing, but for most use cases it is sufficient. For example, I'm just trying to make sure my TV and printer don't start talking somewhere they shouldn't, while letting my mobile phone and desktop PC be a lot more free to establish connections. I don't expect my TV or printer to start spoofing its MAC address to bypass my firewall (although maybe one day that will be a threat vector!).
I trust my users, I don't necessarily trust my devices.
Maybe it can be accomplished using aliases. A new kind of alias that keeps the translation of a list of MAC addresses to the assigned IP addresses. With every new MAC-IP pair in the ARP table, the corresponding MAC alias tables could be updated. These aliases could be used to filter packets with pf. It's just an idea.
Actually, I use the same method as @fukawi2 described to filter devices on a WiFi VLAN.
Can we revive this feature please? We've just replaced a Linux firewall internally at my work with an OPNsense cluster. Something we did a lot in the Linux firewall was firewall bypass (allows) by mac address. With a dual-stack IPv4 + IPv6 network, it's farrrr easier to allow (or block) a client on the local network by mac address, compared to:
Being able to have a single firewall rule to allow/block the mac address has far less management overhead, and less to go wrong.
In the current version of OPNsense I am actually able to create a "MAC-Alias" and use it in a firewall rule. Could anybody tell how this works (i.e. does it translate the MAC into IPs or another way)?
Thanks Alex
Apparently I suck at googling - thanks!
It would be useful to be able to create firewall rules based on source mac address, similar to netfilter:
-A FORWARD -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT
There seem to have been several queries for this feature in the past (below), but my specific use case is for a dual-stacked network. Without being able to firewall by mac, I have to do this instead:
(Alternatively steps 3+4 could be create a separate IPv4 and IPv6 firewall rules instead of using an Alias, but it's still 2 steps)
If I could create rules by mac address, then I can consolidate all 4 steps into a single firewall rule.
The general suggestion seems to be to use the Captive Portal as a workaround, but this doesn't let me firewall by port/destination etc as well (eg, allow MAC 45:23:54:31:43:12 to port 22 on destination address 192.0.2.123). I can either grant full access to a MAC address or block it in full. My understanding is that pf is not capable of handling Layer 2 traffic, but ipfw is, and ipfw is already in OPNsense for the Captive Portal + Traffic Shaping functions.
I'm not overly familiar with BSD (hence I'm using OPNsense!) so I don't know exactly how complex this feature would be to create.
Previous queries for same/similar feature: https://forum.opnsense.org/index.php?topic=7474.0 https://forum.opnsense.org/index.php?topic=2790.0 https://forum.opnsense.org/index.php?topic=5525.0
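The MAC-to-IP alias idea floated earlier in this thread, and the "allow MAC X to port 22 on destination Y" rule asked for in the post above, worked through as an added shell example. This is illustration code written for this thread, not OPNsense's MAC-alias implementation or anything from pf; the table name printer_v4v6, the interface em0, the neighbour-table sample and every address in it are made up. It parses `arp -an` and `ndp -an` output for one MAC and loads the matching IPv4 and IPv6 addresses into a pf table, which an ordinary pf rule can then combine with a port and a destination.

```shell
#!/bin/sh
# Added example, not OPNsense's or pf's own code: resolve a device's MAC
# address to every IPv4/IPv6 address the firewall currently holds for it in
# its ARP and NDP neighbour tables, and load those addresses into a pf table
# that an ordinary pf rule can reference. pf never sees the MAC; the table
# is only as current as the last refresh, so run this from cron.

# Constructed sample output in the shape of FreeBSD `arp -an` and `ndp -an`
# (documentation addresses). Note the octet without a leading zero and the
# incomplete entry; both occur in real output and must be handled.
SAMPLE_ARP='? (192.0.2.10) at 0:11:22:33:44:55 on em0 expires in 1185 seconds [ethernet]
? (192.0.2.20) at aa:bb:cc:dd:ee:ff on em0 expires in 900 seconds [ethernet]
? (192.0.2.1) at 00:11:22:33:44:55 on em0 permanent [ethernet]
? (192.0.2.99) at (incomplete) on em0 expired [ethernet]'
SAMPLE_NDP='Neighbor                      Linklayer Address  Netif Expire    S Flags
fe80::211:22ff:fe33:4455%em0  00:11:22:33:44:55  em0   23h59m59s S R
2001:db8::10                  00:11:22:33:44:55  em0   permanent R
2001:db8::20                  aa:bb:cc:dd:ee:ff  em0   1h2m3s    S R'

# awk helper shared by both parsers: lower-case a MAC and pad each octet
# to two hex digits so "0:11:22:33:44:55" and "00:11:22:33:44:55" compare
# equal; anything that is not six colon-separated groups becomes "".
AWK_NORM_MAC='
function norm_mac(m,   n, i, o, out) {
  n = split(tolower(m), o, ":")
  if (n != 6) return ""
  out = ""
  for (i = 1; i <= 6; i++)
    out = out (i > 1 ? ":" : "") (length(o[i]) == 1 ? "0" o[i] : o[i])
  return out
}'

# $1 = MAC; `arp -an` text on stdin. Field 2 is "(ip)", field 4 the MAC
# (or "(incomplete)", which normalises to "" and never matches).
ips_from_arp() {
  awk -v want="$1" "$AWK_NORM_MAC"'
    BEGIN { want = norm_mac(want) }
    want != "" && /\) at / && norm_mac($4) == want {
      ip = $2; gsub(/[()]/, "", ip); print ip
    }'
}

# $1 = MAC; `ndp -an` text on stdin. Column 1 is the neighbour (link-local
# addresses carry a %ifname scope suffix, which pf tables do not take),
# column 2 the MAC. The header line never normalises to a MAC, so it is skipped.
ips_from_ndp() {
  awk -v want="$1" "$AWK_NORM_MAC"'
    BEGIN { want = norm_mac(want) }
    want != "" && norm_mac($2) == want {
      ip = $1; sub(/%.*/, "", ip); print ip
    }'
}

# $1 = MAC, $2 = `arp -an` output, $3 = `ndp -an` output.
# Prints the sorted, de-duplicated set of addresses bound to that MAC.
mac_to_ips() {
  {
    printf '%s\n' "$2" | ips_from_arp "$1"
    printf '%s\n' "$3" | ips_from_ndp "$1"
  } | LC_ALL=C sort -u
}

# $1 = pf table name, $2 = MAC, $3 = arp text, $4 = ndp text.
# Prints the pfctl command that brings the table up to date. When the MAC
# has no neighbour entry at all the table is flushed: leaving the previous
# address in place would keep granting access to whoever holds it next.
pf_table_cmd() {
  ips=$(mac_to_ips "$2" "$3" "$4" | tr '\n' ' ')
  ips=${ips% }
  if [ -n "$ips" ]; then
    printf 'pfctl -t %s -T replace %s\n' "$1" "$ips"
  else
    printf 'pfctl -t %s -T flush\n' "$1"
  fi
}

# Using the table from pf.conf (hypothetical names; one rule covers both
# address families because the table holds both):
#   table <printer_v4v6> persist
#   pass in quick on em0 proto tcp from <printer_v4v6> to { 192.0.2.123 2001:db8::123 } port 22
case "${1:-demo}" in
  demo) pf_table_cmd printer_v4v6 00:11:22:33:44:55 "$SAMPLE_ARP" "$SAMPLE_NDP" ;;
  live) # usage: sh mac_table.sh live <table> <mac>   (as root, e.g. from cron)
        ips=$(mac_to_ips "$3" "$(arp -an)" "$(ndp -an)")
        # $ips is deliberately unquoted: pfctl takes one address per argument
        if [ -n "$ips" ]; then pfctl -t "$2" -T replace $ips; else pfctl -t "$2" -T flush; fi ;;
esac
```

The caveat from earlier in the thread still applies: the table follows whatever host the neighbour cache currently associates with that MAC, so a spoofed MAC or a stale entry inherits the rule. Static ARP/NDP entries for the devices in question and a short refresh interval narrow that window; they do not close it.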