RE: [fw-wiz] Static ARP firewall advice
From: Josh Welch (jwelch_at_buffalowildwings.com)
To: <email@example.com> Date: Fri, 9 Apr 2004 07:57:31 -0500
Greg Dickinson said:
> I've done some fairly extensive research on this subject, and can't get
> a definitive answer. I solicit your advice.
> I manage the firewall for a local boarding school as a side job. The
> campused students are allowed to bring their own PC's to connect to the
> campus network for internet access in their rooms. The firewall has 4
> interfaces, one for the administrative LAN, one for the internet, one
> for the dorm LAN, and one for the proxy server so it's in it's own
> We have statically assigned IP addresses for the students' PC's, so
> that we can run a proxy log analysis and determine which students are
> accessing which sites at what times. These statically assigned
> addresses are in specific allow statements in the ruleset (pf on OBSD
> 3.2). Recently the (rather bright) students here have figured out that
> they can simply "steal" someone else's address and avoid detection.
> I am currently in the process of reloading the proxy server to get it
> off RH9, but in the interim I was wondering if there is an
> easy/recommended way to accomplish this: I had the idea of adding static
> ARP entries in the firewall so that only the specified Layer 3 addresses
> that match the specified Layer 2 addresses can get through the firewall.
> However (as you can imagine) this is a nightmare to maintain, as well
> as difficult for the local administrator to add static ARP entries (he
> has to add the addresses to /etc/rc.local and reboot the firewall
> everytime [yes, I know a reboot is not required...but it's simpler...
> :-> ])
> To summarize: is there an easy way to maintain static ARP entries using
> pf on OBSD 3.2? While the current firewall is OBSD, I am not married
> to this configuration - if there is an open source firewall product that
> will allow me to accomplish this easier, then I will recommend that to
> the admin.
> Thanks in advance for your time.
A particular annoyance of mine is when I pose a specific question on a list
and I get a bunch of replies that suggest I do something entirely different,
unfortunately I'm going to do that :)
Is there a particular reason you haven't decided to implement user
authentication on your proxy? It would allow you to track site visits by
username rather than IP Address, you could then DHCP your students if you
wanted to and remove that particular administrative hassle, unless it's
needed for other reasons.
Otherwise, I don't have any OpenBSD boxes to try out pf, but iptables can
have rules written in such a fashion that if a machine has a certain
combination of IP and MAC, it's allowed, place a rule at the end of the
chain to DROP any other traffic and it will work. Assuming your proxy runs
on port 80 it should be like this:
-A INPUT -p tcp -m tcp --dport 80 -j matchmac
-A matchmac -m mac --mac-source 00:C0:WE:45:E2:D4 -p tcp -s 192.168.0.1 -j
-A matchmac -j logmac
-A logmac -j LOG --log-prefix "BAD MAC IP COMBO:" --log-level 7
-A logmac -j DROP
This will work, but if you have a large number of clients it will be icky,
specifically at the beginning of the school year when you're trying to get
everyone set up. I'd still suggest doing client authentication on your
firewall-wizards mailing list