Feature #3120

MAC validation (IP / MAC binding)

Added by Giacomo Sanchietti over 6 years ago. Updated over 6 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.6
Resolution:
NEEDINFO: No

Description

The firewall should implement a restrictive behavior based on MAC address validation.
When this mode is enabled, all traffic from an interface must be verified to originate from a defined set of MAC addresses associated with one or more IP addresses.

See: http://shorewall.net/MAC_Validation.html

The implementation should:
  • add an option inside the web interface to enable/disable the MAC validation
  • when enabled, only hosts with DHCP reservations can access the firewall
  • allow selecting a default policy if an IP has no reservation

Associated revisions

Revision 4ec95682
Added by Giacomo Sanchietti over 6 years ago

Config and db: implement MAC validation. Refs #3120

Revision 0590de58
Added by Giacomo Sanchietti over 6 years ago

Web UI: add MAC validation. Refs #3120

Revision 5b270ffe
Added by Giacomo Sanchietti over 6 years ago

Inline help: add MAC validation. Refs #3120

History

#1 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from NEW to TRIAGED
  • Target version set to v6.6
  • % Done changed from 0 to 20

#2 Updated by Giacomo Sanchietti over 6 years ago

  • Description updated (diff)

#3 Updated by Giacomo Sanchietti over 6 years ago

Given this scenario:
  • mac validation enabled
  • the administrator forgets to add their own computer to the DHCP reservations

The administrator can no longer access the firewall, unless the red interface is correctly configured.

Should we also add a special MAC address which is always allowed to access the firewall?

#4 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#5 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#6 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

Package in nethserver-testing:
  • nethserver-firewall-base-2.5.1-1.11.g5b270ff.ns6.noarch.rpm

Test case 1
  • Create a DHCP reservation
  • Enable the MAC validation
  • Try to connect with SSH from the reserved IP: connection must work
  • Try to connect with SSH from another host: connection must fail

Test case 2
  • After test case 1
  • Change policy to "Allow traffic"
  • Try to connect with SSH from the reserved IP: connection must work
  • Try to connect with SSH from another host: connection must work

Command to search for blocked hosts:

grep eth0_mac /var/log/firewall.log
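
The binding check described in the issue description (look up the source IP in the DHCP reservations, require the frame's source MAC to match, and fall back to a default policy for IPs that have no reservation) together with the log search from the test notes above, as an added Python example. This is not NethServer, Shorewall or the author's code. The reservation table, the packets and the log lines are constructed; the log lines are shaped like the kernel netfilter LOG output with a Shorewall "chain:disposition" prefix, where the chain name eth0_mac is the one the grep command searches for. The rule that a reserved MAC may not be used from a foreign IP is this example's own stricter choice, not something the issue specifies.

```python
import re
from dataclasses import dataclass

# Constructed DHCP reservation table (IP -> MAC). On the real firewall the
# bindings come from the DHCP reservations the administrator configured.
RESERVATIONS = {
    "192.168.1.10": "00:11:22:33:44:55",
    "192.168.1.11": "00:11:22:33:44:66",
}


@dataclass(frozen=True)
class Packet:
    iface: str     # ingress interface, e.g. "eth0"
    src_ip: str
    src_mac: str


def validate(pkt, reservations, default_policy="DROP"):
    """Return "ACCEPT" or "DROP" for one packet under IP/MAC binding.

    - source IP has a reservation: ACCEPT only if the source MAC matches it
    - source IP has no reservation: apply default_policy ("DROP" is the
      restrictive mode; "ACCEPT" corresponds to the "Allow traffic" policy
      exercised by test case 2)
    - assumption of this example: a MAC that is reserved for a different IP
      is dropped even under an ACCEPT default, so a known host cannot simply
      move to an unreserved address
    """
    mac = pkt.src_mac.lower()
    expected = reservations.get(pkt.src_ip)
    if expected is not None:
        return "ACCEPT" if mac == expected.lower() else "DROP"
    if mac in {m.lower() for m in reservations.values()}:
        return "DROP"
    return default_policy


# Shorewall-style prefix "Shorewall:<chain>:<disposition>:" followed by the
# netfilter LOG fields. The MAC= field carries destination MAC, then source
# MAC, then the 2-byte EtherType, so the second 6-byte group is the sender.
LOG_RE = re.compile(
    r"Shorewall:(?P<chain>\w+):(?P<action>\w+):.*?"
    r"MAC=(?P<dst_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}):"
    r"(?P<src_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}):"
    r"[0-9a-f]{2}:[0-9a-f]{2}\s+SRC=(?P<src_ip>[\d.]+)",
    re.IGNORECASE,
)


def blocked_hosts(log_lines, chain="eth0_mac"):
    """Return the distinct (source MAC, source IP) pairs dropped by `chain`.

    This is what `grep eth0_mac /var/log/firewall.log` lets you find by eye,
    reduced to the two fields that identify the offending host.
    """
    found = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("chain") != chain or m.group("action").upper() != "DROP":
            continue
        pair = (m.group("src_mac").lower(), m.group("src_ip"))
        if pair not in found:
            found.append(pair)
    return found


# Constructed log lines: two drops by the MAC-validation chain on eth0 and one
# unrelated drop on another chain that the search must ignore.
SAMPLE_LOG = [
    "Mar  3 10:15:01 fw kernel: Shorewall:eth0_mac:DROP:IN=eth0 OUT= "
    "MAC=00:0c:29:aa:bb:cc:de:ad:be:ef:00:01:08:00 SRC=192.168.1.50 DST=192.168.1.1 "
    "LEN=60 PROTO=TCP SPT=51234 DPT=22",
    "Mar  3 10:15:07 fw kernel: Shorewall:eth0_mac:DROP:IN=eth0 OUT= "
    "MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:66:08:00 SRC=192.168.1.10 DST=192.168.1.1 "
    "LEN=60 PROTO=TCP SPT=51240 DPT=22",
    "Mar  3 10:15:09 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= "
    "MAC=00:0c:29:aa:bb:dd:52:54:00:12:34:56:08:00 SRC=203.0.113.9 DST=198.51.100.2 "
    "LEN=40 PROTO=TCP SPT=40000 DPT=23",
]


def run_demo(default_policy="DROP"):
    """Evaluate the four interesting packet shapes and return the verdicts."""
    packets = [
        Packet("eth0", "192.168.1.10", "00:11:22:33:44:55"),  # matches reservation
        Packet("eth0", "192.168.1.10", "00:11:22:33:44:66"),  # reserved IP, wrong MAC
        Packet("eth0", "192.168.1.50", "de:ad:be:ef:00:01"),  # no reservation at all
        Packet("eth0", "192.168.1.50", "00:11:22:33:44:55"),  # known MAC, foreign IP
    ]
    return [(p.src_ip, p.src_mac, validate(p, RESERVATIONS, default_policy)) for p in packets]


if __name__ == "__main__":
    for policy in ("DROP", "ACCEPT"):
        print(f"default policy {policy}:")
        for src_ip, src_mac, verdict in run_demo(policy):
            print(f"  {src_ip:<14} {src_mac}  {verdict}")
    print("blocked by eth0_mac:", blocked_hosts(SAMPLE_LOG))
```

The second sample log line is the situation from test case 1: a host using the reserved IP 192.168.1.10 with a MAC other than the reserved one is dropped, and blocked_hosts() surfaces exactly that MAC/IP pair so the administrator can tell a misconfigured reservation from a foreign host. Switching the default policy to ACCEPT changes only the verdict for the unreserved address, which mirrors test case 2.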

#7 Updated by Davide Principi over 6 years ago

  • Assignee set to Davide Principi

#8 Updated by Davide Principi over 6 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 90

VERIFIED

#9 Updated by Davide Principi over 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

CLOSED

In nethserver-updates:
nethserver-firewall-base-2.6.0-1.ns6.noarch.rpm
