Feature #3120
MAC validation (IP / MAC binding)
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-firewall-base | | |
| Target version: | v6.6 | | |
| Resolution: | | NEEDINFO: | No |
Description
The firewall should implement a restrictive behavior based on MAC address validation.
When this mode is enabled, all traffic from an interface must be verified to originate from a defined set of MAC addresses associated with one or more IP addresses.
See: http://shorewall.net/MAC_Validation.html
The implementation should:
- add an option inside the web interface to enable/disable the MAC validation
- when enabled, only hosts with DHCP reservations can access the firewall
- allow selecting a default policy if an IP has no reservation
Associated revisions
Config and db: implement MAC validation. Refs #3120
Web UI: add MAC validation. Refs #3120
Inline help: add MAC validation. Refs #3120
History
#1 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from NEW to TRIAGED
- Target version set to v6.6
- % Done changed from 0 to 20
#2 Updated by Giacomo Sanchietti over 6 years ago
- Description updated (diff)
#3 Updated by Giacomo Sanchietti over 6 years ago
- MAC validation enabled
- administrator forgets to add their own computer to the DHCP reservation
The administrator can no longer access the firewall, unless the red interface is correctly configured.
Should we also add a special MAC address which is always allowed to access the firewall?
#4 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#5 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#6 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-firewall-base-2.5.1-1.11.g5b270ff.ns6.noarch.rpm
- Create a DHCP reservation
- Enable the MAC validation
- Try to connect with SSH from the reserved IP: connection must work
- Try to connect with SSH from another host: connection must fail
- After test case 1
- Change policy to "Allow traffic"
- Try to connect with SSH from the reserved IP: connection must work
- Try to connect with SSH from another host: connection must work
Command to search for blocked hosts:
grep eth0_mac /var/log/firewall.log
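The search above can be extended into a per-host summary. The following is an added example, not part of the original issue or of NethServer's code. It assumes kernel LOG lines carrying Shorewall's default "Shorewall:<chain>:<disposition>:" prefix; the function names `blocked_hosts` and `sample_log` are hypothetical and the log lines are constructed.

```shell
#!/bin/sh
# Added example: summarise hosts logged by the eth0_mac chain.
# Assumption: kernel LOG lines with Shorewall's default prefix
# ("Shorewall:<chain>:<disposition>:"). Names here are hypothetical.

# blocked_hosts CHAIN [FILE...]
# Prints "count source-MAC source-IP" per host logged by CHAIN (stdin if no FILE).
blocked_hosts() {
    chain=$1
    shift
    awk -v chain="$chain" '
        index($0, ":" chain ":") == 0 { next }   # keep only lines from this chain
        {
            mac = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^MAC=/) {
                    # MAC= holds destination MAC (6 bytes), source MAC (6 bytes), EtherType (2 bytes)
                    n = split(substr($i, 5), b, ":")
                    if (n >= 12)
                        mac = b[7] ":" b[8] ":" b[9] ":" b[10] ":" b[11] ":" b[12]
                } else if ($i ~ /^SRC=/) {
                    src = substr($i, 5)
                }
            }
            if (mac != "" && src != "") seen[mac " " src]++
        }
        END { for (k in seen) print seen[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Constructed sample of /var/log/firewall.log content (not real log data).
sample_log() {
    cat <<'EOF'
Mar  3 10:15:02 fw kernel: Shorewall:eth0_mac:DROP:IN=eth0 OUT= MAC=52:54:00:aa:bb:01:52:54:00:12:34:56:08:00 SRC=192.168.1.77 DST=192.168.1.1 LEN=60 TTL=64 PROTO=TCP SPT=51514 DPT=22 SYN
Mar  3 10:15:03 fw kernel: Shorewall:eth0_mac:DROP:IN=eth0 OUT= MAC=52:54:00:aa:bb:01:52:54:00:12:34:56:08:00 SRC=192.168.1.77 DST=192.168.1.1 LEN=60 TTL=64 PROTO=TCP SPT=51514 DPT=22 SYN
Mar  3 10:16:40 fw kernel: Shorewall:eth0_mac:DROP:IN=eth0 OUT= MAC=52:54:00:aa:bb:01:52:54:00:ab:cd:ef:08:00 SRC=192.168.1.90 DST=192.168.1.1 LEN=60 TTL=64 PROTO=TCP SPT=40022 DPT=22 SYN
Mar  3 10:17:05 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=52:54:00:aa:bb:02:52:54:00:99:88:77:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=52 PROTO=TCP SPT=33000 DPT=23 SYN
EOF
}

sample_log | blocked_hosts eth0_mac
```

On a live system the call would be `blocked_hosts eth0_mac /var/log/firewall.log`. A MAC/IP pair that appears here but should be allowed points to a missing or mistyped DHCP reservation.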
#7 Updated by Davide Principi over 6 years ago
- Assignee set to Davide Principi
#8 Updated by Davide Principi over 6 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 70 to 90
VERIFIED
#9 Updated by Davide Principi over 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
CLOSED
In nethserver-updates:
nethserver-firewall-base-2.6.0-1.ns6.noarch.rpm