SEO

The Jetman wrote:

> I just set up my 1st OBSD system and am making slow and steady
> progress
> getting it together, but I'd like a simple question answered: can
> OpenBSD be a NATing router *AND* a MAC filter simultaneously, based on
> the baseline
> distro ?

No, unless you adopt static routing.

> I ask bec I *believe* one needs two machines to achieve the
> same
> result w/ FreeBSD. That is, I can filter MACs if my test machine is a
> bridge, but I also need a NATing router, which doesn't seem to work
> until I switch to gateway mode.

No. Why on earth do want such a useless, needlessly complex setup?

>
> If the answer is yes, I'll put this aside as a novel curiousity,
> otherwise
> I'll proceed to bild the desired system. Later....Jet

Sorry to disappoint you.

EJ
--
Remove the obvious part (including the dot) for my email address

erik <erik@geenspam.vanwesten.net> wrote in message news:<3f077873$0$49106$e4fe514c@news.xs4all.nl>...
> The Jetman wrote:
>
> > I just set up my 1st OBSD system and am making slow and steady
> > progress
> > getting it together, but I'd like a simple question answered: can
> > OpenBSD be a NATing router *AND* a MAC filter simultaneously, based on
> > the baseline
> > distro ?
>
> No, unless you adopt static routing.
>

Maybe, I'm dumb, but I don't see what you're talking about in any
search I've done on Google or any other search engine. Hell, there's
damn little on the subject of MAC filtering via BSD, even though
the various implementations seem to be well-suited to the job.

My own experiments reveal MAC filtering is only possible if the
host is a bridge and NATing is only available on a gateway/router.
Can you confirm or deny this, based on your own experiences ?

> > I ask bec I *believe* one needs two machines to achieve the
> > same
> > result w/ FreeBSD. That is, I can filter MACs if my test machine is a
> > bridge, but I also need a NATing router, which doesn't seem to work
> > until I switch to gateway mode.
>
> No. Why on earth do want such a useless, needlessly complex setup?
>

Again, I don't grok what you're referring to at all. I'm on a team doing
a wireless ISP install for a Fortune 500 corp's sites, so I understand a bit
about the subject. My corp client is using RADIUS authentication via a
local, Linux based AP, to give its wireless clients Internet access.
However, once the system is fully operational, my corp client will have
an external authentication service provider, gate public Internet access
to its clients.

I normally work in a store, where MAC filtering *could* do the trick
(here wireless clients are fewer and far between.) I can get my FBSD
box to do MAC filtering (to limit LAN access), but I *apparently* need an
entirely different host, NATing wireless clients to the public Internet,
via a single public IP. This is essentially the same as my corporate
client, except I'd like to use manual authentication via MAC addresses
and they've opted for an automatic, authentication server.

Consequently, I don't grok your comment: 'Why on earth do want such a
useless, needlessly complex setup?'

> >
> > If the answer is yes, I'll put this aside as a novel curiousity,
> > otherwise
> > I'll proceed to bild the desired system. Later....Jet
>
> Sorry to disappoint you.
>

Later....Jet

The Jetman wrote:

> erik <erik@geenspam.vanwesten.net> wrote in message
> news:<3f077873$0$49106$e4fe514c@news.xs4all.nl>...
>> The Jetman wrote:
>>
>> > I just set up my 1st OBSD system and am making slow and steady
>> > progress
>> > getting it together, but I'd like a simple question answered: can
>> > OpenBSD be a NATing router *AND* a MAC filter simultaneously, based
>> > on the baseline
>> > distro ?
>>
>> No, unless you adopt static routing.
>>
>
> Maybe, I'm dumb, but I don't see what you're talking about in any
> search I've done on Google or any other search engine. Hell, there's
> damn little on the subject of MAC filtering via BSD, even though
> the various implementations seem to be well-suited to the job.

Set up static routing with arp. man arp. _You_ tell in a static way
which ip belongs to a mac address. Seems to me as a _very_ strict mac
filter. ;-)

This is what I did on my wireless gateway:

[blackhole] /etc # cat hostname.wi0
inet 192.168.1.1 255.255.255.0 NONE
!ifconfig wi0 nwid freenet nwkey 0xwouldntyouliketoknow mediaopt hostap
!ifconfig enc0 up
!wicontrol -A 2
!arp -s 192.168.1.9 00:12:34:56:78:90 static

Now I have double 'security' (wep and mac). However, the real security
is created by only allowing an ipsec tunnel in. That takes care of
eavesdropping in an effective way. It also clears the final
second-thoughts about wireless security. I don't see normal persons
break 128 bits aes encryption that fast. <g>

>
> My own experiments reveal MAC filtering is only possible if the
> host is a bridge and NATing is only available on a gateway/router.
> Can you confirm or deny this, based on your own experiences ?

Does the above answer your question?

>
>> > I ask bec I *believe* one needs two machines to achieve the
>> > same
>> > result w/ FreeBSD. That is, I can filter MACs if my test machine
>> > is a bridge, but I also need a NATing router, which doesn't seem to
>> > work until I switch to gateway mode.
>>
>> No. Why on earth do want such a useless, needlessly complex setup?
>>
>
> Again, I don't grok what you're referring to at all. I'm on a team
> doing a wireless ISP install for a Fortune 500 corp's sites, so I
> understand a bit
> about the subject.

That is _not_ a qualifier. I've worked for a fortune 500 company as
well, and I cannot say that the networking department in general was
_that_ competent. They were good a providing network access. Not at
securing it...

> My corp client is using RADIUS authentication via
> a local, Linux based AP, to give its wireless clients Internet access.
> However, once the system is fully operational, my corp client will
> have an external authentication service provider, gate public Internet
> access to its clients.

So, if it is public, why the worry?

>
> I normally work in a store, where MAC filtering *could* do the trick
> (here wireless clients are fewer and far between.)

Again: _which_ trick?

> I can get my FBSD
> box to do MAC filtering (to limit LAN access), but I *apparently* need
> an entirely different host, NATing wireless clients to the public
> Internet,
> via a single public IP. This is essentially the same as my corporate
> client, except I'd like to use manual authentication via MAC addresses
> and they've opted for an automatic, authentication server.
>

I still fail to see why you need mac authentication. If you really need
it, stay with linux. That is for sure capable of taking care of it.
(Have a look at shorewall, www.shorewall.net where filtering is taken
to a higher abstraction layer that plain iptables).

> Consequently, I don't grok your comment: 'Why on earth do want such a
> useless, needlessly complex setup?'

As mentioned above, I fail to see your need for mac authentication.

Try to explain _why_ you would need mac filtering? OTOH always remember
that sniffing shows mac addresses. And guess what? I can program _that_
mac address in _my_ computer. It _does_ _not_ _help_ _to_ _protect_
you. Properly confgured vpn's do.

HTH,

EJ
--
Remove the obvious part (including the dot) for my email address

erik <erik@geenspam.vanwesten.net> wrote in message news:<3f0f2871$0$49114$e4fe514c@news.xs4all.nl>...
> The Jetman wrote:
>
> > erik <erik@geenspam.vanwesten.net> wrote in message
> > news:<3f077873$0$49106$e4fe514c@news.xs4all.nl>...
> >> The Jetman wrote:
> >>
> >> > I just set up my 1st OBSD system and am making slow and steady
> >> > progress
> >> > getting it together, but I'd like a simple question answered: can
> >> > OpenBSD be a NATing router *AND* a MAC filter simultaneously, based
> >> > on the baseline
> >> > distro ?
> >>
> >> No, unless you adopt static routing.
> >>
> >
> > Maybe, I'm dumb, but I don't see what you're talking about in any
> > search I've done on Google or any other search engine. Hell, there's
> > damn little on the subject of MAC filtering via BSD, even though
> > the various implementations seem to be well-suited to the job.
>
> Set up static routing with arp. man arp. _You_ tell in a static way
> which ip belongs to a mac address. Seems to me as a _very_ strict mac
> filter. ;-)
>

Erik:

Communcations failure. This isn't what I know as static routing, that
is, setup a route via some IP routing agent. But I grok you, this time.

> This is what I did on my wireless gateway:
>
> [blackhole] /etc # cat hostname.wi0
> inet 192.168.1.1 255.255.255.0 NONE
> !ifconfig wi0 nwid freenet nwkey 0xwouldntyouliketoknow mediaopt hostap
> !ifconfig enc0 up
> !wicontrol -A 2
> !arp -s 192.168.1.9 00:12:34:56:78:90 static
>
> Now I have double 'security' (wep and mac). However, the real security
> is created by only allowing an ipsec tunnel in. That takes care of
> eavesdropping in an effective way. It also clears the final
> second-thoughts about wireless security. I don't see normal persons
> break 128 bits aes encryption that fast. <g>
>
> >
> > My own experiments reveal MAC filtering is only possible if the
> > host is a bridge and NATing is only available on a gateway/router.
> > Can you confirm or deny this, based on your own experiences ?
>
> Does the above answer your question?
>

Sure does !

[snip]

> I still fail to see why you need mac authentication. If you really need
> it, stay with linux. That is for sure capable of taking care of it.
> (Have a look at shorewall, www.shorewall.net where filtering is taken
> to a higher abstraction layer that plain iptables).
>
> > Consequently, I don't grok your comment: 'Why on earth do want such a
> > useless, needlessly complex setup?'
>
> As mentioned above, I fail to see your need for mac authentication.
>
> Try to explain _why_ you would need mac filtering? OTOH always remember
> that sniffing shows mac addresses. And guess what? I can program _that_
> mac address in _my_ computer. It _does_ _not_ _help_ _to_ _protect_
> you. Properly confgured vpn's do.
>

Good point ! Learned something new. You're rite, VPNs provide the best
security, but not practical for ad hoc users. Actually, your suggestion
*is* a kind of MAC filtering, just using a different piece of sware. The
OS already tells me when ARP mapping changes, so I can deal w/ spoofers
almost instantly. These MAC manipulations simply mean that the attacker
can't get an IP, unless he/shee *really* works for it.

> HTH,
>

Thanx. This was just what the doctor ordered. Later...Jet

The Jetman wrote:

> erik <erik@geenspam.vanwesten.net> wrote in message
> news:<3f0f2871$0$49114$e4fe514c@news.xs4all.nl>...
>> The Jetman wrote:
>>
>> > erik <erik@geenspam.vanwesten.net> wrote in message
>> > news:<3f077873$0$49106$e4fe514c@news.xs4all.nl>...
>> >> The Jetman wrote:
>> >>
>> >> > I just set up my 1st OBSD system and am making slow and steady
>> >> > progress
>> >> > getting it together, but I'd like a simple question answered:
>> >> > can OpenBSD be a NATing router *AND* a MAC filter
>> >> > simultaneously, based on the baseline
>> >> > distro ?
>> >>
>> >> No, unless you adopt static routing.
>> >>
>> >
>> > Maybe, I'm dumb, but I don't see what you're talking about in any
>> > search I've done on Google or any other search engine. Hell,
>> > there's damn little on the subject of MAC filtering via BSD, even
>> > though the various implementations seem to be well-suited to the
>> > job.
>>
>> Set up static routing with arp. man arp. _You_ tell in a static way
>> which ip belongs to a mac address. Seems to me as a _very_ strict
>> mac filter. ;-)
>>
>
> Erik:
>
> Communcations failure. This isn't what I know as static routing, that
> is, setup a route via some IP routing agent.

O, but by definition this _is_ static routing. Do the same on all your
switches and routers and you create a very secure environment.
Difficult to maintain though, but secure.

> But I grok you, this
> time.
>
>> This is what I did on my wireless gateway:
>>
>> [blackhole] /etc # cat hostname.wi0
>> inet 192.168.1.1 255.255.255.0 NONE
>> !ifconfig wi0 nwid freenet nwkey 0xwouldntyouliketoknow mediaopt
>> hostap !ifconfig enc0 up
>> !wicontrol -A 2
>> !arp -s 192.168.1.9 00:12:34:56:78:90 static
>>
>> Now I have double 'security' (wep and mac). However, the real
>> security is created by only allowing an ipsec tunnel in. That takes
>> care of eavesdropping in an effective way. It also clears the final
>> second-thoughts about wireless security. I don't see normal persons
>> break 128 bits aes encryption that fast. <g>
>>
>> >
>> > My own experiments reveal MAC filtering is only possible if the
>> > host is a bridge and NATing is only available on a gateway/router.
>> > Can you confirm or deny this, based on your own experiences ?
>>
>> Does the above answer your question?
>>
>
> Sure does !
>
> [snip]
>
>> I still fail to see why you need mac authentication. If you really
>> need it, stay with linux. That is for sure capable of taking care of
>> it. (Have a look at shorewall, www.shorewall.net where filtering is
>> taken to a higher abstraction layer that plain iptables).
>>
>> > Consequently, I don't grok your comment: 'Why on earth do want such
>> > a useless, needlessly complex setup?'
>>
>> As mentioned above, I fail to see your need for mac authentication.
>>
>> Try to explain _why_ you would need mac filtering? OTOH always
>> remember that sniffing shows mac addresses. And guess what? I can
>> program _that_ mac address in _my_ computer. It _does_ _not_ _help_
>> _to_ _protect_ you. Properly confgured vpn's do.
>>
>
> Good point ! Learned something new. You're rite, VPNs provide the
> best
> security, but not practical for ad hoc users. Actually, your
> suggestion
> *is* a kind of MAC filtering, just using a different piece of sware.

That's what I told you in the first place. :-)

> The OS already tells me when ARP mapping changes, so I can deal w/
> spoofers
> almost instantly. These MAC manipulations simply mean that the
> attacker can't get an IP, unless he/shee *really* works for it.

Give me 30 seconds, a sniffer and maybe ettercap and your mac based
protection is broken... :-).

>
>> HTH,
>>
>
> Thanx. This was just what the doctor ordered. Later...Jet

AFAIK there has been some discussion if mac filtering should be
implemented in pf. a.o. for the abovementioned arguments it was decided
against, since it did not really help to protect. Maybe Daniel can shed
some light on this topic if he isn't on holiday right now.

EJ
--
Remove the obvious part (including the dot) for my email address