Re: [pfSense Support] MAC based Access Control
I think it would be a useful feature to have; if you have a pfsense box at the end of a leased line, private virtual circuit or VPN, it would be good to check that the device at the other end has x MAC address to try and rule out any security features like a MITM attack or something like that... Just my two pence on that anyway. --James. (This email was sent from a mobile device, this is not secure)
Re: [pfSense Support] MAC based Access Control
On 29-11-2010 10:51, James Bensley wrote: I think it would be a useful feature to have; if you have a pfsense box at the end of a leased line, private virtual circuit or VPN, it would be good to check that the device at the other end has x MAC address to try and rule out any security features like a MITM attack or something like that... Just my two pence on that anyway. pf can not filter by MAC address. Regards, Seth - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] MAC based Access Control
On Mon, Nov 29, 2010 at 4:51 AM, James Bensley jwbens...@gmail.com wrote: I think it would be a useful feature to have; if you have a pfsense box at the end of a leased line, private virtual circuit or VPN, it would be good to check that the device at the other end has x MAC address to try and rule out any security features like a MITM attack or something like that... It really isn't that useful, since spoofing a MAC address is fairly trivial. So, the theoretical MITM attack prevention would just be false security, and might be why pfsense doesn't support it. Now, it might be nice to have something in place to make things harder, but this wouldn't be adding anything hard to work around. Thanks, Gerald
Re: [pfSense Support] MAC based Access Control
On 11/29/2010 5:18 AM, Gerald A wrote: On Mon, Nov 29, 2010 at 4:51 AM, James Bensley jwbens...@gmail.com wrote: I think it would be a useful feature to have; if you have a pfsense box at the end of a leased line, private virtual circuit or VPN, it would be good to check that the device at the other end has x MAC address to try and rule out any security features like a MITM attack or something like that... It really isn't that useful, since spoofing a MAC address is fairly trivial. So, the theoretical MITM attack prevention would just be false security, and might be why pfsense doesn't support it. Now, it might be nice to have something in place to make things harder, but this wouldn't be adding anything hard to work around. Thanks, Gerald If you're using pfsense with unknown clients it's beneficial. For example a hotel: you have no idea who is connecting, and where they are connecting from. Most of the time the users have no idea how to change the MAC address, not to mention that they would know that is the problem. If they do, you deal with it at that point. I understand it's a false sense of security, but I can see how it would be helpful. Maybe a package can be made with the understanding that it's not 100% foolproof. You could also make this same argument for the captive portal MAC address filtering, and that's been in pfsense forever. Adam -- Adam M Piasecki MidAtlanticBroadband Office: 410-727-8250 x 123 Cell: 940-224-4837 Fax: 410-727-8245
Re: [pfSense Support] MAC based Access Control
On Mon, Nov 29, 2010 at 8:11 AM, Adam Piasecki apiase...@midatlanticbb.com wrote: I understand it's a false sense of security, but I can see how it would be helpful. Maybe a package can be made with the understanding that it's not 100% foolproof. So you have a security feature that works, except when it doesn't. The problem is there is no way to tell when it is not working, so how do you deal with it then?
Re: [pfSense Support] MAC based Access Control
I was under the impression that pfsense was layer 3 software. IMO, I don't think it should be dealing with layer 2. You can always use a switch with port security. On Nov 29, 2010 8:21 AM, Vick Khera vi...@khera.org wrote: On Mon, Nov 29, 2010 at 8:11 AM, Adam Piasecki apiase...@midatlanticbb.com wrote: I understand it's a false sense of security, but I can see how it would be helpful. Maybe a package can be made with the understanding that it's not 100% foolproof. So you have a security feature that works, except when it doesn't. The problem is there is no way to tell when it is not working, so how do you deal with it then?
RE: [pfSense Support] MAC based Access Control
Is there a way to manually specify an IP to a MAC in the ARP tables? That way you could filter based on IP, and if someone changed their IP to avoid the filters, their internet access wouldn't work. You could then take it a step further and lock down the switch port to only that one MAC, and if they got clever and changed their MAC, that wouldn't work either. Just a thought. Feel free to blast away. Ryan Rodrigue, Systems Technician, A A R Electronics, Inc, P.O. Box 4336, Houma, LA 70361; 510 West Tunnel Blvd, Houma, LA 70360; Phone (985) 876-4096, Phone (800) 649-7346, Fax (985) 853-1034; radiote...@aaremail.com; www.aarelectronics.com From: stephen at stephenjc [mailto:step...@stephenjc.com] Sent: Monday, November 29, 2010 8:19 AM To: support@pfsense.com Subject: Re: [pfSense Support] MAC based Access Control I was under the impression that pfsense was layer 3 software. IMO, I don't think it should be dealing with layer 2. You can always use a switch with port security. On Nov 29, 2010 8:21 AM, Vick Khera vi...@khera.org wrote: On Mon, Nov 29, 2010 at 8:11 AM, Adam Piasecki apiase...@midatlanticbb.com wrote: I understand it's a false sense of security, but I can see how it would be helpful. Maybe a package can be made with the understanding that it's not 100% foolproof. So you have a security feature that works, except when it doesn't. The problem is there is no way to tell when it is not working, so how do you deal with it then?
Re: [pfSense Support] MAC based Access Control
On 29 November 2010 14:18, stephen at stephenjc step...@stephenjc.com wrote: I was under the impression that pfsense was layer 3 software. IMO, I don't think it should be dealing with layer 2. You can always use a switch with port security. But as Gerald has pointed out; On 29 November 2010 10:18, Gerald A geraldabli...@gmail.com wrote: It really isn't that useful, since spoofing a MAC address is fairly trivial. So, I guess not. To be honest I don't think it's a bad idea. On 29 November 2010 13:21, Vick Khera vi...@khera.org wrote: So you have a security feature that works, except when it doesn't. The problem is there is no way to tell when it is not working, so how do you deal with it then? How do you tell when it is the actual user who owns the user account that is accessing it? You can't watch every user log on and off? Seems like a rhetorical question to me. Also Gerald, you suggested it would be easy to bypass. For you, I imagine; a cryptographer wouldn't have such luck but would kick my butt at getting into our VPN... We all know no system is impenetrable but we make it as tough as we can. I think it's a good idea if it's another thing to toughen the system. -- Regards, James. http://www.jamesbensley.co.cc/ There are 10 kinds of people in the world; Those who understand Vigesimal, and J others...?
[pfSense Support] (non)local address resolution
pfsense is set up like this: pfsense--WAN (public IP x) --OPT1 (public IP y/30) Connected to OPT1 is the client's Cisco firewall which is NATing for a 172.21.50/23 subnet. Their DHCP is handing out pfsense's OPT1 address as DNS server, and pfsense is running the DNS forwarder. This works well, but I see a lot of this in tcpdump:

    12:16:56.091858 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
    12:16:57.104593 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
    12:16:58.118720 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
    12:17:00.130979 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
    12:17:04.140636 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
    12:17:08.150841 IP 172.21.253.1.64392 > 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
    12:17:09.162988 IP 172.21.253.1.64392 > 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
    12:17:10.177054 IP 172.21.253.1.64392 > 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
    12:17:12.189584 IP 172.21.253.1.64392 > 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
    12:17:16.198448 IP 172.21.253.1.64392 > 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
    12:17:20.210048 IP 172.21.253.1.62240 > 69.165.225.178.53: 5700+ SOA? 175.50.21.172.in-addr.arpa. (44)
    12:17:21.221601 IP 172.21.253.1.62240 > 69.165.225.178.53: 5700+ SOA? 175.50.21.172.in-addr.arpa. (44)
    12:17:22.235856 IP 172.21.253.1.62240 > 69.165.225.178.53: 5700+ SOA? 175.50.21.172.in-addr.arpa. (44)
    12:17:24.247893 IP 172.21.253.1.62240 > 69.165.225.178.53: 5700+ SOA? 175.50.21.172.in-addr.arpa. (44)
    12:17:28.256892 IP 172.21.253.1.62240 > 69.165.225.178.53: 5700+ SOA? 175.50.21.172.in-addr.arpa. (44)
    12:17:32.267370 IP 172.21.253.1.53081 > 69.165.225.178.53: 32343+ SOA? 177.50.21.172.in-addr.arpa. (44)
    12:17:33.280650 IP 172.21.253.1.53081 > 69.165.225.178.53: 32343+ SOA? 177.50.21.172.in-addr.arpa. (44)

172.21.253.1 is the Windows DNS server on the client's network which they were using, but won't be using for this subnet in the future. The DNS server option was changed in DNS just a few hours short of 7 days ago, and DHCP leases are 1 week, so I suppose it's possible but not likely that there are DHCP clients active on that network that are still using (or trying to use) the old DNS server. So I'm just wondering exactly what these packets are about and whether I should be concerned at all for proper DNS function. I did a bit of searching on SOA DNS but no lights are going on for me yet. db
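A way to read the capture above, as an added example that is not part of the original post or of pfSense: the query names are reverse-lookup names, and `166.50.21.172.in-addr.arpa` decodes to 172.21.50.166, inside the client's 172.21.50/23. An SOA query for a reverse zone is the lookup a client makes to find the zone's primary master before attempting a dynamic update (RFC 2136), which is the usual reason a Windows DNS server emits them, but the thread itself does not confirm that, so treat it as an interpretation. The script parses tcpdump lines of the shape shown (the `>` between source and destination is optional so lines pasted without it still parse), decodes the in-addr.arpa names, counts per-query-id retries and reports which targets fall inside a given subnet. The sample lines are constructed in that shape; the subnet and addresses come from the post.

```python
"""Decode reverse-zone SOA queries out of tcpdump DNS output."""
import re
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

# Matches tcpdump's "ts IP src.port > dst.port: id+ QTYPE? name. (len)" summary.
# The "+" after the id means recursion desired; ">" is optional because
# pasted captures often lose it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) >? ?"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<qid>\d+)(?P<rd>\+?) (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<length>\d+)\)$"
)

# Constructed sample in the shape of the lines quoted in the post.
SAMPLE = """\
12:16:56.091858 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:16:57.104593 IP 172.21.253.1.52683 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:17:08.150841 IP 172.21.253.1.64392 > 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
12:17:20.210048 IP 172.21.253.1.62240 > 69.165.225.178.53: 5700+ SOA? 175.50.21.172.in-addr.arpa. (44)
12:17:32.267370 IP 172.21.253.1.53081 > 69.165.225.178.53: 32343+ A? www.example.com. (33)
"""


def parse_line(line):
    """Return a dict of the fields in one tcpdump DNS query line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["qid"] = int(d["qid"])
    d["rd"] = d["rd"] == "+"
    d["length"] = int(d["length"])
    return d


def reverse_name_to_ip(qname):
    """Turn d.c.b.a.in-addr.arpa into IPv4Address a.b.c.d; None if not one."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        return IPv4Address(".".join(reversed(labels[:4])))
    except ValueError:
        return None


def summarize(text, local_net):
    """Group reverse-zone SOA queries by id and place their targets in/outside local_net."""
    net = IPv4Network(local_net)
    retries = Counter()   # query id -> times the same question was sent
    targets = {}          # query id -> decoded IPv4Address
    others = Counter()    # everything that is not a reverse-zone SOA query
    for line in text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        ip = reverse_name_to_ip(q["qname"]) if q["qtype"] == "SOA" else None
        if ip is None:
            others[q["qtype"]] += 1
            continue
        retries[q["qid"]] += 1
        targets[q["qid"]] = ip
    return {
        "reverse_soa_queries": sum(retries.values()),
        "distinct_targets": len(targets),
        "max_retries": max(retries.values(), default=0),
        "inside_local_net": sorted({str(ip) for ip in targets.values() if ip in net}),
        "outside_local_net": sorted({str(ip) for ip in targets.values() if ip not in net}),
        "other_queries": dict(others),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE, "172.21.50.0/23").items():
        print(f"{k}: {v}")
```

Repeated queries with the same id and growing gaps (1 s, 1 s, 2 s, 4 s in the post) are a resolver retrying a question it never got answered; the forwarder on OPT1 is probably not authoritative for the private reverse zone and has nowhere useful to send it, which is why the Windows server keeps asking.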
Re: [pfSense Support] MAC based Access Control
On Mon, Nov 29, 2010 at 4:51 AM, James Bensley jwbens...@gmail.com wrote: I think it would be a useful feature to have; if you have a pfsense box at the end of a leased line, private virtual circuit or VPN, it would be good to check that the device at the other end has x MAC address to try and rule out any security features like a MITM attack or something like that... If you're concerned about that, you need something cryptographically secure - a VPN across it, not relying on something trivial to change. Anyone smart enough to MITM a private circuit is most certainly going to be able to spoof a MAC address. On Mon, Nov 29, 2010 at 9:32 AM, Ryan Rodrigue radiote...@aaremail.com wrote: Is there a way to manually specify an IP to a MAC in the ARP tables? You can enforce static ARP on an interface.
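Static ARP, as suggested in the reply above, only pays off if someone actually looks at the table and compares it with what was provisioned. The script below is an added example, not pfSense code and not from anyone in the thread: it parses output in the shape of FreeBSD's `arp -an` (pfSense runs on FreeBSD; the sample lines are constructed, with 192.0.2.0/24 documentation addresses and made-up MACs) and checks it against a hypothetical IP-to-MAC allowlist. It reports IPs seen with a different MAC, expected entries that are dynamic rather than permanent, expected IPs that are missing, and one MAC that appears on several IPs, which is what a duplicate or cloned address looks like from the router. It also shows the limit both Gerald and the reply above point at: a host that copies the victim's IP and MAC produces a table that looks exactly right, so nothing here catches it.

```python
"""Audit an ARP table (FreeBSD `arp -an` shape) against a static IP->MAC allowlist."""
import re
from collections import defaultdict

# One FreeBSD `arp -an` entry: "? (ip) at mac on iface permanent|expires in N seconds [ethernet]"
ARP_RE = re.compile(
    r"^\S+ \((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"on (?P<iface>\S+) (?P<state>permanent|expires in \d+ seconds)",
    re.IGNORECASE,
)

# Constructed sample table; addresses and MACs are made up.
SAMPLE_ARP = """\
? (192.0.2.1) at 00:11:22:33:44:01 on em1 permanent [ethernet]
? (192.0.2.10) at 00:11:22:33:44:10 on em1 permanent [ethernet]
? (192.0.2.11) at 00:11:22:33:44:99 on em1 expires in 1177 seconds [ethernet]
? (192.0.2.12) at 00:11:22:33:44:10 on em1 expires in 900 seconds [ethernet]
"""

# Hypothetical allowlist: what the admin provisioned as static ARP entries.
EXPECTED = {
    "192.0.2.10": "00:11:22:33:44:10",
    "192.0.2.11": "00:11:22:33:44:11",
    "192.0.2.20": "00:11:22:33:44:20",
}


def parse_arp(text):
    """Return {ip: (mac, iface, permanent)} for every parsable line."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            table[m["ip"]] = (m["mac"].lower(), m["iface"], m["state"].lower() == "permanent")
    return table


def audit(table, expected):
    """Compare a parsed table with the allowlist and return the findings."""
    expected = {ip: mac.lower() for ip, mac in expected.items()}
    findings = {"mismatched": {}, "not_permanent": [], "missing": [], "mac_reuse": {}}
    for ip, mac in expected.items():
        if ip not in table:
            findings["missing"].append(ip)
            continue
        seen_mac, _iface, permanent = table[ip]
        if seen_mac != mac:
            findings["mismatched"][ip] = (mac, seen_mac)
        if not permanent:
            # A dynamic entry for an IP that should be static means the
            # static mapping was never installed (or was flushed).
            findings["not_permanent"].append(ip)
    # The same MAC answering for several IPs is what a clone or a proxy-ARP
    # box looks like; a perfect clone of both IP and MAC is invisible here.
    by_mac = defaultdict(list)
    for ip, (mac, _iface, _perm) in table.items():
        by_mac[mac].append(ip)
    findings["mac_reuse"] = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    findings["missing"].sort()
    findings["not_permanent"].sort()
    return findings


if __name__ == "__main__":
    for key, value in audit(parse_arp(SAMPLE_ARP), EXPECTED).items():
        print(f"{key}: {value}")
```

Run it against `arp -an` output from the box itself; a mismatch or a dynamic entry where a permanent one was expected is worth a look, but an empty report is not proof of anything, which is the thread's point.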