On Fri, Feb 20, 2009 at 3:20 PM, apiase...@midatlanticbb.com
<apiase...@midatlanticbb.com> wrote:
> I guess my real goal is that anywhere an IP address can be used in pfSense, a
> MAC address could be used also, but the MAC address would simply be replaced
> with whatever its IP is in the arp table. Of course some things like the
> LAN IP, etc. would not work this way.
>

ipfw allows filtering by MAC address, and with captive portal (which
uses ipfw) you can achieve certain MAC filtering functions. The
original poster asked about bridging, which doesn't work with CP.

pf doesn't support MAC filtering. I had a discussion on this with
Henning Brauer, one of the primary OpenBSD pf developers, over a
3-digit bar tab in DC at DCBSDCon earlier this month. His stance is that
it's stupid to use MAC addresses in your firewall rulesets - that's the
wrong place to control MAC addresses; that either needs to be done on
the switches (or APs if you're using wireless), or using static ARP,
if you really want to go to the trouble. It only applies to
same-subnet hosts, so its functionality is limited there as well. It's
a ton of work for essentially no return though, at least not from a
true security perspective, which is how they tend to look at things.

I do see the case for it in some specific scenarios, I'm not dead set
against it as the OpenBSD guys are, but the chances of seeing this
functionality are slim. Options are some nasty hacks tying in ipfw,
which would be limited to pass/block, or some heavy lifting in C to
significantly modify pf. Neither of those are likely to happen.


> I work with a very large DHCP network, 1,000+ users. I do not have any
> control over the devices connecting, and the devices do not
> stay the same. Furthermore, this is a wireless network, so users are roaming
> between access points
>

With 1000+ users I would hope that they're not on the same broadcast
domain; there's a router involved somewhere before they get to the
firewall, which means the host's MAC won't even be available when the
traffic gets to the firewall.

DHCP reservations for hosts that require special treatment are the way to go.
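The two points made above (a MAC only resolves to an IP through the ARP table when the host is on a directly attached subnet, and a DHCP reservation ties a MAC to an address only as long as that MAC is really the one answering for it) are easy to check on the box itself. The script below is an added example written for this reply; it is not pfSense code and not something the original poster ran. It parses FreeBSD-style `arp -an` output, resolves a MAC to the addresses it currently holds, and flags reserved addresses whose ARP entry shows a different MAC. The ARP lines, the reservation map and the MAC/IP values are constructed sample data, not captured from a real network.

```python
"""Resolve MAC-based policy through the ARP table and cross-check DHCP reservations.

Added example for this thread; not part of pfSense. Sample data below is constructed.
"""
import re

# Constructed sample of `arp -an` output in FreeBSD format (not a real capture).
# The first entry is a static (permanent) ARP entry, as created with `arp -S`.
ARP_SAMPLE = """\
? (192.168.1.1) at 00:0c:29:aa:bb:cc on em1 permanent [ethernet]
? (192.168.1.20) at 00:11:22:33:44:55 on em1 expires in 1180 seconds [ethernet]
? (192.168.1.21) at 00:11:22:33:44:66 on em1 expires in 600 seconds [ethernet]
? (192.168.1.30) at de:ad:be:ef:00:01 on em1 expires in 900 seconds [ethernet]
? (10.0.5.1) at 00:50:56:01:02:03 on em2 expires in 300 seconds [ethernet]
"""

# Constructed DHCP reservations (MAC -> fixed-address), as in dhcpd.conf host stanzas.
RESERVATIONS = {
    "00:11:22:33:44:55": "192.168.1.20",
    "00:11:22:33:44:66": "192.168.1.21",
    "aa:bb:cc:dd:ee:ff": "192.168.1.30",  # reserved, but another MAC answers for .30 above
}

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_arp(text):
    """Turn `arp -an` output into a list of {ip, mac, iface, permanent} dicts.

    Lines that do not carry a resolved MAC (e.g. "(incomplete)") are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "mac": m["mac"].lower(),
            "iface": m["iface"],
            "permanent": "permanent" in line,  # static entry, survives expiry
        })
    return entries


def resolve_mac_to_ips(entries, mac):
    """Addresses currently held by a MAC, which is what a 'MAC in a rule' would expand to.

    Only neighbours on a directly attached subnet can appear in the ARP table; a host
    behind a router never shows up here, so this returns [] for it (the firewall only
    ever sees the router's MAC for that traffic).
    """
    return sorted(e["ip"] for e in entries if e["mac"] == mac.lower())


def check_reservations(entries, reservations):
    """Compare reservations against the wire.

    Returns (ip, reserved_mac, seen_mac, status) tuples where status is
    'mismatch' (a different MAC is answering for the reserved address, i.e. squatting
    or a spoofed MAC) or 'absent' (nothing in the ARP table for that address).
    """
    by_ip = {e["ip"]: e["mac"] for e in entries}
    findings = []
    for mac, ip in reservations.items():
        seen = by_ip.get(ip)
        if seen is None:
            findings.append((ip, mac.lower(), None, "absent"))
        elif seen != mac.lower():
            findings.append((ip, mac.lower(), seen, "mismatch"))
    return findings


if __name__ == "__main__":
    table = parse_arp(ARP_SAMPLE)
    print("00:11:22:33:44:55 ->", resolve_mac_to_ips(table, "00:11:22:33:44:55"))
    print("unknown MAC       ->", resolve_mac_to_ips(table, "ff:ff:ff:ff:ff:01"))
    for ip, reserved, seen, status in check_reservations(table, RESERVATIONS):
        print(f"{ip}: reserved for {reserved}, seen {seen}, {status}")
```

On a live pfSense box the `ARP_SAMPLE` string would be replaced by the output of `arp -an`, and the reservation map by the host stanzas from dhcpd.conf. The mismatch finding is the practical caveat behind the reply: a reservation (or a static ARP entry) only pins a MAC to an address from the server's point of view; it does nothing to stop another station from claiming the address or the MAC, so the real enforcement still belongs on the switch or AP.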
