# macaddr_acl not taken into account in hostapd settings
## patpro (Jan 21, 2011)

Hello,

I have been running a WiFi AP on a FreeBSD box for years now, and I've recently switched from 6.4 to 8.1. Many things have changed, but I think I've handled the switch pretty well... until last night, when I noticed that hostapd won't take my macaddr_acl=1 setting into account.

Here are my /etc/hostapd.conf settings:


```
# grep ^[^#] /etc/hostapd.conf 
interface=wlan0
logger_syslog=-1
logger_syslog_level=1
logger_stdout=-1
logger_stdout_level=1
debug=2
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=youdontknowme
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
auth_algs=3
eapol_key_index_workaround=0
own_ip_addr=127.0.0.1
wpa=1
wpa_passphrase=my very little secret
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP
```

and rc.conf:


```
ifconfig_wlan0="inet 192.168.1.1 netmask 255.255.255.0 ssid youdontknowme mode 11g pureg up"
```

Despite macaddr_acl=1, I can still connect to my hostapd AP with an unknown WiFi client.

Any idea?


----------



## SirDice (Jan 21, 2011)

To be honest, MAC address filtering is utterly useless as a security precaution. Your MAC addresses are transmitted in the clear even when you use encryption. A would-be attacker can easily grab them when monitoring the traffic. It's also trivial to change a MAC address on a network card, even on Windows.


----------



## patpro (Jan 22, 2011)

SirDice said:

> To be honest MAC address filtering is utterly useless as a security precaution. Your MAC addresses are transmitted in the clear even when you use encryption. A would-be-attacker can easily grab them when monitoring the traffic. It's also trivial to change a MAC address on a network card, even on Windows.

I know all of this, but I also know that it's often the least protected WiFi network that gets hacked first (just because it's easier and faster). A weak obstacle is always better than no obstacle at all, as long as you know it's weak. And I know that.


----------



## SirDice (Jan 23, 2011)

Yes, but the strength of your security comes from the chosen encryption and pass-phrase, not the MAC filtering.


----------



## nakal (Jan 23, 2011)

When you protect against other MAC addresses, the attacker will take *your* MAC and you won't even see his real MAC in your logs. You are actually making your security *worse*.


----------



## patpro (Jan 24, 2011)

SirDice: by the way, what do you think about my config? (except the passphrase of course, which is not the actual one)

nakal: a MAC address is not trustworthy (it's user input, like the User-Agent in HTTP). So if I find an attacker's MAC address in my logs, it's probably forged.

That said, I'm not here to debate security, I just want that setting to work as it should, and understand why it's not taken into account.


----------



## nakal (Jan 24, 2011)

> MAC address is not trustable (it's a user input, like User Agent in HTTP). So if I found one attacker MAC address in my logs, it's probably forged.

You cannot know that; maybe you are lucky (btw, even when someone uses fake MACs it might be possible to find his real MAC).

But if you only allow your own MACs, it will be surely forged and you never get any additional information about the attacker.


----------



## bschmidt (Jan 24, 2011)

patpro said:

> That said, I'm not here to debate security, I just want that setting to work as it should, and understand why it's not taken into account.

Can you verify that the *macaddr_acl* option ever worked? It isn't mentioned in hostapd.conf(8) and I don't see any handling in the driver_freebsd.c glue. Based on that I suppose it never actually worked.


----------



## patpro (Jan 25, 2011)

nakal said:

> You cannot know it, maybe you are lucky (btw, even when someone uses fake MACs it might be possible to find his real MAC).
> 
> But if you only allow your own MACs, it will be surely forged and you never get any additional information about the attacker.

I don't think luck has anything to do with security. And I'm pretty confident I can get additional information about an attacker, because I'm logging all the wifi traffic going through my AP.


*bschmidt*: I can't verify, because I don't want to re-install a FreeBSD 6.x. I created my AP back in 2007, running FreeBSD 6.2 (back then, the hostapd.conf man page was just a placeholder). I'm sure it worked at that time. Now that I'm running 8.x, it does not work anymore, so maybe you're right, and it can't work.


----------



## patpro (Jan 29, 2011)

*michal*: that's interesting, thank you. It looks like it's impossible to provide a file (MAC address list) 
Did you try to provide mac:add XXXXXX in your ifconfig_wlan0 setting in rc.conf?


----------
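The thread ends with bschmidt's observation that hostapd's FreeBSD driver glue does not handle `macaddr_acl`, and patpro's hint that the station ACL lives in net80211 instead, driven by the `mac:` options of ifconfig(8) (`mac:flush`, `mac:add`, `mac:allow`, `mac:deny`, `mac:open`, `mac:kick`; see also wlan_acl(4)). The added script below is not from any poster and not part of hostapd or FreeBSD: it reads a file in the `accept_mac_file` format (one MAC per line, `#` comments, optional trailing VLAN id), validates each address, and prints the ifconfig commands that would load the same list into the net80211 ACL and switch the policy to allow-listed-only. It only prints; piping its output into `sh` on the AP is the operator's choice, and the sample accept file it writes is constructed data. The kernel ACL is checked at association time independently of hostapd, which is consistent with the thread, but as SirDice and nakal point out, it is a speed bump rather than a control: a station can present any address it has sniffed from the air.

```shell
#!/bin/sh
# Added example: turn a hostapd-style accept file into FreeBSD net80211
# ACL commands for ifconfig(8). Not taken from the thread or from hostapd.

# normalize_mac TOKEN
# Print TOKEN as lower-case aa:bb:cc:dd:ee:ff, accepting the dash form too.
# Return 1 (printing nothing) for anything that is not six hex octets.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        ??:??:??:??:??:??) ;;
        ??-??-??-??-??-??) mac=$(printf '%s' "$mac" | tr '-' ':') ;;
        *) return 1 ;;
    esac
    # Anything left after deleting hex digits and colons is a bad character.
    [ -z "$(printf '%s' "$mac" | tr -d '0-9a-f:')" ] || return 1
    printf '%s\n' "$mac"
}

# acl_commands IFACE FILE
# Emit, on stdout, the ifconfig commands that rebuild the ACL of IFACE from
# FILE: flush the table, add every valid address, then enable allow-list
# policy so only listed stations may associate. Malformed lines are
# reported on stderr and skipped rather than aborting the whole rebuild,
# so a typo in one entry never leaves the interface with an empty ACL and
# an "allow" policy that locks everyone out.
acl_commands() {
    ifn=$1
    file=$2
    printf 'ifconfig %s mac:flush\n' "$ifn"
    # `read` splits on whitespace: the first field is the MAC, the rest
    # (hostapd's optional VLAN id) is ignored here.
    while read -r mac rest || [ -n "$mac" ]; do
        case "$mac" in
            ''|'#'*) continue ;;        # blank line or comment
        esac
        if m=$(normalize_mac "$mac"); then
            printf 'ifconfig %s mac:add %s\n' "$ifn" "$m"
        else
            printf 'skipping malformed entry: %s\n' "$mac" >&2
        fi
    done < "$file"
    printf 'ifconfig %s mac:allow\n' "$ifn"
}

# Stand-alone run: constructed sample accept file (not a real station list).
SAMPLE=$(mktemp) || exit 1
cat > "$SAMPLE" <<'EOF'
# constructed sample in accept_mac_file format
00:11:22:33:44:55
AA-BB-CC-DD-EE-FF   2      # trailing vlan id, as hostapd allows
not-a-mac
EOF
acl_commands "${IFACE:-wlan0}" "$SAMPLE"
rm -f "$SAMPLE"
```

Running it prints the `mac:flush`, `mac:add` and `mac:allow` lines for `wlan0` (override with `IFACE=wlan1`), with `not-a-mac` reported on stderr and dropped. Whether the same `mac:` tokens can simply be appended to `ifconfig_wlan0` in rc.conf, as patpro asks, is not settled on this page; the script sidesteps that question by producing commands that can be run from any startup hook once the interface is up.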

