# Layer 2 filtering



## Pushrod (Feb 12, 2009)

Is there a way to block a certain MAC address on a network, or otherwise control it, as you would with an IP?

```
deny from 00:00:AB:CD to mybox port 80
```

...that kind of thing. I use PF but a separate thing wouldn't bother me if need be.


----------



## vivek (Feb 13, 2009)

Yes, with transparent firewalling PF can be made to filter based on the source or destination MAC address. See
http://www.openbsd.org/faq/pf/tagging.html


----------



## Pushrod (Feb 14, 2009)

In order to do that, do I need to configure the machine as a bridge?

The machine is a router in my home; I want to be able to block certain MAC addresses from connecting to it, not unlike blocking a specific IP. I am not looking to bridge the inside and outside networks.


----------



## danger@ (Feb 15, 2009)

I think there is some ongoing work to support layer 2 filtering in ipfw. I'm not sure about its state though.


----------



## mgp (Feb 15, 2009)

Hi,
ipfw supports layer 2 filtering. The keyword is "layer2".

Check ipfw(8):


```
layer2       Matches only layer2 packets, i.e., those passed to ipfw from
             ether_demux() and ether_output_frame().
```


```
net.link.ether.ipfw: 0
             Controls whether layer-2 packets are passed to ipfw.  Default is
             no.

net.link.bridge.ipfw: 0
             Controls whether bridged packets are passed to ipfw.  Default is
             no.
```

good luck
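
A worked example of what that keyword and sysctl give you on a FreeBSD router, added here and not part of mgp's post or of ipfw itself: a small sh script that emits (and optionally applies) ipfw rules dropping frames from one source MAC at layer 2. The interface name em0 and the MAC 00:11:22:33:44:55 are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): drop frames from one source MAC with
# ipfw's layer-2 filtering. Assumes the LAN interface is em0; the MAC
# 00:11:22:33:44:55 is a constructed placeholder for the offending host.

hexpair='[0-9a-fA-F][0-9a-fA-F]'

# Print the ipfw rule lines that block bad_mac arriving on lan_if.
# ipfw writes MAC addresses destination-first ("MAC dst-mac src-mac"),
# so the source MAC goes in the second field. "in via" restricts the
# match to frames entering on lan_if, and "layer2" restricts it to the
# pass where ipfw sees the frame as an Ethernet frame.
layer2_block_rules() {
    bad_mac=$1
    lan_if=$2
    case "$bad_mac" in
        $hexpair:$hexpair:$hexpair:$hexpair:$hexpair:$hexpair) ;;
        *) echo "layer2_block_rules: malformed MAC '$bad_mac'" >&2; return 1 ;;
    esac
    # Once net.link.ether.ipfw=1, a packet is handed to ipfw at layer 2 and
    # again at layer 3. Rules without the "layer2" keyword match on both
    # passes, so the layer-2 section ends with an explicit allow: the
    # existing layer-3 rules below it then see each packet only once.
    # Use rule numbers lower than your existing ruleset.
    cat <<EOF
add 100 deny ip from any to any MAC any ${bad_mac} in via ${lan_if} layer2
add 110 allow all from any to any layer2
EOF
}

# Enable layer-2 handoff (the sysctl defaults to 0) and load the rules.
apply_layer2_block() {
    sysctl net.link.ether.ipfw=1 || return 1
    layer2_block_rules "$1" "$2" | while read -r rule; do
        # $rule is intentionally unquoted: ipfw needs the words separately.
        ipfw -q $rule || exit 1
    done
}

# Only touch the live firewall when explicitly asked:
#   sh l2block.sh --apply 00:11:22:33:44:55 em0
if [ "${1:-}" = "--apply" ]; then
    apply_layer2_block "${2:-00:11:22:33:44:55}" "${3:-em0}"
fi
```

Running the script without `--apply` does nothing; `layer2_block_rules MAC IFACE` alone prints the rules so you can review them before loading.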


----------



## kamikaze (Feb 17, 2009)

To change a MAC address is so easy. Even on Windows 95 this was easily done by an inexperienced user (I'm talking about myself, consider that back then I was barely a teenager).

So I wonder why you'd want to use MAC-based filtering. On layer 3 you can be certain that certain IPs come from a certain network and treat them accordingly.


----------



## hydra (Feb 17, 2009)

I was just about to ask the same thing as kamikaze...


----------



## honk (Feb 17, 2009)

I think as an additional(!) measure (filtering based on the ip && mac) in a home setup it could be useful. Just to confuse unmotivated attackers in the neighborhood. But not as the first thing in securing your own systems. Another idea could be filtering incoming traffic based on the mac-address of the upstream router (allowing only them) when your external interface is on a shared ip-subnet and you can't control the upstream router. Or filtering out arp-requests from unknown (bad) mac-addresses to prevent others seeing your mac-address before they begin arp-spoofing... Maybe I'm writing bullshit at this time of day, never implemented filtering at layer-2 excessively, just writing down some ideas. So it would be a nice-to-have feature, but with such things you can confuse yourself too (much).

@Pushrod: You already considered using static arp to solve your problem?

cheers,
honk


----------



## Pushrod (Feb 18, 2009)

One major flaw I see in the OSS/nerd communities is always having to give a reason. Who cares why; I wanted to know if it can be done.


----------



## Mel_Flynn (Feb 18, 2009)

Pushrod said:

> One major flaw I see in the OSS/nerd communities is always having to give a reason. Who cares why; I wanted to know if it can be done.



And one thing you learn when helping people in the OSS/nerd community is that there are people who ask something complex to solve a simple problem, for which there is a simple solution.
These two obviously bite each other, and neither is a flaw, it's humanity.

For example, I had a similar issue on my wireless network. A machine was left on, attracted a virus and the owners were on vacation (legitimate user). Instead of blocking the MAC, I told the DHCP server to send default-router 127.0.0.1. The traffic stopped and didn't even hit the router's IP stack. I could also have told the DHCP server to issue a fixed IP and block that IP, if I was interested in monitoring.

Obviously, if you're fighting people that know their way around and don't use DHCP, this isn't gonna work.


----------



## gk (Mar 19, 2009)

I've worked on improving layer2 filtering capabilities in ipfw and pf during summer of code 2008. The code is now in the projects repository: http://svn.freebsd.org/viewvc/base/projects/l2filter/
and is going to be committed into the main repo.

Some examples can be found here: http://blogs.freebsdish.org/gleb/

Hope that helps you


----------

