Wednesday, July 22, 2009

OpenBSD MAC Filtering using a Bridge and Packet Tagging

A need came up for MAC address filtering on one of the networks I manage. The only way I know of filtering on MAC address is through the use of a bridge and pf packet tagging. At first I thought I would have setup a transparent bridging firewall in front of the gateway firewall; however, through the use of an additional network card and a bridge to nowhere I was able to accomplish this task.

Here is the setup:

Gateway firewall with three network cards
bge0 (external interface)
bge1 (internal interface)
re0 (monitor interface)

Standard gateway setup
echo 'inet NONE' > /etc/hostname.bge0
echo 'inet NONE' > /etc/hostname.bge1
echo ' ' > /etc/mygate

Then configure a bridge between the internal interface and the monitor interface. I added the bridge options to raise the default MAC address cache size from 100 to 300 and to load the bridge rules automatically from a file.
echo 'up' > /etc/hostname.re0
echo 'add bge1 add re0 maxaddr 300 rulefile /etc/brrules.conf up' > /etc/bridgename.bridge0

The bridge rule file serves only one purpose: to assign a certain tag to all packets from a list of selected MAC addresses. An example of the file can be found below. The tag applied to the packet stays with it even after it leaves the bridge and passes on to PF, which allows you to filter on it in your PF rules. The tag is internal to the system only and never travels over the wire. When using tagging on a bridge, only the interface that is connected at layer 2 to the MAC address you want to tag can assign it.

Then you can simply use the tagged keyword in your egress pf rules to filter out the non-authorized traffic. Please note that you will have to create special rules for the IPs of the firewall so that it can get out.

# DNS out
pass out quick log on $ext_if proto { tcp udp } to any port { 53 } tagged goodmac label "dns out" queue std_bis

# Firewall DNS Out
pass out quick log on $ext_if proto { tcp udp } from $fw to any port { 53 } label "dns fw" queue std_bis

For services that require redirect rules (FTP and Squid) you will need to place the tagged keyword before the redirect assignment.

# FTP Redirect
rdr on $int_if proto tcp from $intnwk to any port 21 tagged goodmac -> port 8021

# Squid Redirect
rdr on $int_if proto tcp from $squidies to any port { 80 8080 } tagged goodmac -> port 3128

Below are some helpful brconfig commands for managing the bridge. I had to manually start the bridge the first time after initial setup but not so after numerous reboots.

I know this won't prevent someone from spoofing a MAC address, but it will prevent the standard user from casually assigning a static IP on a non-authorized system. If anything, I now have a nice monitor port on the firewall for when the IT auditor shows up.

Load Rules File
$ sudo brconfig bridge0 rulefile /etc/brrules.conf

Flush Rules
$ sudo brconfig bridge0 flushrule bge1

View Loaded Rules
$ sudo brconfig bridge0 rules bge1

Add a New MAC into the Rules
$ sudo brconfig bridge0 rule pass in on bge1 src 00:13:72:3b:fc:f8 tag goodmac

Example of a Bridge Rule File
pass in on bge1 src 00:12:3f:76:96:dd tag goodmac
pass in on bge1 src 00:1e:2a:c2:ae:95 tag goodmac
pass in on bge1 src 00:19:d1:e5:af:f9 tag goodmac
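The rule file above is easy to get wrong by hand (a mistyped or mixed-case MAC produces a rule that simply never matches, so the host is silently blocked). As an added example that is not part of the original post, this script builds the same `pass in on bge1 src ... tag goodmac` lines from an allow-list, normalising separators and case and rejecting malformed addresses; the interface name, tag name and the allow-list contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate /etc/brrules.conf
# from an allow-list of "hostname mac" lines. Interface, tag and the
# sample allow-list below are assumptions.

INT_IF="bge1"
TAG="goodmac"

# Constructed sample allow-list; in practice read it from a file you keep
# alongside your host inventory. The last entry is deliberately malformed.
ALLOWLIST='
# host        mac
ws-finance    00:12:3F:76:96:DD
ws-lab        00:1e:2a:c2:ae:95
printer-2     00-19-d1-e5-af-f9
bogus-entry   00:19:d1:e5:af
'

# normalise_mac: accept ':' or '-' separators and any case; print the
# canonical lower-case colon form, or fail if the value is not a MAC.
normalise_mac() {
    m=$(printf '%s' "$1" | tr 'ABCDEF-' 'abcdef:')
    case "$m" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            printf '%s\n' "$m" ;;
        *) return 1 ;;
    esac
}

# gen_rules: emit one bridge(4) rule per valid allow-list entry, in the
# form the post uses; rejected lines go to stderr instead of vanishing.
gen_rules() {
    printf '%s\n' "$ALLOWLIST" | while read -r host mac rest; do
        case "$host" in ''|\#*) continue ;; esac
        if canon=$(normalise_mac "$mac"); then
            printf 'pass in on %s src %s tag %s\n' "$INT_IF" "$canon" "$TAG"
        else
            printf 'skipping %s: bad MAC "%s"\n' "$host" "$mac" >&2
        fi
    done
}

# count_rules: number of rules produced; compare it against the number of
# hosts you expect before loading the file with
#   sudo brconfig bridge0 rulefile /etc/brrules.conf
count_rules() { gen_rules 2>/dev/null | wc -l | tr -d ' '; }
```

Run `gen_rules > /etc/brrules.conf` to write the file, then load it with the brconfig command shown in the post and confirm with `brconfig bridge0 rules bge1`.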

Contents of /etc/bridgename.bridge0
add bge1 add re0 maxaddr 300 rulefile /etc/brrules.conf up

Display the Addresses Learned by the Bridge
$ sudo brconfig bridge0 addr

Manually Start the Bridge
$ sudo brconfig bridge0 up

Example of PF Rule Utilizing Tagging
pass out quick log on $ext_if proto tcp to any port 80 tagged goodmac label "Web Traffic"

PF: Packet Tagging


Friday, July 10, 2009

Windows 2003 Firewall Program Exceptions for DPM 2007 and Exchange 2007

When utilizing the Windows 2003 firewall to protect both Data Protection Manager 2007 and Exchange 2007, I found that you have to make a few Inbound Program Exceptions on the firewall.

Here are the group policy firewall entries I had to make under "Inbound Program Exceptions":

DPM Server's Policy:

C:\Program Files (x86)\Microsoft DPM SRT\FileStore.exe: FileStore.exe
C:\Program Files (x86)\Microsoft DPM SRT\rmtask.exe: rmtask.exe
C:\Program Files\Microsoft DPM\DPM\bin\DPMRA.exe: DPMRA.exe
C:\Program Files\Microsoft DPM\DPM\bin\msdpm.exe: msdpm.exe

Exchange Server's Policy:
C:\Program Files\Microsoft Data Protection Manager\DPM\bin\DPMRA.exe: Agent Exe
C:\Program Files\Microsoft\Exchange Server\bin\mad.exe: mad.exe
C:\Program Files\Microsoft\Exchange Server\bin\store.exe: store.exe

For the Exchange server, or any other server you're trying to protect with DPM, you will have to make the exception for the DPM agent. You will also need to enable the "Allow inbound file and printer sharing exception", since these services use those ports as well.

Due to the way Group Policy processes, you might have to reboot your Exchange server twice for the program exceptions to process correctly.

Tuesday, July 7, 2009

Using .NET System.Management through Vista Firewall

In order to use .NET System.Management namespace against a remote Vista system, I had to enable a few settings on the remote system firewall. I made these changes via AD group policy. Here are the settings:

On the firewall group policy, I created a new inbound rule using the wizard and selected the predefined Remote Administration set.

Enabled them for only my local subnet.

Then under the Network\Network Connections\Windows Firewall\Domain Profile settings of the group policy, enabled "Allow inbound remote administration exception". Then enabled that for only my local subnet.