-
Notifications
You must be signed in to change notification settings - Fork 759
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add an option to block private/random MAC addresses #8063
Comments
While FreeBSD has gained separate Ethernet based rules these days “pf” is still a layer 3 firewall and integration needs to be considered on a popular request basis. So your ticket is a start, yet we still have some time to go to see if this makes sense in the product given the work it will create for development and/or if this makes sense on a strategic project level. Cheers, |
Thanks for the fast answer ;-) Maybe it's possible to start with DHCP blocking those MAC addresses. It's possible to block all private MACs if adding a .conf-file in /usr/local/etc/dhcpd.opnsense.d with the following content:
But his goes to the global scope. Maybe it can be put in the network scope, so we can use per subnet/interface. And yes, I know ISC DHCP is deprecated, but maybe there's an option for KEA, too. This would help in IPv4 only environments and should not be a to large problem to implement, I hope ;-) |
This would be great to implement! |
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Is your feature request related to a problem? Please describe.
I want to block users from using private/random MAC addresses. Firewall aliases need 3 words of the MAC at minimum to match a partial MAC address. To block private MAC addresses we need only the first word of the MAC address to match.
Describe the solution you like
Allow MAC addresses with only the first word of the MAC address in MAC aliases or with DHCP
Describe alternatives you considered
There is an option to block private MACs on DHCP-level but that only works for ipv4 and only if one wants to block private MACs in all subnets. In pfsense and other products this is possibly at least on with the DHCPv4 Server. But it would make more sense to block traffic on firewall level as it should work with ipv4 and ipv6.
I know that filtering by MAC address is not secure but it would stop ordinary users from using private mac addresses. In a private/company network one wants to know which devices are connected.
The text was updated successfully, but these errors were encountered: