5.2.9. Physical Address Objects

Figure 5.40. The Physical Address Object

The Physical Address Object

The physical address object describes the hardware, or media, address of an interface. Currently only Ethernet MAC addresses are supported, but support for other kinds of physical addresses may be added in the future.

The physical address object can only be a child of an interface; it cannot exist as a stand-alone object. To create this kind of address object, right-click an interface object in the tree, then select Add MAC Address. Only one physical address object is allowed per interface; the program enforces this restriction. If you create a firewall or host object using SNMP discovery, all interfaces are automatically populated with their MAC addresses.

  • Name

    This is the name of the object. The field is populated automatically with a host:interface:addressType descriptive name when the object is created, but you can change it immediately or later. If you change the name, use something descriptive because when the address object is used in the firewall policy, it is labeled with this name. It may be hard to tell one address from another if their names are similar.

  • Address

    This is a string representation of the physical or media address. For many types of media, this will be in a binary representation. For example, an Ethernet address would be represented as a string of six octets.

  • Comment

    This is free-form text field for a comment. Using The Physical Address Object in Policy Rules

Only a few firewall platforms really support physical address filtering. Currently, Netfilter/iptables is the only firewall platform supported by Firewall Builder that can do physical address filtering.

As described in Section, if an interface object that has multiple child address objects is used in a rule element (either Source or Destination), then the policy compiler tries to generate a rule using all of them. Section explains that the compiler actually does this by generating multiple rules using each address in turn. This roughly corresponds to using the logical operation "OR" on the IP addresses: if our interface has two addresses, Address1 and Address2, then the generated rule matches if the address in the packet is either Address1 OR Address2. The case of a physical address is different, though. If the interface has a physical address, then the compiler builds a rule that has to match an IP address and the MAC address. The reason is to combat IP spoofing.

Suppose we have a very important host on the network. We create a host object, then add an interface to it. The interface should have both address and physical address objects as shown in Figure 5.41. The two child objects are visible in the tree under the Interface "eth0".

Figure 5.41. The Host Object with Address and Physical Address

The Host Object with Address and Physical Address


Note how MAC matching is checked in the host object dialog. This makes the compiler use the MAC addresses of the interfaces of this host.

Because this is a very important host, we would like to be sure that packets whose source IP is that of this host are really coming from it and are not spoofed. The best way to achieve this goal is to use strong authentication, for example, using the IPSec protocol. The use of IPSec is outside the scope of this document, since our goal here is to show that inspecting the MAC address of the packet can improve security.

Both a real packet originated from this host and a spoofed packet have a source IP address of the interface of this host, but the source MAC address is going to be different if spoofing is occurring. We can use this fact to catch and drop spoofed packets. Here are three possible ways to build security policy for this situation:

  • Using only address object in the rule element. This means the firewall inspects only IP address and ignores the MAC address of the packets.

    Figure 5.42. Policy Rule Using Only Address Object

    Policy Rule Using Only Address Object

    Firewall Builder generates the following simple iptables command for this rule:

    $IPTABLES -A FORWARD  -s  -m state --state NEW  -j ACCEPT 
  • Using only a physical Address object. A rule built this way permits all kinds of traffic coming from the trusted host even if its IP address changes.

    Figure 5.43. Policy Rule Using Only a Physical Address Object

    Policy Rule Using Only a Physical Address Object

    For this rule, the following iptables command is generated:

    $IPTABLES -A FORWARD  -m mac --mac-source 00:1D:09:8B:8E:94 -m state --state NEW \
    -j ACCEPT 
  • Using a host or interface object. This way we end up with a rule that matches on a combination of the IP address and MAC address. This may be used as a sophisticated anti-spoofing rule.

    Figure 5.44. Policy Rule Using a Host Object

    Policy Rule Using a Host Object

    Figure 5.45. Policy Rule Using an Interface Object

    Policy Rule Using an Interface Object

    For this rule, the following iptables command is generated:

    $IPTABLES -A FORWARD  -m mac --mac-source 00:1D:09:8B:8E:94 -s  -m state \
    --state NEW  -j ACCEPT 

Using address and physical address objects in a rule is not the same as using the host or interface object to which these address and physical address belong. Here is what happens if we put objects representing IP address and MAC address in the rule:

Figure 5.46. Policy Rule Using Address and Physical Address Objects

Policy Rule Using Address and Physical Address Objects

For this rule, the following iptables commands are generated:

$IPTABLES -A FORWARD  -s  -m state --state NEW  -j ACCEPT 
$IPTABLES -A FORWARD  -m mac --mac-source 00:1D:09:8B:8E:94 -m state --state NEW \

As described in Section, using an multiple objects in the rule element is like bundling them together using logical operation OR. If we were to put address and physical address in the rule as in Figure 5.46, we would end up with a policy matching packets that have the source address or MAC address 00:1D:09:8B:8E:94, but not necessarily both at the same time. Any host that manages to pretend to have the IP address would be able to send packets through our firewall even if its MAC address is different. To achieve our goal and make sure packets with the source really belong to our important host, we should be checking its IP address and MAC address at the same time and let a packet through only if its IP address AND MAC address are what we expect them to be. That is why Firewall Builder treats physical addresses differently and generates firewall code that inspects both IP address and physical address.

Firewall Builder generates firewall code to inspect MAC address only for host objects with the option MAC address filtering turned on. If this option is off, the physical address object is ignored even if it is present in the host object's interface. This is because host objects created using the Network Discovery Druid ( Section 6.2 ) are often populated with both IP address and MAC address information (available through SNMP query), but inspection of MAC addresses is rarely needed. Use the MAC address filtering option in the host object to specify that you want the MAC address to be verified for the host.


The target firewall imposes certain restrictions on rules matching the MAC address. For example, only source MAC addresses can be matched. Firewall Builder is aware of these restrictions, and the policy compiler issues an error if a physical address object is used in a rule that would lead to an impossible iptables command.


Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
 Using free CSS Templates.