How to create a List of Allowed MAC Addresses in Firewall

Hi All,

I’m hoping to recreate a function in IPFire that is available on some router software.

Q. Is there a way to create a List of ‘Allowed MAC Addresses’ in the IPFire Firewall, so that the Firewall automatically ‘Blocks All Connections’ for every other MAC Address that is Not included in the Allowed List?

Thanks,

Nanoh

Create a host group, after defining your allowed hosts by MAC.
Define FW rules:

  • allow host group
  • deny all
2 Likes

Thanks for the reply.

Unfortunately, I don’t understand how this is implemented in IPFire. I’ve reviewed the documentation and generally understand networking; however, I still don’t get this for IPFire.

Here’s what I’m trying to do:

Let’s say I have the following 4 devices with MAC addresses as follows:

a1:xx:xx:xx:xx:xx iPad
a2:xx:xx:xx:xx:xx iPhone
a3:xx:xx:xx:xx:xx NASarray
a4:xx:xx:xx:xx:xx Win11PC

I’d like to allow a1, a2, and a3 to be allocated an IP address on the GREEN network, i.e. the LAN side, and they can see each other on the LAN.

I’d like to allow a1, and a2, to connect to the RED network to obtain access to the Internet.

I want to block a3 from connecting to the RED network, so it can’t obtain access to the Internet, i.e. the WAN side.

I’d like to block a4 from getting any connection to the GREEN network at all, so it is fully rejected from connecting to the LAN.

So, the MACs for a1, a2, and a3 are in an ‘Allowed List’, and every other possible MAC address is rejected from connecting to the GREEN LAN.

Then the MACs a1, and a2, are permitted Internet access, but a3 is not.

I also want to fully Block all WAN side traffic from being able to establish a connection from the WAN side. Effectively, the IPFire firewall DROPS everything coming from the Internet and appears to be in ‘Stealth mode’ using GRC.com ShieldsUp terminology.

I also don’t understand the ordering of the Rules in IPFire and which rule takes precedence.

Thanks,

Nanoh

That is not possible if they are in the same zone.
Have you thought about a red, green, blue configuration?
Put a1, a2, a3 on blue. Take advantage of the built-in MAC filter.
a4 in green: add a rule to block access to green and red.
a4 in Orange might be better. Block access to red.
Could change the default firewall policy to block.

I suppose a1 and a2 are wireless devices. Why are they in GREEN, the wired network?

Normal behaviour for GREEN ( and BLUE ) in IPFire.

Firewall rule ( source:MAC, destination: network:red, deny ), best at position 1.

To get an IP, a4 must connect to GREEN, supposing you have a green-red configuration.

Connection establishment from WAN is denied in IPFire by default.

The rules are just evaluated in the sequence displayed by the firewall WUI page.

BTW: Reading the docs ( wiki.ipfire.org ) helps, especially in the beginning of IPFire usage. :wink:

1 Like
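As an added illustration, not code from the thread or from IPFire itself, the following models the first-match ordering described above together with the "allow host group, then deny all" pattern from the earlier reply, with the MAC-based deny for a3 at position 1. The MAC addresses are constructed stand-ins for a1..a4, and the zone names and ACCEPT/DROP actions are assumptions modelling the WUI rules, not IPFire's real rule engine.

```python
"""First-match evaluation of a MAC-based allow list (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed MACs standing in for the thread's a1..a4 devices.
HOSTS = {
    "iPad":     "a1:00:00:00:00:01",
    "iPhone":   "a2:00:00:00:00:02",
    "NASarray": "a3:00:00:00:00:03",
    "Win11PC":  "a4:00:00:00:00:04",
}

@dataclass(frozen=True)
class Rule:
    src_macs: Optional[frozenset]  # None = any source
    dst_zone: Optional[str]        # None = any destination zone
    action: str                    # "ACCEPT" or "DROP"

    def matches(self, src_mac: str, dst_zone: str) -> bool:
        return ((self.src_macs is None or src_mac.lower() in self.src_macs)
                and (self.dst_zone is None or self.dst_zone == dst_zone))

def evaluate(rules, src_mac: str, dst_zone: str, default: str = "DROP") -> str:
    """Rules are checked top to bottom; the first match decides, else the default policy."""
    for rule in rules:
        if rule.matches(src_mac, dst_zone):
            return rule.action
    return default

def mac_group(*names: str) -> frozenset:
    return frozenset(HOSTS[n].lower() for n in names)

# Rule set built from the thread's advice. Note: a source-MAC match only sees
# frames from hosts on the firewall's own segment, and a host can change its MAC.
RULES = [
    Rule(mac_group("NASarray"), "red", "DROP"),                        # position 1
    Rule(mac_group("iPad", "iPhone", "NASarray"), "green", "ACCEPT"),  # allow host group
    Rule(mac_group("iPad", "iPhone"), "red", "ACCEPT"),
    Rule(None, None, "DROP"),                                          # deny all
]

def decisions(rules=RULES) -> dict:
    """Decision for every device against the GREEN and RED zones."""
    return {(n, z): evaluate(rules, m, z) for n, m in HOSTS.items() for z in ("green", "red")}

if __name__ == "__main__":
    for (name, zone), action in decisions().items():
        print(f"{name:8} -> {zone:5}: {action}")
    # Same rules with "deny all" moved to the top: every connection is dropped.
    print(set(decisions([RULES[-1]] + RULES[:-1]).values()))
```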

Thanks for the reply.
Using the network colors for logical separation/isolation is a good way to go. Thanks.

1 Like

Thanks for the reply

OK, it makes sense that a4 must connect to GREEN. I just need to figure out how to effectively put a4 into what amounts to ‘Solitary Confinement’, so it cannot see or do literally anything on the GREEN network, or RED network, or BLUE network, even though it has been assigned a valid IP.

I’d prefer to not even give a4 an IP, but that does not sound like an option.

In relation to the documentation, imho, the detailed text explanations on the firewall setups are OK. Edit: and I clearly have a lot more to read and understand with IPFire.

Thanks again.

You can put a4 in the Orange DMZ.
Fixed IP, no gateway IP. Or block orange to red with a firewall rule.

2 Likes

If you have a finely graded list of what is and is not allowed, and there are always more clients that you want to keep out than ones you want to let in, then it might be better to block everything and set permissions. At first glance, this sounds like a lot of work, but it makes maintenance a lot easier.

2 Likes