Just a thought about MAC ACL

MAC Access Control List for Admin login and for green network

I know that can be realized by firewall rules and port … I’m experimenting with that in the next days.
It is just a thought, in case anyone has had the same idea and is working on a solution.

  • For a more secure administration access: adding an enable option to a MAC list of who is allowed to access the IPFire UI or UI port via green and blue, from the local network or over the VPN network.
    Distant suspicion, it is a way to harden access, not nearly the idea of 2FA … but once by the right MAC that matches the list and the other by PWD.
    Anyway, maybe in future the web interface will allow a two-level password authentication, or a two-password login, or sending a mail with an access code.

  • For eth green, as it is for eth blue under (Firewall / Blue Access “Devices on BLUE”), where we can give access to devices by MAC address.
    I recognized my foxy child using the eth green network secretly over a cable, after the blue use time window had expired at 22:00h.
    Now the MACs are in the time list for green too. But!
    The other matter I found is the auto MAC address generator that the device owns … Therefore it makes sense to have a MAC allow list for green access too.

BR
Trash
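
The "firewall rules and port" route mentioned in the post above can be sketched as follows. This is an added example, not part of the original post and not IPFire's own code: it turns a MAC allow list into iptables rules for the web UI port and flags locally administered (typically auto-generated) addresses. The port 444, the interface name green0, the CUSTOMINPUT chain and the sample MACs are assumptions.

```shell
# Added example: prints (does not apply) iptables rules for a MAC allow list.
# Assumptions: web UI on tcp/444, GREEN is green0, rules go in CUSTOMINPUT.
WUI_PORT=444
GREEN_IF=green0
CHAIN=CUSTOMINPUT

# True if $1 is six colon-separated hex octets.
is_valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# True if the locally administered bit (0x02 of the first octet) is set,
# which is how randomized "private" MAC addresses are marked.
is_random_mac() {
    case "$1" in ?[26AaEe37BbFf]:*) return 0 ;; *) return 1 ;; esac
}

# Reads one MAC per line on stdin (blank lines and #-comments are skipped),
# prints iptables commands on stdout and warnings on stderr.
emit_rules() {
    while IFS= read -r line; do
        mac=$(printf '%s' "$line" | sed 's/#.*//' | tr -d ' \t')
        if [ -z "$mac" ]; then continue; fi
        if ! is_valid_mac "$mac"; then
            echo "skip: invalid MAC '$mac'" >&2
            continue
        fi
        if is_random_mac "$mac"; then
            echo "warn: $mac is locally administered, may change per network" >&2
        fi
        echo "iptables -A $CHAIN -i $GREEN_IF -p tcp --dport $WUI_PORT -m mac --mac-source $mac -j ACCEPT"
    done
    # Any other device on GREEN is refused on the UI port.
    echo "iptables -A $CHAIN -i $GREEN_IF -p tcp --dport $WUI_PORT -j DROP"
}

# Constructed sample list, not real devices.
sample_list() {
cat <<'EOF'
# admin laptop
00:11:22:33:44:55
DA:A1:19:00:00:01   # phone using a private address
not-a-mac
EOF
}

sample_list | emit_rules
```

The MAC address is a value the client supplies, so a rule like this narrows who can reach the login page but does not replace the password check.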

That is not an easy thing to do as the login is done via an Apache VirtualHost definition.

I don’t know if it is being considered or not for IPFire3.x but I can’t imagine it will be done for IPFire 2.x because a pretty significant code re-write would be needed.

The existing Virtual Host definition is in the following link in the IPFire git repository:-
https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/httpd/vhosts.d/ipfire-interface-ssl.conf;hb=9797af30061946db16ab7bbca1635865d9318336

On IPFire the location of the virtualhosts is

/etc/httpd/conf/vhosts.d/

@bonnietwin
Many thanks for the info.
And many thanks for the “Domain Name suffix” correction in the wiki.

BR
Trash
