



                            SafeFire Firewall

                               Version 1.2

              Copyright (C) 1999-2004 Link Guard Solutions Ltd.

                    MAC PACKET FILTER GUIDE AND REFERENCE



Contents

    1. Introduction
    2. General concepts
    3. Packet filter configuration
    4. Rule definition syntax



1. Introduction

    This document describes the MAC Packet Filter feature of SafeFire Firewall.

    The short introduction to the Ethernet protocol presented below should be
    considered a starting point; further reading of more complete sources is
    highly recommended.

    TCP/IP packets are transferred through the physical network by some
    link-level protocol. One of these protocols is Ethernet (RFC 894).
    As with TCP/IP, information transferred over Ethernet is presented in the
    form of frames (packets). The format of the frame is:

     +---------------------+----------------+------+------------------+-----+
     | Destination address | Source address | Type |      Data        | CRC |
     +---------------------+----------------+------+------------------+-----+
            6 bytes            6 bytes      2 bytes  46 - 1500 bytes  4 bytes

    Source and destination addresses are the so-called hardware or MAC addresses,
    6 bytes long. They must be unique for each Ethernet device and are generally
    assigned by the manufacturer of the networking device, but can be changed by
    the user. Usually an Ethernet network is divided into several segments; the
    MAC addresses of an Ethernet frame are valid within one segment, and when
    the frame is delivered to another segment its MAC addresses are changed by
    the switch connecting these segments. It is very important to remember this
    when you create a rule for the MAC filter. You can find the MAC address of
    your network card in the 'physical address' field of the netstat -n output.

    Type is a two-byte field that determines the structure and the size of the
    Data within the frame. The common Ethernet frame types are: 0x0800 - IP
    datagram, 0x0806 - ARP (28 bytes long + 18 pad bytes), 0x0835 - RARP
    (28 bytes long + 18 pad bytes). The ARP protocol is intended for finding
    out the correspondence between IP and MAC addresses, and it is often used
    to intercept traffic by substituting a wrong MAC address for some IP
    address. To see the current MAC-to-IP mappings on your OS/2 box, use the
    arp -a command.

    Refer to a TCP/IP book, such as W. Richard Stevens' TCP/IP Illustrated,
    Vol. 1, for further information.
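    As an added example (not code from SafeFire or Link Guard Solutions), the
    Python snippet below pulls the fields the MAC filter matches on out of a raw
    frame laid out as above and, for ARP, checks that the Ethernet header MACs
    agree with the addresses carried inside the ARP body; a mismatch is what a
    forged ARP reply of the kind mentioned above typically looks like, and it is
    also the comparison the req_match flag in section 4 asks for, as this example
    interprets it. The helper names and the constructed frames are this
    example's own assumptions; RARP is left out.

```python
import struct

ETH_IP, ETH_ARP = 0x0800, 0x0806          # EtherType values from the frame format above

def mac_str(b):
    return ":".join(f"{x:02X}" for x in b)   # AA:BB:CC:DD:EE:FF, as the rule syntax writes it

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_frame(frame):
    """Extract dst/src MAC, EtherType and, for ARP/IP, the addresses a rule can match."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": mac_str(frame[:6]), "src_mac": mac_str(frame[6:12]),
            "type": etype, "len": len(frame)}
    body = frame[14:]
    if etype == ETH_ARP and len(body) >= 28:
        # ARP body: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
        # oper 1 = request, 2 = reply, i.e. the "opt 1" / "opt 2" values of the rule syntax
        info.update(proto="arp", opt=struct.unpack("!H", body[6:8])[0],
                    arp_sha=mac_str(body[8:14]), src_ip=ip_str(body[14:18]),
                    arp_tha=mac_str(body[18:24]), dst_ip=ip_str(body[24:28]))
    elif etype == ETH_IP and len(body) >= 20:
        info.update(proto="ip", src_ip=ip_str(body[12:16]), dst_ip=ip_str(body[16:20]))
    else:
        info["proto"] = "other"
    return info

def req_match(info):
    """Assumed reading of req_match: the Ethernet source MAC must equal the ARP sender
    hardware address and, for a reply (opt 2), the Ethernet destination MAC must equal
    the ARP target hardware address. Non-ARP frames trivially pass."""
    if info.get("proto") != "arp":
        return True
    ok = info["src_mac"] == info["arp_sha"]
    if info["opt"] == 2:
        ok = ok and info["dst_mac"] == info["arp_tha"]
    return ok

def build_arp(src_mac, dst_mac, oper, sha, spa, tha, tpa):
    """Constructed test frame: 14-byte Ethernet header + 28-byte ARP body (no pad, no CRC)."""
    return (dst_mac + src_mac + struct.pack("!H", ETH_ARP)
            + struct.pack("!HHBBH", 1, ETH_IP, 6, 4, oper)
            + sha + bytes(map(int, spa.split("."))) + tha + bytes(map(int, tpa.split("."))))
```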

2. General Concepts

    The MAC packet filter is an addition to the Packet Filter facility for
    protecting a network from illegal access. This filter is valid only within
    the current LAN segment and can be used to prevent ARP attacks and IP
    address substitution.

    The main idea of the MAC packet filter is quite simple. Each packet going
    through the MAC packet filter carries some specific information in its
    header. The MAC packet filter compares this information with so-called
    'rules' contained in a special database. Each rule specifies a set of
    matching parameters and declares an action (permit or deny). When an
    exact match is found the declared action is performed.

    The set of matching parameters can include:

        Source MAC and IP addresses
        Destination MAC and IP addresses
        Protocol type: [R]ARP, IP, ALL (which means all packets)
        Direction (incoming, outgoing or both)
        Special options (flags) for ARP packets

    One can also use external plugins to filter packets. In this case the
    SafeFire Firewall won't analyze these parameters and will just call the
    appropriate plugin function to determine whether to pass or drop the
    packet. For more details about external plugins, see the External Plugins
    Guide And Reference book.


3. MAC packet filter configuration

    The MAC Packet Filter is configured independently through the
    appropriate section of the configuration file.
    Please refer to the Configuration Guide And Reference
    for details about other configuration parameters.

    The MAC packet filter configuration is based on the fact that
    by default the packet filter rejects all packets.

    So, to enable a particular service to pass the firewall,
    it should match some rule with an 'allow' policy.

    If there is no such rule, the packet will be rejected.

    Each rule is one of the following types:

    I)
    allow   -+
    accept  -+
    permit  -+- allow packet matching rule

    II)
    reject  -+
    deny    -+
    drop    -+- drop packet matching rule

    III)
    count   --- do nothing with packet and search other matching rule

    IV)
    pipe <n> -- allow packet and send it via shaper pipe number <n>

    V)
    plugin <n> - pass the packet to external plugin

    VI)
    skipto <n> - go to rule number <n>

    Plugin rules MUST NOT contain any other parameters besides the plugin
    number.

    Each rule has statistics associated with it. These statistics
    include:

        1. the number of packets that matched the rule
        2. the total size in bytes of the matching packets

    Every time a packet matches the rule, the rule statistics are updated.

    Each rule has a number which is an identifier for add/remove
    operations. The order in which a packet is checked against the rules
    is also defined by this number: the rule with the smaller number is
    checked first. You can assign numbers manually or let the system
    assign numbers automatically.

    If you do not assign numbers manually, all rules are numbered in the
    order in which they are defined in the configuration file or otherwise
    added.



4. Rule definition syntax

    Each rule has the following syntax:

        [<number>] action [log] [protocol] [src] [dst] [direction] [extra]

    where

        [<number>]
            optional rule number


        action

            allow   -+
            accept  -+
            permit  -+- allow packet matching rule

            deny    -+
            reject  -+
            drop    -+- drop packet matching rule

            count   --- do nothing with packet and search other matching rule

            pipe <n> -- allow packet and send it via shaper pipe number <n>

            plugin <n> - pass the packet to external plugin number <n>.
                         When this action is specified there must be no other
                         parameters after the plugin number <n>.

            skipto <n> - go to rule number <n>

        [log]
            optional flag that tells the packet filter to print some
            information about the matching packet to the SYSLOG facility.


        protocol

            all    --- match all types of protocols

            arp    --- match [R]ARP packets only

            ip     --- match IP packets only

            protocol
            number --- match packets with the specified protocol number


        source        information about the origin of the packet
        destination   information about the destination of the packet

            source and destination clauses use similar syntax:

                keyword [!]macaddrdef[=[!]ipaddrdef] [req_match]

            where

                keyword

                    from --- source clause
                    to   --- destination clause


                [!]
                        optional flag that reverses the meaning of the address,
                        i.e. the rule is applied if the packet's origin does NOT
                        fall within the address specified in this rule


                macaddrdef
                    defines the MAC address of the packet

                    macaddrdef has the following syntax:

                        {any|mac address}

                    where

                        any     --- packet can have any origin

                        mac address --- packet can only have the specified
                                        MAC address as its origin, written in
                                        the form AA:BB:CC:DD:EE:FF

                    [=]
                        optional token that requires the IP address inside the
                        packet to match the IP address definition that follows.

                    ipaddrdef
                    defines the IP address of the packet

                    ipaddrdef has the following syntax:

                        {any|ip|myip}

                        any     --- any IP address

                        ip      --- an IP address written in the usual
                                    dot-delimited form

                        myip    --- the IP address of the interface on which
                                    SafeFire Firewall is running

                [req_match]
                        optional flag that requires the MAC addresses in the
                        packet header to match the MAC addresses from the [R]ARP
                        packet, if the packet being analyzed contains an [R]ARP
                        packet

                direction

                    direction is one of the following:

                        in       --- match only incoming packets

                        out      --- match only outgoing packets

                        bidi     --- match incoming and outgoing packets

                extra

                    extra is one of the following:

                        opt opt_number
                                 --- match packets with this abstract option.
                                     Currently opt 1 is recognized, which
                                     means [R]ARP request, and opt 2, which
                                     means [R]ARP response, for [R]ARP packets.
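    As an added example (not SafeFire's own parser or matching engine), the
    Python snippet below reads rules written in the syntax above and walks a
    packet through them the way section 3 describes: rules are tried in number
    order, 'count' only records the hit and keeps searching, 'skipto <n>' jumps
    forward to the first rule numbered n or higher, the first allow/deny/pipe
    hit decides, and a packet that matches nothing falls to the default deny.
    The packet is a plain dict (keys proto, dir, opt, len, src_mac, dst_mac,
    src_ip, dst_ip) and the firewall's own address is passed in as myip; the
    req_match and plugin forms and numeric protocol numbers are not modelled.

```python
def parse_clause(spec):   # [!]macaddrdef[=[!]ipaddrdef]; each '!' inverts the test it precedes
    mac, _, ip = spec.lower().partition("=")
    return {"mac": mac.lstrip("!"), "mac_neg": mac.startswith("!"),
            "ip": ip.lstrip("!") or None, "ip_neg": ip.startswith("!")}

def parse_rule(line, auto_number):
    """[<number>] action [log] [protocol] [from ...] [to ...] [direction] [opt n]"""
    tok = line.split()
    r = {"number": int(tok.pop(0)) if tok[0].isdigit() else auto_number, "log": False,
         "proto": "all", "from": None, "to": None, "dir": "bidi", "opt": None,
         "packets": 0, "bytes": 0}
    act = tok.pop(0).lower()                  # synonyms collapse to allow/deny
    r["action"] = {"accept": "allow", "permit": "allow", "reject": "deny", "drop": "deny"}.get(act, act)
    if r["action"] in ("pipe", "skipto"):
        r["arg"] = int(tok.pop(0))
    while tok:
        t = tok.pop(0).lower()
        if t == "log": r["log"] = True
        elif t in ("all", "arp", "ip"): r["proto"] = t
        elif t in ("from", "to"): r[t] = parse_clause(tok.pop(0))
        elif t in ("in", "out", "bidi"): r["dir"] = t
        elif t == "opt": r["opt"] = int(tok.pop(0))
        else: raise ValueError(f"unexpected token {t!r}")   # req_match, plugin: not modelled
    return r

def clause_ok(c, mac, ip, myip):
    if c is None:
        return True
    want = myip if c["ip"] == "myip" else c["ip"]
    return ((c["mac"] in ("any", mac.lower())) != c["mac_neg"]
            and (want is None or (want in ("any", ip)) != c["ip_neg"]))

def matches(r, p, myip):
    return (r["proto"] in ("all", p["proto"]) and r["dir"] in ("bidi", p["dir"])
            and (r["opt"] is None or r["opt"] == p.get("opt"))
            and clause_ok(r["from"], p["src_mac"], p.get("src_ip"), myip)
            and clause_ok(r["to"], p["dst_mac"], p.get("dst_ip"), myip))

def evaluate(rules, p, myip):
    """Walk rules in number order; first allow/deny/pipe hit decides, no hit is deny."""
    rules, i = sorted(rules, key=lambda r: r["number"]), 0
    while i < len(rules):
        r = rules[i]
        if matches(r, p, myip):
            r["packets"], r["bytes"] = r["packets"] + 1, r["bytes"] + p["len"]
            if r["action"] == "skipto":   # jump forward to the first rule numbered >= n
                i = next((j for j, x in enumerate(rules) if x["number"] >= r["arg"]), len(rules))
                continue
            if r["action"] != "count":    # count only records the hit and keeps searching
                return r["action"]
        i += 1
    return "deny"
```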

EOF

