Variable in Block MAC Address

RSHARM · April 14, 2023, 8:19am

To block Specific OUI
use wildcard character for Mac Address allow list ?
Example - Allow all except - F8:10:93:::**
for example A3:2X:BC where X can be anything
A3:Y4:E2 where Y can be e,2,A,c

lleachii · April 14, 2023, 9:03pm

On wireless?
On firewall?
Etc.?

jow · April 15, 2023, 7:23am

Neither iptables or nftables (firewall), nor hostapd (wireless mac lists) support wildcard matching, which makes this feature request unimplementable.

nvladimirov · April 19, 2023, 1:58pm

Did you try with arptables? Or the idea is to have it in the web interface?

This is from the man page:

-z, --source-hw [!] hwaddr[mask]
Specify the source hardware (MAC) address of the packet. hwaddr (and mask, if specified) must consist of one or more 8-bit hexidecimal numbers, separated by ':' characters. If the mask is not specified, it defaults to a number of 0xff octets equal to the length of the hwaddr specified, then 0s. The flags --source-mac , --src-hw , and --src-mac are aliases for this option.

The same is applicable to arptables-nft as well.

JustAnotherEndUser · May 29, 2023, 5:08pm

nvladimirov's reply above looks very promising.

Since you specifically mentioned blocking by OUI though, are you are looking for a NAC type solution such as what Cisco / ISE offers? ( ability to profile based on OUI and categorize as "Nortel Device, etc. ). If you are looking actually looking for a NAC-type solution PacketFence is a free / open source option you could integrate on a separate system.

If all you want do is block a a few OUI ranges though, maybe another option would be to request this as an enhancement to the existing BanIP package. BanIP (maintained by @dibdot ) is already designed to block ranges of IPs and has ability to block a manual list of specific MAC addresses. Perhaps it could be modified to use MAC ranges also.
For more info:

github.com

openwrt/packages/blob/master/net/banip/files/README.md

<!-- markdownlint-disable -->

# banIP - ban incoming and outgoing IP addresses/subnets via Sets in nftables

## Description
IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IPs that make too many password failures, e.g. via ssh.  

## Main Features
* banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).  
  **Please note:** By default every feed blocks all supported chains. The columns "WAN-INP", "WAN-FWD" and "LAN-FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to the LAN forward chain - see the config options 'ban\_blockpolicy', 'ban\_blockinput', 'ban\_blockforwardwan' and 'ban\_blockforwardlan' below.  

| Feed                | Focus                          | WAN-INP | WAN-FWD | LAN-FWD | Information                                                   |
| :------------------ | :----------------------------- | :-----: | :-----: | :-----: | :-----------------------------------------------------------  |
| adaway              | adaway IPs                     |         |         |    x    | [Link](https://github.com/dibdot/banIP-IP-blocklists)         |
| adguard             | adguard IPs                    |         |         |    x    | [Link](https://github.com/dibdot/banIP-IP-blocklists)         |
| adguardtrackers     | adguardtracker IPs             |         |         |    x    | [Link](https://github.com/dibdot/banIP-IP-blocklists)         |
| antipopads          | antipopads IPs                 |         |         |    x    | [Link](https://github.com/dibdot/banIP-IP-blocklists)         |
| asn                 | ASN IPs                        |         |         |    x    | [Link](https://asn.ipinfo.app)                                |
| backscatterer       | backscatterer IPs              |    x    |    x    |         | [Link](https://www.uceprotect.net/en/index.php)               |
| bogon               | bogon prefixes                 |    x    |    x    |         | [Link](https://team-cymru.com)                                |

This file has been truncated. show original

professor_jonny · June 10, 2023, 11:08am

Hi I can understand your use case as it would be handy.
I was trying to redirect/ block devices that use random MAC addresses conforming to RFC7042 by the IEFT.

There is other use cased for wildcard mac addresses listed in standards.

wild card on 48bit mac identifiers to a single word match could mean a list with 2⁴⁴ of a total list of 2⁴⁸ entries in reality.
ipset for example needs to match only from current hosts attached to the interface creating a file full of mac addresses is unrealistic.

I have tried to put in a request at the netfilter site for ipset but registrations are blocked and I have had no reply to registration.

dibdot · June 12, 2023, 4:55pm

That should be doable...stay tuned.

Edit: banIP-0.8.8 now supports MAC-ranges

professor_jonny · June 12, 2023, 8:01pm

I don't know if someone can request this of the netfilter people, I have tried.
OUI and Random mac address filtering sounds like a good idea.
With concerns of hardware with embeded spy capibilities it would be a great option to block such devices.

lleachii · June 12, 2023, 8:37pm

The spy device could simply use another MAC.

Random blocking?

professor_jonny · June 13, 2023, 12:49am

Modern devices that connect to wifi can display their hardware MAC address or use Random mac addresses to reduce a privacy risk's and tracking of clients, this is actually standardized so one can detect them based on their MAC address bits in the prefix.

Random MAC

lleachii · June 13, 2023, 1:06am

Yes I understand that, but how would you block it then - if it's random?

Are you asking to block all random MACs?

slh · June 13, 2023, 1:23am

What you're explaining is indeed convention, but nothing (can) enforces it - there's no problem to cycle through 'real' MAC addresses randomly, without setting the bit.

professor_jonny · June 13, 2023, 4:15am

Yes if devices attatch to the network with a random MAC address they could be blocked or actions preformed like a sandbox them to specific resources.

yes but consumer devices Iphones andriod devices conform to those standards.
it will force users to run with hardware mac or pose restrictions.
It is not perfect but is a idea

slh · June 13, 2023, 4:20am

…just from a 5s search (first result, without digging any deeper).

Windows (on your desktop or notebook) will allow the same directly (the same goes for linux, no idea about MacOS/ iOS).

professor_jonny · June 13, 2023, 5:06am

Requires root an busybox a consumer device.generally would not have that.

lleachii · June 13, 2023, 2:09pm

I don't understand the point of the comment. Security thru obscurity (or trying to secure based on such methods) is usually frowned upon.

It seems to me, you'd always be adding new MAC combinations - 'til eventuality you blocked all OUIs.

Suggestion - just don't use WiFi (not being facetious, just offering a thought exercise regarding the feasibility of blocking all OUIs - to the point-of-the-absurd).

professor_jonny · June 13, 2023, 3:11pm

security through obsecurity can be used as a complementary solution alongside other methods but it can be a goot tol to under stand and manage things better in this case.

Some of the OUI are for example associated with vmware virtual servers, particular hardware, specific manufactures etc.
I can potentially use this sure it is not 100% fool proof but it is a tool.

Blocking random mac forces devices to use hardware MAC addresses and with apple devices for example I can then see dhcp hostnames and better manage my network.

Even if i dont use it as a blocking method I can still uses it to sort out traffic and understand it better.

krazeh · June 13, 2023, 3:23pm

Are you in the habit of allowing any and all devices to just connect to your network?

Blocking MAC addresses seems like using a sledgehammer to crack a nut. Disabling random MAC addresses isn't an automatic thing a device does if it can't connect, you still need to go and manually change that. And for devices that you don't control you can just as easily set up guest networks to limit their access to any trusted resources.

professor_jonny · June 13, 2023, 9:07pm

You are right I'm not denying that but I plan to use it as a means of less intervention on my home network.
I don't want to block family member who may turn up at my house and attatch to my wifi just push them to a kids_lan if they use a random mac which is the default now on android and apple devices when attaching to a new network.
If they use a hardware mac It will allow them adult lan access except for specific known kids devices on the list of deny.

You can imagine my kids thinking forcing hardware mac is allowing them adult access but in reality, it is imposing restrictions.

My alternative is to only specific macs on the adults lan which requires more intervention and creating rules.

We are now in a world of flippers and other such devices that can eavesdrop WIFI passwords by creating fake networks, cellphones and apps can display QR codes to share wifi passwords for enterprise WIFI the list goes on...

krazeh · June 13, 2023, 9:17pm

There's another alternative of just creating a guest network for guests to use. Doesn't require convoluted attempts to block random MAC addresses or any repeated intervention/rule changes. The concept of using MAC addresses for any sort of network security is just not a good one.