On 28. May 2025, at 23:03, Stuart Henderson <stu.lists@spacehopper.org> wrote:

On 2025-05-27, Heinrich Rebehn <Heinrich.Rebehn@rebehn.net> wrote:

Hello all,
The question may sound weird, but here is my situation:
I have a (Linux) PBX (FreePBX) that I want to protect with an OpenBSD firewall since I am not familiar with Linux's built-in firewall and also I would like to separate things.
I also would like to avoid routing / NAT on the firewall, which leads me to using a transparent filtering bridge.
When experimenting with such a setup on my rented VMWare ESXi host, I immediately got an abuse email from my hoster, complaining about the use of unauthorised MAC addresses.
The reason is:
When I order an additional IP address for my PBX VM, I am provided a defined MAC address which I have to configure on the VM. I am not allowed to use any other MAC.
Surely you still need access to update/manage the firewall?
Seems the simplest solution might be to order an additional address to
use on it, and configure that MAC address via 'lladdr'. (The VM host may
need to be configured to allow using a non-default MAC).
Management could be done via the virtual console (24 lines only, no scrolling). My thought was to use a third interface, not a bridge member, connected to the private LAN and routed to the internet for management and updates.
But your proposal is even better and I will spend the additional €€ on that :-). No worries about alien MACs.
No need to configure the MAC via 'lladdr'. The MAC will be entered on the ESXi management web page.
My setup:
+--------------------------+    +--------------------------+   +----------------+
| PBX (using provided MAC) |----| OpenBSD filtering bridge |---| hoster's router|
+--------------------------+    +--------------------------+   +----------------+
                                   |                    |
                                   |                    |
                                 VMX1                 VMX0 with 'alien' MAC address
The challenge: How do I prevent my firewall's VMX0 interface from sending any packet using any other than the provided MAC address.
Things that I already considered:
- When acting as a bridge, packets from PBX should be forwarded with original MAC
- IP forwarding is disabled, net.inet.ip.forwarding=0
- VMX0 and VMX1 are only configured as UP (no IP address)
- The bridge is configured as:
up
add vmx0
add vmx1
blocknonip vmx0
blocknonip vmx1
-autoedge vmx0
-autoedge vmx1
-edge vmx0
-edge vmx1
- /etc/pf.conf:
set skip on lo
block drop out quick log on vmx0 from self to any
block drop in quick log on vmx0 from any to self
block drop log
pass # No filtering done ATM
Anything else that needs to be considered?
the initial temporary PF ruleset in /etc/rc does allow some packets,
though you may be ok if the interfaces have no address configured.
try it with a vm with a network interface plumbed through to another
vm where you can watch with tcpdump.
bios/uefi may send packets in some circumstances e.g. pxe
Thank you!
PS: If you consider this whole setup insane, I am open for better solutions :-)
Thanks for any help,
Heinrich
--
Please keep replies on the mailing list.
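What Stuart's "watch with tcpdump" suggestion looks like in script form, added here as an example and not part of the thread: an observer VM attached between the firewall's vmx0 and the hoster's router captures with `tcpdump -e -n`, and the script reports every source MAC that is not on an allowlist (the MAC the hoster assigned to the PBX plus the router's own MAC). The MAC addresses, IP addresses and capture lines below are constructed for the example; the parser assumes OpenBSD's tcpdump -e line layout (timestamp, source MAC, destination MAC, ethertype, length), which differs from Linux tcpdump's "src > dst, ethertype ..." form.

```shell
#!/bin/sh
# Added example (not from the thread): report frames on the hoster-facing side
# whose source MAC is not the one the hoster assigned.
#
# Assumes OpenBSD tcpdump -e -n output, where each frame line starts with
#   <timestamp> <src mac> <dst mac> <ethertype> <length>:
# Linux tcpdump prints "src > dst, ethertype ..." and would need other fields.

# alien_macs MAC... : read tcpdump -e -n lines on stdin; print each source MAC
# that is not in the argument list, once, followed by how many frames it sent.
alien_macs() {
    awk -v allowed="$*" '
    BEGIN {
        n = split(tolower(allowed), a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    # ignore anything that is not a frame record (tcpdump banner, warnings)
    $2 !~ /^[0-9a-f:]+$/ || $3 !~ /^[0-9a-f:]+$/ { next }
    {
        src = tolower($2)
        if (!(src in ok)) seen[src]++
    }
    END { for (m in seen) printf "%s %d\n", m, seen[m] }' | sort
}

# Constructed sample capture (made-up MACs and documentation-range IPs).
# 00:50:56:aa:bb:01 stands for the hoster-assigned PBX MAC, 00:50:56:ff:ff:fe
# for the hoster's router, and 00:0c:29:de:ad:01 for the firewall's default
# vmx0 MAC, which must never show up on this side of the bridge.
SAMPLE='10:00:01.000001 00:50:56:aa:bb:01 00:50:56:ff:ff:fe 0800 98: 203.0.113.10 > 198.51.100.1: icmp: echo request
10:00:01.000002 00:50:56:ff:ff:fe 00:50:56:aa:bb:01 0800 98: 198.51.100.1 > 203.0.113.10: icmp: echo reply
10:00:02.000003 00:0c:29:de:ad:01 ff:ff:ff:ff:ff:ff 0806 42: arp who-has 198.51.100.1 tell 203.0.113.11
10:00:02.000004 00:0c:29:de:ad:01 00:50:56:ff:ff:fe 0800 74: 203.0.113.11.49152 > 198.51.100.1.80: S 1:1(0) win 16384'

# Demo on the sample. Against a live capture on the observer VM, replace the
# printf with:  tcpdump -e -n -l -i <observer if> | alien_macs <pbx mac> <router mac>
printf '%s\n' "$SAMPLE" | alien_macs 00:50:56:aa:bb:01 00:50:56:ff:ff:fe
```

On the sample the script reports `00:0c:29:de:ad:01 2`, i.e. two frames from the firewall's own MAC leaked onto the hoster-facing segment (an ARP request and a TCP SYN), which is exactly the kind of traffic the abuse mail was about. Running it for a while across a reboot also covers the other two cases Stuart mentions: the window in which the temporary /etc/rc ruleset is active, and anything the BIOS/UEFI firmware emits (PXE) before the kernel is up.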