macf command (address mapping)
Description
The command performs filtering using a static mapping of IP addresses to MAC addresses in an Ethernet network. It may be useful for service providers that connect a group of clients (such as individual users in an apartment block) to their network via one common access unit. In this case, clients may be tempted to change their IP address to that of a neighbour, thus deceiving the provider's accounting system. Using the "macf" command does not guarantee total protection; however, for a common user it is much more difficult to change the MAC address than the IP address.
Syntax:
Parameters
IFNAME
The interface to whose mapping table the filter is added.
{MAC|"any"} {IP|"any"} "Comment"
Adds a filter to the mapping table.
"MAC" – device MAC address.
"IP" – IP address assigned to the device.
"any" – any MAC or IP address.
"Comment" – symbolic comment for easier identification.
NOTE
Two filters with the same MAC address cannot be added to the table.
del N
Removes filter number "N" from the mapping table. The filter number can be checked using the "show" parameter.
{[-]dhcp [-]strict | [-]reverse | [-]simple | [-]quiet}
Selects the packet filtering mode. "[-]" cancels the parameter's action. The MAC filter algorithm consists of two steps:
The filter searches for the MAC address in the table.
If the MAC address is found, the IP address matching check is performed.
"strict" – enables strict filtering mode. In this mode all packets received from units not described in the mapping table are discarded. By default, "strict" mode is disabled.
CAUTION
If you are configuring the router remotely over telnet, make sure before enabling strict mode that your own workstation has already been added correctly to the mapping table. Otherwise you will lose control of the router, and disabling strict mode will only be possible through the router's diagnostics port.
"reverse" – swaps the processing steps: first the IP address is searched for, then the MAC addresses are compared.
"simple" – only the first step of the above algorithm is executed. If the address is found in the mapping table, the packet is handled by the router normally. Otherwise the packet is discarded, regardless of whether the "strict" option is enabled (the second address is not checked).
"dhcp" – in this mode the macf filter is automatically supplemented with addresses issued by the local DHCP server. These records are not stored in the permanent configuration and remain in effect until the given address is deleted by the DHCP server.
"quiet" – switches off logging to the system log. When a network packet is discarded by the filter, this fact is logged. To reduce the number of logged packets, only the first attempt from a group of similar packets is logged.
If there is an intermediate router between the subscriber terminal and the local network, "reverse strict" or "reverse simple" can be used with all valid workstation IP addresses and the intermediate router's MAC address.
If several local networks separated by intermediate routers are connected to the subscriber terminal, "simple" or "reverse strict" can be used with the intermediate routers' MAC addresses.
NOTE
In many cases this problem can be solved more easily by using the "arp" command.
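The two-step algorithm and the "strict", "reverse", "simple" and "quiet" modes described above, modelled as a Python decision function. This is an added illustration, not the router's own code: the table entries, the wildcard handling for "any", the frame tuples and the log line format are assumptions made for the example.

```python
from dataclasses import dataclass

ANY = "any"  # wildcard accepted by the "add" parameter

@dataclass(frozen=True)
class Entry:
    mac: str
    ip: str
    comment: str = ""

def _match(pattern: str, value: str) -> bool:
    return pattern == ANY or pattern.lower() == value.lower()

def macf_decide(table, mac, ip, strict=False, reverse=False, simple=False):
    """Return (accepted, reason) for a frame with source (mac, ip): step one looks
    up the first key (MAC, or IP under "reverse"), step two checks the other."""
    if reverse:
        found = [e for e in table if _match(e.ip, ip)]
        second_ok = any(_match(e.mac, mac) for e in found)
        first, second = "IP", "MAC"
    else:
        found = [e for e in table if _match(e.mac, mac)]
        second_ok = any(_match(e.ip, ip) for e in found)
        first, second = "MAC", "IP"
    if not found:  # unknown unit: dropped under "strict", always under "simple"
        if strict or simple:
            return False, f"{first} not in table"
        return True, f"{first} not in table, non-strict mode"
    if simple:  # second step is skipped
        return True, f"{first} found"
    if second_ok:
        return True, "MAC/IP mapping matches"
    return False, f"{second} does not match the entry for this {first}"

def run_filter(table, frames, quiet=False, **modes):
    """Filter (mac, ip) frames; return accepted frames and syslog-style lines.
    As on the router, a discard is logged once per (mac, ip) group unless quiet."""
    accepted, log, seen = [], [], set()
    for mac, ip in frames:
        ok, reason = macf_decide(table, mac, ip, **modes)
        if ok:
            accepted.append((mac, ip))
        elif not quiet and (mac, ip) not in seen:
            seen.add((mac, ip))
            log.append(f"macf: dropped {mac} {ip}: {reason}")
    return accepted, log
```

The intermediate-router case from the text is covered by listing every valid workstation IP against the router's MAC and running with `reverse=True, strict=True`.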
show
Displays the current state of the mapping table.
clear
Clears the mapping table.
Examples
Add two filters to the mapping table: the MAC addresses "102030405060" and "203040506070" are assigned the IP addresses "1.1.1.1" and "2.2.2.2" respectively. Add comments to label the ownership of the IP addresses.
Display the current state of the mapping table.
All local network workstations are connected directly to the "eth0" interface of the subscriber terminal. In this case the simplest filter version can be used, with the "strict" parameter.