About the machine management

Hey Nethservers, thanks for the opportunity. I just got to know about NethServer 7.7 today and I am downloading the ISO to install. I am excited about all the features that I have read about already, but I did not see anything about machine management and machine groups, which allow me to create a range of network machines and manage them with MAC address restriction, just for the security of network access. Thanks. I hope it is not a mediocre doubt, because I have not installed it yet or looked for this particularity, but if I want to leave the server I use to switch to NethServer I really need to know if this feature exists, or something that can help me with it.

Best regards

1 Like

Hi @Cisqo_Timoteo,
welcome to the community.
You can manage the Samba server from a Windows PC with RSAT tools. Here you can build groups, but I don’t know how to use the computer groups with firewall rules. Perhaps @support_team can help more.

Restriction about what services do you want to manage?
Squid, Samba, DHCP, …?

Hi @flatspin, thanks for the support. I need this for proxy and DHCP service.

Hi @m.traeumner, thanks for the support. It is a good idea, I will see what I can do. Thanks.

You can do DHCP IP reservation and set how the firewall should behave based on MAC validation.

Check some info from the docs:

IP/MAC binding

When the system is acting as DHCP server, the firewall can use the list of DHCP reservations to strictly check all traffic generated from hosts inside local networks. When IP/MAC binding is enabled, the administrator will choose what policy will be applied to hosts without a DHCP reservation. The common use is to allow traffic only from known hosts and block all other traffic. In this case, hosts without a reservation will not be able to access the firewall nor the external network.

IP/MAC binding

When MACValidation option is enabled, the firewall analyzes all the traffic based on a well-known list of IPs associated to MAC addresses. If the host generating the traffic is not inside the list, MACValidationPolicy will be applied. The list of IP/MAC association is created from DHCP reservations.

Thus, enabling MACValidation and leaving MACValidationPolicy set to drop, will block all traffic from hosts without a DHCP reservation.

For DHCP there is another possible way with a dnsmasq option dhcp-ignore=tag:!known.

You can create a template-custom in /etc/e-smith/templates-custom/etc/dnsmasq.conf with

# Create the template-custom directory first if it does not exist yet
mkdir -p /etc/e-smith/templates-custom/etc/dnsmasq.conf
cat > /etc/e-smith/templates-custom/etc/dnsmasq.conf/33mac.filtering << 'EOL'
# 33 mac-filtering
# Ignore any clients which are not specified in dhcp-host lines
# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
# This relies on the special "known" tag which is set when
# a host is matched.
dhcp-ignore=tag:!known
EOL

(be aware that dnsmasq.conf is a directory)

then expand-template /etc/dnsmasq.conf and systemctl restart dnsmasq

With the file /etc/ethers you can control MAC addresses.

For details see:
https://linux.die.net/man/5/ethers
http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

1 Like
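
As an added example (not part of the thread and not NethServer's own tooling): a small shell audit for the /etc/ethers allow-list mentioned above. It flags malformed, host-less and duplicate entries and lists observed MAC addresses that have no entry, that is, clients which dhcp-ignore=tag:!known would leave unanswered unless they also have a dhcp-host reservation. The function names, the '#' comment handling, treating a host-less line as not known, and the sample data are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed ethers(5)-style input:
# "<MAC> <hostname-or-IP>" per line; '#' comment handling is an assumption.

# awk helper: canonical aa:bb:cc:dd:ee:ff, or "" when the MAC is invalid.
NORM='function norm(m,  p, n, i, out) {
  n = split(tolower(m), p, ":")
  if (n != 6) return ""
  for (i = 1; i <= 6; i++) {
    if (p[i] !~ /^[0-9a-f][0-9a-f]?$/) return ""
    out = out (i > 1 ? ":" : "") (length(p[i]) == 1 ? "0" p[i] : p[i])
  }
  return out
}'

# Report malformed, host-less and duplicate entries in ethers file $1.
check_ethers() {
  awk "$NORM"'
    { sub(/#.*/, "") }
    NF == 0 { next }
    { mac = norm($1)
      if (mac == "")        printf "line %d: bad MAC %s\n", NR, $1
      else if (NF < 2)      printf "line %d: no host for %s\n", NR, mac
      else if (mac in seen) printf "line %d: duplicate %s\n", NR, mac
      else                  seen[mac] = NR }' "$1"
}

# Print each valid MAC from $2 (one per line) with no entry in ethers file $1.
unknown_macs() {
  awk "$NORM"'
    FILENAME == ARGV[1] { sub(/#.*/, ""); m = norm($1)
                          if (NF >= 2 && m != "") known[m] = 1; next }
    { m = norm($1)
      if (m != "" && !(m in known) && !(m in shown)) { shown[m] = 1; print m } }
  ' "$1" "$2"
}

# Constructed sample data (not real hosts): writes $1/ethers and $1/seen.
make_sample() {
  printf '%s\n' '# office PCs' '00:16:3E:aa:bb:01 pc-alice' \
    '0:16:3e:aa:bb:2 192.168.1.12' '00:16:3e:aa:bb:01 pc-alice-dup' \
    '00:16:3e:aa:bb pc-short' '00:16:3e:aa:bb:05' > "$1/ethers"
  printf '%s\n' '00:16:3e:aa:bb:01' '00:16:3E:AA:BB:02' \
    '00:16:3e:aa:bb:99' '00:16:3e:aa:bb:05' > "$1/seen"
}
```

The second argument of unknown_macs is any one-MAC-per-line list you collect yourself, for example from the DHCP log or the neighbour table. Running check_ethers before restarting dnsmasq catches typos that would otherwise lock a legitimate host out.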

Hi @dnutan, thanks for the support… I will see if it works.