Re: 802.11 gateway/authpf
- To: Jason Dixon <jason@dixongroup.net>
- Subject: Re: 802.11 gateway/authpf
- From: "Sancho2k.net Lists" <lists@sancho2k.net>
- Date: Fri, 01 Aug 2003 07:18:11 -0600
- Cc: misc@openbsd.org
- References: <3F28914D.2090009@sancho2k.net> <1059666341.2789.27.camel@lappy.fuzzypenguin.net>
- User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312
Jason Dixon wrote:
> Here's my not-so-brief solution to "safely" adding 802.11b traffic to an
> existing wired segment:
> Bridge fxp2 to fxp1, allowing you to perform both layer 2 and 3
> filtering on the wireless traffic into your LAN and outside to the
> Internet. Using PF, require that all traffic crossing fxp2 is encrypted
> via IPsec. Then, you can do "normal" filtering on enc0, applying your
> typical rules/NAT/etc. Using a simple, 2-rule nat/no-nat configuration
> will also allow you to reflect traffic between fxp2 and fxp1.
Do you have some sample ruleset snippets reflecting this?
> Don't forget to use authpf as you mentioned. This will actually occur
> prior to the stuff I mentioned above. Initially, you'll only want to
> allow ssh and bootp requests from the wireless segment, then load up the
> custom rulesets on a per-user basis.
> You also mentioned WEP. While WEP is inherently weak, it's not a bad
> idea to use it with Windows clients. I've found that XP, for example,
> connects much easier to a wireless segment if it thinks it's "secure".
> Try it without WEP... even with IPsec enabled... and it's going to be a
> constant babysitting endeavor.
>
> Other things to consider would be to integrate transparent proxies and
> QoS. I won't go into it here, you've got enough to chew on. ;-)
The transparent proxy; oh yes. I would be fairly excited to do that.
QoS to accomplish what exactly?
>
> Sorry if I sound like I'm rambling, my head is tired. Bleh.
>
You're entitled.
DS
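As an added illustration of the ruleset DS is asking Jason for (this is editor-supplied example configuration, not a ruleset posted by either of them), the following pf.conf and authpf.rules put the pieces of the quoted design together: fxp1 and fxp2 bridged, the wireless side restricted to DHCP and ssh until authpf has loaded per-user rules, IPsec as the only path for other wireless traffic, and "normal" filtering on enc0. The interface roles (fxp0 upstream, fxp1 wired, fxp2 wireless), the 192.168.1.0/24 addressing and the gateway address 192.168.1.1 are assumptions, and the syntax is the OpenBSD 3.3-era form in use when this thread was written (keep state, nat/no nat, plain anchor authpf), not the later match/nat-to syntax.

```pf
# ---------------------------------------------------------------------------
# /etc/pf.conf  (added illustration; OpenBSD 3.3-era PF syntax is assumed)
# Assumed layout: fxp0 faces the Internet, fxp1 the wired LAN, fxp2 the access
# point; fxp1 and fxp2 are members of bridge0, so wired and wireless hosts
# share one subnet. Addresses are constructed for the example.
# ---------------------------------------------------------------------------
ext_if  = "fxp0"
lan_if  = "fxp1"
wifi_if = "fxp2"
lan_net = "192.168.1.0/24"
gw_ip   = "192.168.1.1"     # gateway address on fxp1: ssh/authpf and IPsec endpoint

# NAT as a two-rule nat/no-nat pair: hosts talking within the bridged segment
# are never translated; everything leaving $ext_if is.
no nat on $ext_if from $lan_net to $lan_net
nat on $ext_if from $lan_net to any -> ($ext_if)

# Anchors that authpf fills with per-user rules after a successful ssh login
nat-anchor authpf
rdr-anchor authpf
binat-anchor authpf
anchor authpf

# Default deny, logged, so that anything arriving on the wireless side in the
# clear that is not listed below shows up on pflog0.
block log all

# Wireless side, before authentication: only DHCP and ssh to the gateway.
pass in  quick on $wifi_if inet proto udp from any port 68 to any port 67
pass out quick on $wifi_if inet proto udp from any port 67 to any port 68
pass in  quick on $wifi_if inet proto tcp from $lan_net to $gw_ip port 22 \
    flags S/SA keep state
# IKE and ESP are deliberately not opened here; authpf adds them per user
# (see authpf.rules below), so an unauthenticated client cannot even start IKE,
# and cleartext wireless traffic headed for the wired LAN hits the block rule
# on its way in on fxp2.

# enc0: traffic that has already been decrypted. This is where the "normal"
# policy lives; the wireless client is treated like any other LAN host.
pass in on enc0 inet proto tcp from $lan_net to any port { 22, 25, 80, 443 } \
    flags S/SA keep state
pass in on enc0 inet proto udp from $lan_net to any port 53 keep state
pass in on enc0 inet proto icmp from $lan_net to any icmp-type echoreq keep state

# Wired LAN and upstream; replies to the above ride on their state entries.
pass in  on $lan_if from $lan_net to any keep state
pass out on $lan_if keep state
pass out on $ext_if keep state

# ---------------------------------------------------------------------------
# /etc/authpf/authpf.rules  (loaded for each user who logs in through authpf;
# $user_ip is supplied by authpf. The interface name and gateway address are
# written out literally because pf.conf macros are not visible in this file.)
# ---------------------------------------------------------------------------
pass in quick on fxp2 inet proto udp from $user_ip to 192.168.1.1 port 500 keep state
pass in quick on fxp2 inet proto esp from $user_ip to 192.168.1.1 keep state
```

Load it with pfctl -f /etc/pf.conf after the bridge and the gateway's IPsec configuration are up; the wireless users' login shell must be /usr/sbin/authpf so that the ssh session is what opens the IKE/ESP rules for that user's address, and the rules disappear again when the session ends. The ordering matters for the point Jason makes about WEP: none of this depends on WEP, which is left purely as a client-convenience layer underneath it.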