
Re: 802.11 gateway/authpf



On Fri, 2003-08-01 at 09:18, Sancho2k.net Lists wrote:
> Jason Dixon wrote:
> 
> > Here's my not-so-brief solution to "safely" adding 802.11b traffic to an
> > existing wired segment:
> > Bridge fxp2 to fxp1, allowing you to perform both layer 2 and 3
> > filtering on the wireless traffic into your LAN and outside to the
> > Internet.  Using PF, require that all traffic crossing fxp2 is encrypted
> > via IPsec.  Then, you can do "normal" filtering on enc0, applying your
> > typical rules/NAT/etc.  Using a simple, 2-rule nat/no-nat configuration
> > will also allow you to reflect traffic between fxp2 and fxp1.
> 
> Do you have some sample ruleset snippets reflecting this?

See below.

> > Don't forget to use authpf as you mentioned.  This will actually occur
> > prior to the stuff I mentioned above.  Initially, you'll only want to
> > allow ssh and bootp requests from the wireless segment, then load up the
> > custom rulesets on a per-user basis.
> > You also mentioned WEP.  While WEP is inherently weak, it's not a bad
> > idea to use it with Windows clients.  I've found that XP, for example,
> > connects much easier to a wireless segment if it thinks it's "secure". 
> > Try it without WEP... even with IPsec enabled... and it's going to be a
> > constant babysitting endeavor.
> > 
> > Other things to consider would be to integrate transparent proxies and
> > QoS.  I won't go into it here, you've got enough to chew on.  ;-)
> 
> The transparent proxy; oh yes. I would be fairly excited to do that.
> 
> QoS to accomplish what exactly?

Simple traffic shaping/quotas.

> > Sorry if I sound like I'm rambling, my head it tired.  Bleh.
> > 
> 
> You're entitled.

Gratsi.  :)

And some of the rule samples...

table <vpn> { 192.168.10.20, 192.168.10.21 } persist
...
nat on $int_if from $int_net to $int_net -> ($int_if)
no nat on $int_if from ($int_if) to $int_net
...
# ssh (the authpf login) is tcp, bootp requests are udp
pass in quick on $int_if inet proto tcp from <vpn> to ($int_if) port 22 keep state
pass in quick on $int_if inet proto udp from <vpn> to ($int_if) port 67 keep state
pass in quick on $int_if inet proto esp from <vpn> to ($int_if) keep state
pass in quick on $int_if inet proto udp from <vpn> to ($int_if) port 500 keep state
...
block log on enc0
block in quick on $int_if from <vpn> to any
...
pass out on enc0 inet proto icmp all keep state
pass in on enc0 inet proto icmp from $int_net to any keep state
pass out on enc0 proto udp all keep state
pass in on enc0 proto udp from $int_net to any keep state
pass out on enc0 proto tcp all keep state
pass in on enc0 proto tcp from $int_net to any modulate state



-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
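Added example, not from Jason's post: one way to assemble the pieces he describes (bridge, IPsec-only wireless side, authpf anchors, enc0 filtering) into a single pf.conf. It assumes fxp0 faces the Internet, fxp2 is the wireless NIC bridged to the wired fxp1, $int_if is the interface the wireless hosts arrive on, the LAN is 192.168.10.0/24, and the <vpn> members are placeholders.

```pf
# Constructed example; interface names, addresses and <vpn> members are assumed.
ext_if  = "fxp0"                # Internet side
int_if  = "fxp2"                # wireless NIC, bridged to the wired fxp1
int_net = "192.168.10.0/24"

# Wireless hosts allowed to negotiate IPsec with the gateway.
table <vpn> { 192.168.10.20, 192.168.10.21 } persist

# Translation rules must come before filter rules. The nat/no-nat pair makes
# the gateway reflect traffic between the bridged segments; packets the
# gateway sources itself are exempt.
nat on $int_if from $int_net to $int_net -> ($int_if)
no nat on $int_if from ($int_if) to $int_net
nat-anchor "authpf"
rdr-anchor "authpf"
binat-anchor "authpf"

block log all
pass out on { $ext_if, $int_if } keep state

# Cleartext from the wireless side before authentication: only the authpf
# ssh login (tcp) and DHCP requests (udp) addressed to the gateway.
pass in quick on $int_if inet proto tcp from $int_net to ($int_if) port 22 keep state
pass in quick on $int_if inet proto udp from $int_net to ($int_if) port 67 keep state

# IKE and ESP from enrolled hosts; any other cleartext from them is dropped,
# which is what forces their traffic onto enc0.
pass in quick on $int_if inet proto udp from <vpn> to ($int_if) port 500 keep state
pass in quick on $int_if inet proto esp from <vpn> to ($int_if) keep state
block in quick on $int_if from <vpn> to any

# Per-user rules that authpf loads on login. Write them against enc0 so an
# authenticated user still cannot bypass IPsec, e.g. in authpf.rules:
#   pass in quick on enc0 proto tcp from $user_ip to any modulate state
anchor "authpf"

# Decrypted traffic gets the "normal" filtering on enc0.
block log on enc0
pass out on enc0 inet proto icmp all keep state
pass out on enc0 proto { tcp, udp } all keep state
pass in on enc0 inet proto icmp from $int_net to any keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and remember that pf on a bridge evaluates rules on the member interface a packet actually enters, so the `$int_if` choice matters.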