Re: OpenBSD 3.4: authpf problem
On Saturday 01 November 2003 22:40 pm, Magnus Bodin wrote:
> On Sat, Nov 01, 2003 at 03:52:27PM -0800, Anthony Schlemmer wrote:
> > access to all systems outside my network, and local access is
> > limited to name service and SSH on the gateway with all access
> > denied to the internal network on sis0 without being logged into
> > the gateway.
>
> Note that if your 'name service' that you offer to not authenticated
> users is really a resolver that looks up domain names served by
> external DNS servers, this is a potential hole of misuse. See
> <http://nstx.dereference.de> for a dns tunnel implementation that can
> be used for tunneling through DNS. If anyone is interested to use it
> in OpenBSD it needs some trivial patches.
>
> /magnus
This is for WIFI access in my own home and so the only people being
offered service are myself and my wife. I know WIFI isn't very secure
and it is fairly easy to crack a WEP key and spoof a MAC address. I
still feel that since an unauthenticated user is locked out of my
internal network that this is a much better setup than what most people
have. I think most people would simply plug their AP into their LAN's
switch and hope that no one cracks their WEP key and spoofs a MAC
address that's in their AP's filter list.
Most users don't even bother to disable SSID broadcasts on their APs
from what I've seen. Depending on the time of day I can take a site
survey on my laptop from the comfort of my own home and I see no less
than 3 other WIFI networks besides my own. Of those 3 other networks
there's one that doesn't even have WEP enabled.
Tony
--
Anthony Schlemmer
aschlemm@comcast.net
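
Added example, not part of the original thread: one way to check a gateway resolver's query log for the DNS tunnelling pattern Magnus describes, where an unauthenticated client sends many long, random-looking names under a single parent domain. The log tuples, thresholds, function names and the "last two labels" parent-zone rule are assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample: (client, queried name) pairs as a resolver query log might yield.
SAMPLE_QUERIES = [
    ("10.0.1.23", "www.openbsd.org"),
    ("10.0.1.23", "ftp.openbsd.org"),
    ("10.0.1.23", "cvs.openbsd.org"),
    ("10.0.1.23", "anoncvs.openbsd.org"),
    ("10.0.1.23", "mail.example.net"),
    ("10.0.1.50", "mzxw6ytboi4dcnjzgq3tqojq.tunnel.example"),
    ("10.0.1.50", "nbswy3dpeb3w64tmmqqhi2dj.tunnel.example"),
    ("10.0.1.50", "onxw2zjanrxw4zzamrqxiyja.tunnel.example"),
    ("10.0.1.50", "ifrgg5dfon2ca3lfon2wc43f.tunnel.example"),
    ("10.0.1.50", "orugs4zanfzsayjaorsxg5bo.tunnel.example"),
]

def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than ordinary host names."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def suspicious_parents(queries, min_unique=4, min_avg_len=20, min_entropy=3.0):
    """Return (client, parent domain, distinct names) for tunnel-like query patterns."""
    seen = defaultdict(set)  # (client, parent) -> distinct subdomain strings
    for client, qname in queries:
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain part to carry data
        # Assumption: the parent zone is the last two labels (no public-suffix list).
        seen[(client, ".".join(labels[-2:]))].add(".".join(labels[:-2]))
    flagged = []
    for (client, parent), names in sorted(seen.items()):
        avg_len = sum(len(n) for n in names) / len(names)
        avg_entropy = sum(shannon_entropy(n) for n in names) / len(names)
        # All three must hold: many distinct names, long, and random-looking.
        if len(names) >= min_unique and avg_len >= min_avg_len and avg_entropy >= min_entropy:
            flagged.append((client, parent, len(names)))
    return flagged

if __name__ == "__main__":
    for client, parent, count in suspicious_parents(SAMPLE_QUERIES):
        print(f"{client}: {count} long high-entropy names under {parent}")
```

The four short openbsd.org names meet the distinct-name count but not the length or entropy thresholds, so only the client querying under tunnel.example is reported.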