I try to avoid nat unless there's a good reason to use it (like me
being too cheap to pay for 8 addresses at home) so I'm going to assume
that you're using real (not rfc1918) address space. It complicates
this sort of setup, but only slightly. This is based on lessons
learned running an authenticated, vpn-able wireless net.

First off, get a chunk of network to be used for wireless. It should
be obvious that you don't want your wireless and wired nets to be
bridged. Unless the wired and wireless space is a totally free-for-all
public access area already littered with compromised virus run-time
platforms...

Then, configure a machine as the typical internet gateway - routing,
dhcp, possibly a DNS cache, possibly a web cache... While thinking
about setting up caches, be sure to read up on cache poisoning, and
tunneling IP through DNS requests. You'll probably want to set a
fairly short lease time in dhcp to cope with people who just wander
off or suspend their laptops without releasing their IP addresses. Pay
attention to authpf(8), especially the part about how to set up sshd.

Set up PF to deal with unauthenticated and/or unprotected connections.
We disallow unauthenticated traffic, and allow "harmless" services
without a vpn and everything with a vpn. Harmless is http (our users
are pretty good about not exposing their local passwords over http),
anonymous ftp (as enforced by ftp-proxy), ssh, chat services and
ssl (pop, imap, http, smtp). And IKE/IPSec. That makes 90% of what people
want easily available: web surfing, webmail and fat client email.
You'll want to learn about filtering on the enc(4) interface. Here's
where you do want to make use of nat: use rdr to snarf unauthenticated
http and redirect it into a local webserver that explains the rules
and procedures for network access.

We've found it useful to make syslog keep authpf logs in
/var/log/authpf, and keep authpf and pf logs for at least 30 days,
rotated at midnight. It makes abuse investigations a bit quicker when
you know where to look for logs.

Set up isakmpd to allow aggressive mode connections. There are a
number of pages up that give example isakmpd.conf files for aggressive
mode that interoperate with windows (I assume you'll have lots of
windows laptops). See www.allard.nu/openbsd

Now you can hook authpf into pf.conf. You can either refer to the
authpf_users table and do something like this:
     # authpf(8) adds/removes logged-in client addresses in this table
     no rdr from <authpf_users>
     pass in log quick on $int_if from <authpf_users> keep state

or use the anchors.
     # authpf loads each user's rules into a per-user sub-anchor
     rdr-anchor "authpf/*"
     nat-anchor "authpf/*"
     binat-anchor "authpf/*"
     # your ruleset here
     anchor "authpf/*"

Under load (>200 simultaneous users) you'll probably have better
results using the table method. That's what we're doing on our
wireless gateway.

Things to read: httpd(8), named(8), dhcpd(8), pfctl(8), authpf(8),
sshd(8), newsyslog(8), syslog.conf(5), isakmpd(8) ... and the pages
they reference.

On 1/24/06, Didier Wiroth <[EMAIL PROTECTED]> wrote:
> hello,
> I've read man ipsec and vpn. Unfortunately I'm totally new to ipsec and have 
> no ipsec experience.
>
> I'm looking for tutorials with samples, URLs or anything else, where I can 
> find additional info on how to secure wifi networks with openbsd's: ipsec and 
> authpf.
>
> In advance, many thanks for any kind of help!!!
> Best regards
> Didier
>
> ------------------------------------------------------------------------------------------------------
> Ministry of Higher Education
> CEDIES
> rte d'Esch, 211
> L-1471 Luxembourg
> Tel: (+352) 478-8669
> Fax: (+352) 455656
>
> Pgp key:
> http://www.cedies.public.lu/pgp-keys/
> ------------------------------------------------------------------------------------------------------
>
>


--
GDB has a 'break' feature; why doesn't it have 'fix' too?
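The pieces described in the reply above (unauthenticated http snarfed into a local rules page, "harmless" services for authpf users without a VPN, IKE/ESP to the gateway and enc(4) filtering for everything over the VPN, the authpf_users table method) put together into one ruleset. This is an added example, not the poster's own pf.conf. Interface names, the address block (the 192.0.2.0/24 documentation range stands in for a real one), the port 8080 explanation webserver, the inetd ftp-proxy line and the chat ports are assumptions, as is the assumption that the decapsulated source address on enc0 is the client's wireless address. It uses the rdr/nat syntax of pf in the OpenBSD 3.x era this thread comes from.

```pf
# /etc/pf.conf for an authpf wireless gateway. Added example, not the
# poster's ruleset. Interfaces, addresses, ports and the inetd line
# below are assumptions.

ext_if     = "fxp0"          # wired uplink
wifi_if    = "wi0"           # wireless segment: routed, never bridged
wifi_net   = "192.0.2.0/24"  # wireless block, real space so no nat
gw         = "192.0.2.1"     # gateway address on $wifi_if
rules_port = "8080"          # local httpd explaining the access rules

# "Harmless" services after authpf login, no VPN required: http, ssh,
# ssl pop/imap/smtp, chat. 5190/5222/6667 (AIM, XMPP, IRC) are assumed.
harmless_tcp = "{ www, ssh, https, pop3s, imaps, 465, 5190, 5222, 6667 }"

# authpf(8) adds a client address here on ssh login, removes it on logout.
table <authpf_users> persist

set skip on lo0

# Unauthenticated http is redirected into the rules page; authenticated
# users are exempted first, since the first matching rdr wins.
no rdr on $wifi_if proto tcp from <authpf_users> to any port www
rdr on $wifi_if proto tcp from $wifi_net to any port www -> $gw port $rules_port

# ftp from authenticated users goes through ftp-proxy, run from inetd with
# -A so only anonymous logins are permitted. Assumed inetd.conf line:
#   127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -A
rdr on $wifi_if proto tcp from <authpf_users> to any port ftp -> 127.0.0.1 port 8021

block log all

# Before authentication a client only gets dhcp, dns, ssh to the gateway
# (that is authpf's sshd) and the rules page.
pass in quick on $wifi_if inet proto udp from any port bootpc to any port bootps
pass in quick on $wifi_if proto { tcp, udp } from $wifi_net to $gw port domain keep state
pass in quick on $wifi_if proto tcp from $wifi_net to $gw port { ssh, $rules_port } \
    flags S/SA keep state

# Authenticated, no VPN: harmless services only, logged for abuse
# investigations. The ftp rule matches the rdr'd destination above.
pass in log quick on $wifi_if proto tcp from <authpf_users> to any port $harmless_tcp \
    flags S/SA keep state
pass in log quick on $wifi_if proto tcp from <authpf_users> to 127.0.0.1 port 8021 \
    flags S/SA keep state

# IKE and ESP to the gateway so an authenticated user can bring up IPsec.
pass in log quick on $wifi_if proto udp from <authpf_users> to $gw port isakmp keep state
pass in log quick on $wifi_if proto esp from <authpf_users> to $gw

# Authenticated with VPN: everything. Decapsulated packets appear on enc0,
# so that is where the "everything" rule lives, still limited to the table.
pass in log quick on enc0 from <authpf_users> to any keep state
pass out quick on enc0 from any to <authpf_users> keep state

# The gateway's own and forwarded outbound traffic; replies ride the states.
pass out quick on $ext_if keep state
pass out quick on $wifi_if keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and watch the table with `pfctl -t authpf_users -T show` to see who authpf currently has logged in. Unauthenticated clients are stopped by `block log all` before any of the `<authpf_users>` rules, which is the whole point of the table method: nothing but the gateway's sshd and the rules page is reachable until authpf has added the address.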