Hi,
My goal is to use OpenBSD to filter packets between my wireless
segment and my DMZ. I've protected my wireless with WEP but in the
long haul I'd like to be able to remove any authentication, WEP or WPA
from the wireless segment. My first question is this: This strategy
seemed to make sense a couple of years ago. Is there a better way to
go now?
If this is a reasonable way to go I have a question about how to
filter packets with pf in a bridged environment. I'd like to use a
bridge because it means the least amount of work for me with regard to
providing services to the wireless network (dhcp etc). In my
implementation I'm filtering at the interfaces. My machine has a quad
tulip card:
- de0 connects to the internet
- de1 connects to and has an ip address for my DMZ
- de2 connects to my wireless access point and has no ip
- bridge0 consists of interfaces de1 and de2
In my configuration I seem to be leaking packets from the bridge into
the kernel where they hit a keep state rule that allows their passage.
E.g. my simplified ruleset reads:
block in all
block out all
pass out on de0 from $my_network to any port 5222 flags S/SA keep state
pass in on de1
pass out on de1
pass in on de2 proto tcp \
from $wireless_network \
to any port 993 flags S/SA keep state
When I test this I find that a client on the wireless network can go
to Google Talk (tcp port 5222) and the rule that allowed passage is:
pass in on de1
I'm obviously confused about the way packets pass through the bridge.
Any help would be appreciated. Please cc my address. I am subscribed
to the list and I do read it, but it's slightly easier. I will post my
results to the list for future Google searchers.
Thanks
-- Chris
--
Chris Hilton chris-at-vindaloo-dot-com
------------------------------------------------------------------------
"All I was doing was trying to get home from work!"
-- Rosa Parks
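A reworked ruleset for the layout described in the post, written as an added example rather than Chris's own pf.conf: the macro names and the two subnets are constructed, and $my_network is replaced by the DMZ range. The point it demonstrates is that every pass rule names a source network, so a frame arriving from the wireless side cannot satisfy a DMZ rule whichever bridge member interface pf attributes it to.

```pf
# Added example, not the original poster's configuration.
# Interface names follow the post; the address ranges are constructed.
ext_if  = "de0"
dmz_if  = "de1"
wifi_if = "de2"
dmz_network      = "192.168.10.0/24"   # constructed placeholder
wireless_network = "192.168.20.0/24"   # constructed placeholder

# Default deny on every interface, including both bridge members.
block in all
block out all

# The unauthenticated wireless segment never reaches DMZ hosts, even on
# ports the rules below open towards the Internet.
block in quick from $wireless_network to $dmz_network

# Wireless policy keyed on the source network, accepted on either bridge
# member, so a bridged frame is held to the same policy no matter which
# interface pf reports it as arriving on.
pass in on { $dmz_if, $wifi_if } inet proto tcp \
    from $wireless_network to any port 993 flags S/SA keep state

# DMZ hosts: only packets that really originate from the DMZ subnet are
# accepted on de1. A bare "pass in on de1" would also admit bridged
# wireless packets that pf attributes to de1.
pass in on $dmz_if inet from $dmz_network to any keep state

# Outbound to the Internet, restricted by source network so that the
# wireless range cannot match the DMZ rule (the original $my_network rule
# matched any source the macro covered).
pass out on $ext_if inet proto tcp \
    from $dmz_network to any port 5222 flags S/SA keep state
pass out on $ext_if inet proto tcp \
    from $wireless_network to any port 993 flags S/SA keep state

# Replies and forwarded traffic leaving towards the DMZ/wireless side.
pass out on { $dmz_if, $wifi_if } keep state
```

Load it with pfctl -nf /etc/pf.conf first to syntax-check, then watch pflog with tcpdump -n -e -ttt -i pflog0 while a wireless client retries port 5222; the logged rule number shows which pass or block rule each bridged packet actually hit.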