
Old 02-16-2008, 04:20 AM
erik
 
Default Re: [3.3]Can OBSD Be a Router *AND* MAC Filter ?

The Jetman wrote:

> erik <erik@geenspam.vanwesten.net> wrote in message
> news:<3f077873$0$49106$e4fe514c@news.xs4all.nl>...
>> The Jetman wrote:
>>
>> > I just set up my 1st OBSD system and am making slow and steady
>> > progress getting it together, but I'd like a simple question
>> > answered: can OpenBSD be a NATing router *AND* a MAC filter
>> > simultaneously, based on the baseline distro ?

>>
>> No, unless you adopt static routing.
>>

>
> Maybe, I'm dumb, but I don't see what you're talking about in any
> search I've done on Google or any other search engine. Hell, there's
> damn little on the subject of MAC filtering via BSD, even though
> the various implementations seem to be well-suited to the job.


Set up static routing with arp. man arp. _You_ tell in a static way
which IP belongs to a MAC address. Seems to me like a _very_ strict MAC
filter. ;-)

This is what I did on my wireless gateway:

[blackhole] /etc # cat hostname.wi0
inet 192.168.1.1 255.255.255.0 NONE
!ifconfig wi0 nwid freenet nwkey 0xwouldntyouliketoknow mediaopt hostap
!ifconfig enc0 up
!wicontrol -A 2
!arp -s 192.168.1.9 00:12:34:56:78:90 static

Now I have double 'security' (WEP and MAC). However, the real security
is created by only allowing an IPsec tunnel in. That takes care of
eavesdropping in an effective way. It also clears the final
second thoughts about wireless security. I don't see normal persons
breaking 128-bit AES encryption that fast. <g>

>
> My own experiments reveal MAC filtering is only possible if the
> host is a bridge and NATing is only available on a gateway/router.
> Can you confirm or deny this, based on your own experiences ?


Does the above answer your question?

>
>> > I ask bec I *believe* one needs two machines to achieve the same
>> > result w/ FreeBSD. That is, I can filter MACs if my test machine
>> > is a bridge, but I also need a NATing router, which doesn't seem to
>> > work until I switch to gateway mode.

>>
>> No. Why on earth do you want such a useless, needlessly complex setup?
>>

>
> Again, I don't grok what you're referring to at all. I'm on a team
> doing a wireless ISP install for a Fortune 500 corp's sites, so I
> understand a bit about the subject.


That is _not_ a qualifier. I've worked for a Fortune 500 company as
well, and I cannot say that the networking department in general was
_that_ competent. They were good at providing network access. Not at
securing it...

> My corp client is using RADIUS authentication via
> a local, Linux based AP, to give its wireless clients Internet access.
> However, once the system is fully operational, my corp client will
> have an external authentication service provider gate public Internet
> access to its clients.


So, if it is public, why the worry?

>
> I normally work in a store, where MAC filtering *could* do the trick
> (here wireless clients are fewer and far between.)


Again: _which_ trick?

> I can get my FBSD box to do MAC filtering (to limit LAN access), but I
> *apparently* need an entirely different host, NATing wireless clients
> to the public Internet, via a single public IP. This is essentially
> the same as my corporate client, except I'd like to use manual
> authentication via MAC addresses and they've opted for an automatic
> authentication server.
>


I still fail to see why you need MAC authentication. If you really need
it, stay with Linux. That is for sure capable of taking care of it.
(Have a look at shorewall, www.shorewall.net, where filtering is taken
to a higher abstraction layer than plain iptables).

> Consequently, I don't grok your comment: 'Why on earth do you want such
> a useless, needlessly complex setup?'


As mentioned above, I fail to see your need for MAC authentication.

Try to explain _why_ you would need MAC filtering. OTOH always remember
that sniffing shows MAC addresses. And guess what? I can program _that_
MAC address in _my_ computer. It _does_ _not_ _help_ _to_ _protect_
you. Properly configured VPNs do.

HTH,

EJ
--
Remove the obvious part (including the dot) for my email address

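As an added example (not erik's code and not part of the original thread), here is a small Python model of what the `arp -s ... static` line in the hostname.wi0 above actually buys you, and why "I can program _that_ MAC address in _my_ computer" defeats it. A permanent ARP entry only pins the MAC the gateway will address 192.168.1.9's traffic to; it does not inspect the source MAC of frames it receives. The model builds and parses Ethernet/IPv4 frames (with a real header checksum), answers them the way such a gateway would, and runs four constructed cases: the listed station, an eavesdropper reading the MAC out of the unencrypted header, an attacker spoofing only the IP, and an attacker who has cloned the sniffed MAC. Assumptions: the gateway MAC, the attacker MAC, the sample frames and the "drop unlisted source IPs" rule are all invented for the example; Ethernet framing stands in for 802.11, whose MAC header is likewise sent in the clear even with WEP enabled.

```python
"""Model of the static-ARP 'MAC filter' from the post above (added example,
not the poster's code). Builds/parses Ethernet+IPv4 frames, answers them as a
gateway with a permanent `arp -s` entry does, and shows a cloned MAC passing."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
# Pinned entry taken from the post's hostname.wi0 line:
#   !arp -s 192.168.1.9 00:12:34:56:78:90 static
STATIC_ARP = {"192.168.1.9": "00:12:34:56:78:90"}
GATEWAY_IP = "192.168.1.1"          # from the post's hostname.wi0
GATEWAY_MAC = "00:02:2d:aa:bb:cc"   # assumed; the post does not give it

def mac_to_bytes(mac): return bytes(int(o, 16) for o in mac.split(":"))
def bytes_to_mac(b): return ":".join(f"{o:02x}" for o in b)
def ip_to_bytes(ip): return bytes(int(o) for o in ip.split("."))
def bytes_to_ip(b): return ".".join(str(o) for o in b)

def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over a 20-byte IPv4 header;
    verifying a header that already carries its checksum yields 0."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str
    payload: bytes

def build_frame(f: Frame) -> bytes:
    """Ethernet II header + minimal IPv4 header (TTL 64, proto 17) + payload."""
    eth = struct.pack("!6s6sH", mac_to_bytes(f.dst_mac), mac_to_bytes(f.src_mac), ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(f.payload), 0, 0, 64, 17, 0,
                     ip_to_bytes(f.src_ip), ip_to_bytes(f.dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill checksum field
    return eth + ip + f.payload

def parse_frame(raw: bytes) -> Frame:
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    if etype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    hdr = raw[14:34]
    ver_ihl, _, total_len, _, _, _, _, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", hdr)
    if ver_ihl != 0x45 or ip_checksum(hdr) != 0:
        raise ValueError("bad IPv4 header")
    return Frame(bytes_to_mac(dst), bytes_to_mac(src), bytes_to_ip(sip), bytes_to_ip(dip),
                 raw[34:14 + total_len])

def gateway_reply(raw_request: bytes, static_arp=STATIC_ARP) -> Optional[bytes]:
    """Nothing in the post's config rejects a frame by its source MAC; the permanent
    ARP entry only fixes the MAC that replies for 192.168.1.9 are sent to. Source IPs
    without a pinned entry are dropped here: an assumption standing in for a forwarding
    rule limited to the listed hosts (a bare gateway would ARP for them dynamically)."""
    req = parse_frame(raw_request)
    pinned = static_arp.get(req.src_ip)
    if pinned is None:
        return None
    return build_frame(Frame(pinned, GATEWAY_MAC, req.dst_ip, req.src_ip, b"reply"))

def station_receives(raw_reply: Optional[bytes], my_mac: str) -> bool:
    """A station in normal (non-monitor) mode only hands up frames sent to its MAC."""
    return raw_reply is not None and parse_frame(raw_reply).dst_mac == my_mac

def run_scenarios() -> dict:
    legit_mac, legit_ip = "00:12:34:56:78:90", "192.168.1.9"
    attacker_mac = "00:0c:29:de:ad:01"                   # constructed
    ciphertext = bytes.fromhex("9f3ac41e77d0b2a6")       # constructed stand-in for the encrypted payload
    r = {}
    legit = build_frame(Frame(GATEWAY_MAC, legit_mac, legit_ip, GATEWAY_IP, ciphertext))
    r["legit_station"] = station_receives(gateway_reply(legit), legit_mac)

    # Eavesdropper: the payload is opaque, but both addresses sit in the clear header.
    seen = parse_frame(legit)
    r["sniffed_mac"] = seen.src_mac

    # Attacker borrows only the IP: the gateway still processes the frame, but the
    # reply goes to the pinned MAC, so the attacker's own NIC never receives it.
    ip_only = build_frame(Frame(GATEWAY_MAC, attacker_mac, legit_ip, GATEWAY_IP, b"x"))
    r["gateway_answered_ip_only"] = gateway_reply(ip_only) is not None
    r["attacker_ip_only"] = station_receives(gateway_reply(ip_only), attacker_mac)

    # Attacker programs the sniffed MAC into their NIC as well: now indistinguishable.
    cloned = build_frame(Frame(GATEWAY_MAC, seen.src_mac, legit_ip, GATEWAY_IP, b"x"))
    r["attacker_cloned_mac"] = station_receives(gateway_reply(cloned), seen.src_mac)

    unlisted = build_frame(Frame(GATEWAY_MAC, attacker_mac, "192.168.1.50", GATEWAY_IP, b"x"))
    r["unlisted_ip_dropped"] = gateway_reply(unlisted) is None
    return r
```

Calling `run_scenarios()` gives the cloned-MAC case the same `True` as the legitimate station, which is the point of the post's closing paragraph: the pinned entry keeps replies off a NIC that merely borrowed the IP, but the MAC it pins is exactly the value an eavesdropper reads from every frame, and once cloned the gateway cannot tell the two stations apart. Note also that the IP-only spoof is still processed by the gateway (one-way traffic out through the NAT is not prevented), so the real protection is the IPsec-only policy erik describes, not the ARP table.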