OpenBSD introduced HostAP-mode functionality in Version 3.1. As with FreeBSD, the support comes native in the core operating system and not through a piece of third-party software. The FreeBSD and OpenBSD projects share a great deal of wireless code, and the HostAP functionality is no exception. Generally, the same capabilities that exist in FreeBSD exist in OpenBSD as well.
When setting up an OpenBSD access point, you should start out with a stripped-down and secured kernel. For a discussion on compiling a locked-down OpenBSD kernel, see Section 6.2. There should be little difference between a client kernel and an access-point kernel. Both devices are in vulnerable locations on the network and should be treated the same.
At this time, HostAP mode is only available on Prism-based cards. Be sure you are using a Prism card and that you have the Prism driver (wi) compiled into your kernel. This section describes how to make a bridging access point, which allows devices on the wired and wireless sides of the access point to be in the same broadcast domain. Most firmware-based access points work this way, and it provides flexibility in your network configuration. You must compile bridging support into your kernel by adding the following line to your global configuration file:

pseudo-device bridge 2 #network bridging support
The number following the bridge device indicates the number of possible bridges the host will be able to configure. For a standard configuration, two bridge devices should be fine. For larger or more complex installations, you may require more.
Once your kernel is configured properly, there are several different ways you can configure HostAP mode. The wicontrol utility provides a robust and complete interface to the configuration of the access point. The ifconfig utility, while slightly less functional, provides unified control of both layer 2 and layer 3 configuration parameters.
The wicontrol utility takes the following parameters for HostAP mode:

interface
This specifies the interface wicontrol is to act on. If no interface is specified, wicontrol will configure the wi0 interface.

-p port type
This parameter specifies the mode of network to join or create. To activate HostAP mode on your card, use port type 6. The word hostap can be used interchangeably with 6 to make the command more readable.

-n network name
This is the SSID your access point will be configured with; it is the SSID string stations must use to connect to your access point.

-k key [-v 1|2|3|4]
This parameter controls the WEP keys used by stations to authenticate and encrypt traffic to your access point. key can be entered either as decimal (e.g., secrt) or as hexadecimal (e.g., 0x0123456789). The number following -v indicates which key index the specified key should be placed in. The WEP specification allows for four different keys to be stored for use in various key rotation strategies. If the -v flag is not specified, the first index is assumed.

-e 0|1
Your access point can force stations to use WEP for authentication and data integrity by setting the -e flag to 1. If this parameter is set to 0, WEP is not required.
This is not a complete list of all of the commands wicontrol understands in HostAP mode. For a complete description, see the wicontrol manual page.
If you prefer the unified interface of ifconfig, the following parameters are relevant to HostAP mode:

interface
This is the interface ifconfig will operate on. The first Prism-based interface in the machine is known as wi0.

nwid ssid
This is the name of the service set to create. The value specified here is the SSID stations will use to connect to your access point.

nwkey key
This is the WEP key the access point will use to encrypt traffic to associated stations. key can be entered either as decimal (e.g., secrt) or as hexadecimal (e.g., 0x0123456789). If this value is not specified, the access point will not allow WEP connections.

mediaopt hostap
This parameter causes the card to enter access-point mode.

As of OpenBSD 3.1, ifconfig has limited wireless functionality. In order to make use of more advanced features such as WEP key rotation, power savings, and channel allocation, you must use wicontrol.
Configuring the access point by hand after each boot is unlikely to be your preferred administration mechanism. There are several startup files you can modify to start HostAP mode at boot time and bridge your wired and wireless interfaces together.

OpenBSD makes use of /etc/hostname.<interface> files to configure each interface in the box. These files contain specific information regarding the interface's configuration as well as any arbitrary commands you wish to execute when the interface is brought online. For a complete discussion of the structure of these files, see the hostname.if manual page.
First, bring the wireless interface up in HostAP mode. Do not assign an IP address to the wireless interface. For this example, we are configuring an access point to run on channel 6 with an SSID of Example:

# /etc/hostname.wi0
up nwid Example mediaopt hostap
!wicontrol $if -f 6
Next, bring up the wired interface on sis0. We will assign an IP to this interface and set up a default route. Note that for the IP address we must specify the IP address, the netmask, and the broadcast address:

# /etc/hostname.sis0
inet 192.168.0.2 255.255.255.0 192.168.0.255
!route add default 192.168.0.1
Finally, we must bring up the bridge interface. Like individual interfaces, bridges are controlled through files in /etc. The first bridge group is identified as bridgename.bridge0, the second as bridgename.bridge1, and so on. The hostname.if manual page also contains information on the bridgename files. In order for the bridge to function, we must add both the wired and wireless interfaces and then bring the bridge group up. The following lines are passed to brconfig at boot time:

# /etc/bridgename.bridge0
add wi0
add sis0
up
Reboot your machine, and you should have a bridging access point. If the access point does not work as expected, examine your log files.
Now that you have a functioning access point, you should take steps to secure the access point and the network itself. By using the packet filtering firewall that comes with OpenBSD and MAC address filtering in the bridge interface, you can restrict access to your network and network devices.
A bridge is designed to allow all traffic between the bridged interfaces. The packet filtering firewall can sit in between the interfaces and remove hostile traffic. You may or may not decide to have the access point enforce a network security policy, but at the very least you should configure your firewall to protect the IP address of the access point itself. The following configuration file will allow all traffic through the access point but restrict access to the access point itself to SSH connections from a trusted host on the wired network:
# Simple access point pf.conf
# Wireless interface
oif = "wi0"
# Wired interface
eif = "sis0"
enet = "192.168.0.0"
emask = "255.255.255.0"
eip = "192.168.0.2"

# allow by default because this is a bridge
pass in all
pass out all

# allow localhost traffic
pass in quick on lo0 all
pass out quick on lo0 all

# protect self
block in inet from any to $eip

# pass ssh traffic for management from a trusted host that arrives on the
# wired network
pass in quick on $eif inet proto tcp from 192.168.0.11 to $eip port = 22 flags S/SA keep state
Allowing management of the access point from the wireless network can be very dangerous. If possible, limit the management functions to the wired network.
You can also limit the MAC addresses allowed to communicate on the network. This is useful for attempting to control rogue wireless clients and rogue wired gateways. The brconfig utility provides functionality to control which MAC addresses can communicate across member interfaces in the bridge group. In a standard network, the gateway will be the only MAC address on the wired side, so that should be the only source MAC address in packets received on the wired interface. Ideally, you will also know the MAC addresses of the stations on your wireless network so the bridge can filter on source MAC addresses on the wireless interface.
The following is a bridgename.bridge0 file that filters gateway and station MAC addresses:

# /etc/bridgename.bridge0
# Gateway has MAC address of 1:1:1:1:1:1
# clients have MAC addresses of 2:2:2:2:2:1 and 2:2:2:2:2:2
add sis0
add wi0
up
# allow gateway traffic in on wired network
rule pass in on sis0 src 1:1:1:1:1:1
# allow station traffic in on wireless network
rule pass in on wi0 src 2:2:2:2:2:1
rule pass in on wi0 src 2:2:2:2:2:2
# block everything else
rule block in on sis0
rule block in on wi0
If you prefer not to list all of the MAC filtering rules in the bridgename.bridge0 file, you can create a separate file with the ruleset and use brconfig to process it. The following file enforces the same policy as the previous bridgename.bridge0. The file can be saved to any convenient location:

# Example /etc/bridge.rules
pass in on sis0 src 1:1:1:1:1:1
pass in on wi0 src 2:2:2:2:2:1
pass in on wi0 src 2:2:2:2:2:2
block in on sis0
block in on wi0
Use brconfig to load the ruleset for the bridge0 interface by issuing the following command:

# brconfig bridge0 rulefile testbridge
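To make the ordering of these bridge rules concrete, the following Python snippet is an added example, not from the book or from OpenBSD: it parses rules in both the bridgename.bridge0 form (leading "rule") and the rulefile form, canonicalises MAC addresses so 1:1:1:1:1:1 and 01:01:01:01:01:01 compare equal, and decides a frame's fate the way the ruleset above relies on, first matching rule wins and a frame that matches no rule is forwarded (the bridge default). It handles only the fields this page uses (action, direction, interface, optional src).

```python
import re

RULE_RE = re.compile(r"^(?:rule\s+)?(pass|block)\s+(in|out|in/out)\s+on\s+(\S+)"
                     r"(?:\s+src\s+(\S+))?$")

def norm_mac(mac):
    """Canonicalise so 1:1:1:1:1:1 and 01:01:01:01:01:01 compare equal."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError("bad MAC address: %r" % mac)
    return ":".join("%02x" % int(o, 16) for o in octets)

def parse_rules(text):
    """Parse filter rules from a bridgename.bridge0 file or a brconfig rulefile."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and blanks
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            if line.split()[0] in ("rule", "pass", "block"):
                raise ValueError("malformed rule: %r" % line)
            continue                                 # add/up/... are not filter rules
        action, direction, ifname, src = m.groups()
        rules.append((action, direction, ifname, norm_mac(src) if src else None))
    return rules

def decide(rules, ifname, direction, src):
    """First matching rule wins; a frame that matches no rule is passed."""
    src = norm_mac(src)
    for action, rdir, rif, rsrc in rules:
        if rif != ifname or (rdir != "in/out" and rdir != direction):
            continue
        if rsrc is not None and rsrc != src:
            continue
        return action
    return "pass"                                    # bridge default: forward

# Constructed sample: the MAC filter ruleset from the bridgename.bridge0 above.
SAMPLE_RULES = parse_rules("""
add sis0
up
rule pass in on sis0 src 1:1:1:1:1:1
rule pass in on wi0 src 2:2:2:2:2:1
rule pass in on wi0 src 2:2:2:2:2:2
rule block in on sis0
rule block in on wi0
""")
```

Note that the ruleset only has "in" rules, so frames leaving either interface are still forwarded; a station MAC appearing as a source on the wired side is blocked by the sis0 catch-all.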