Setting Up an OpenBSD Access Point

OpenBSD introduced HostAP-mode functionality in Version 3.1. As with FreeBSD, the support comes native in the core operating system and not through a piece of third-party software. The FreeBSD and OpenBSD projects share a great deal of wireless code, and the HostAP functionality is no exception. Generally, the same capabilities that exist in FreeBSD exist in OpenBSD as well.

When setting up an OpenBSD access point, you should start out with a stripped-down and secured kernel. For a discussion on compiling a locked-down OpenBSD kernel, see Section 6.2. There should be little difference between a client kernel and an access-point kernel. Both devices are in vulnerable locations on the network and should be treated the same.

At this time, HostAP mode is only available on Prism-based cards. Be sure you are using a Prism card and that you have the Prism driver (wi) compiled into your kernel. This section describes how to make a bridging access point. This allows devices on the wired and wireless sides of the access point to share one broadcast domain, which is how most firmware-based access points work and which keeps your network configuration flexible. You must compile bridging support into your kernel by adding the following line to your kernel configuration file:

pseudo-device    bridge    2     #network bridging support

The number following the bridge device indicates the number of possible bridges the host will be able to configure. For a standard configuration, two bridge devices should be fine. For larger or more complex installations, you may require more.

Once your kernel is configured properly, there are several different ways you can configure HostAP mode. The wicontrol utility provides a robust and complete interface to the configuration of the access point. The ifconfig utility, while slightly less functional, provides unified control of both layer 2 and layer 3 configuration parameters.

The wicontrol utility takes the following parameters for HostAP mode:

interface

This specifies the interface wicontrol is to act on. If no interface is specified, wicontrol will configure the wi0 interface.

-p port type

This parameter specifies the mode of network to join or create. To activate HostAP mode on your card, use port type 6. The word hostap can be used interchangeably with 6 to make the command more readable.

-n network name

This is the SSID your access point will be configured with. This is the SSID string stations must use to connect to your access point.

-k key [-v 1|2|3|4]

This parameter sets the WEP keys stations use to authenticate to and encrypt traffic with your access point. key can be entered either as an ASCII string (e.g., secrt) or as hexadecimal (e.g., 0x0123456789); five bytes give a 40-bit key and thirteen bytes a 104-bit key. The value following -v selects the key index the specified key is stored in. The WEP specification allows four keys to be stored for use in various key rotation strategies. If the -v flag is not specified, the first index is assumed.

-e 0|1

Setting -e to 1 forces stations to use WEP to associate with and send traffic to your access point; setting it to 0 means WEP is not required. Keep in mind that WEP is cryptographically broken and its keys can be recovered passively from captured traffic, so these options describe what the card supports rather than a defense against a capable attacker.

This is not a complete list of all of the commands wicontrol understands in HostAP mode. For a complete description, see the wicontrol manual page.

If you prefer the unified interface of ifconfig, the following parameters are relevant to HostAP mode:

interface

This is the interface ifconfig will operate on. The first Prism-based interface in the machine is known as wi0.

nwid ssid

This is the name of the service set to create. The value specified here is the SSID stations will use to connect to your access point.

nwkey key

This is the WEP key the access point will use to encrypt traffic to associated stations. key can be entered either as an ASCII string (e.g., secrt) or as hexadecimal (e.g., 0x0123456789). If this value is not specified, the access point will not allow WEP connections.

mediaopt hostap

This parameter causes the card to enter access-point mode.

As of OpenBSD 3.1, ifconfig has limited wireless functionality. In order to make use of more advanced features such as WEP key rotation, power savings, and channel allocation, you must use wicontrol.

OpenBSD Startup Files

Configuring the access point by hand after each boot is unlikely to be your preferred administration mechanism. There are several startup files you can modify to start HostAP mode at boot time and bridge your wired and wireless interfaces together.

OpenBSD makes use of /etc/hostname.<interface> files to configure each interface in the box. These files contain specific information regarding the interface’s configuration as well as any arbitrary commands you wish to execute when the interface is brought online. For a complete discussion of the structure of these files, see the hostname.if manual page.

First, bring the wireless interface up in HostAP mode. Do not assign an IP address to the wireless interface. For this example, we are configuring an access point to run on channel 6 with an SSID of Example:

# /etc/hostname.wi0
up nwid Example mediaopt hostap
!wicontrol $if -f 6

Next, bring up the wired interface on sis0. We will assign an IP to this interface and set up a default route. Note that we must specify the IP address, the netmask, and the broadcast address. (The conventional place for the default gateway on OpenBSD is /etc/mygate; the route command below is shown to keep the example self-contained, and the two should not both be used.)

# /etc/hostname.sis0
inet 192.168.0.2 255.255.255.0 192.168.0.255
!route add default 192.168.0.1

Finally, we must bring up the bridge interface. Like individual interfaces, bridges are controlled through files in /etc. The first bridge group is identified as bridgename.bridge0, the second is bridgename.bridge1, etc. The hostname.if manual page also contains information on the bridgename files. In order for the bridge to function, we must add both the wired and wireless interfaces and then bring the bridge group up. The following lines are passed to brconfig at boot time:

# /etc/bridgename.bridge0
add wi0
add sis0
up

Reboot your machine, and you should have a bridging access point. If the access point does not work as expected, check the dmesg output and /var/log/messages, confirm with brconfig bridge0 that both members are present and the bridge is up, and confirm with wicontrol wi0 that the card is in hostap mode on the intended channel.
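The three startup files above have to agree with each other before the reboot: the wireless member must be in hostap mode and carry no IP address, and the bridge must add both members and bring itself up. The following POSIX shell script is an added example, not part of the book, that checks those invariants against a directory of hostname.if and bridgename.if files. It assumes the interface names wi0, sis0 and bridge0 from the text; the function names check_ap_config and write_sample_config are its own, and the files write_sample_config creates are constructed to mirror the listings above.

```shell
#!/bin/sh
# Added example (not from the book): lint the startup files of a bridging
# OpenBSD access point before rebooting into them.
# Assumptions: wireless member wi0, wired member sis0, bridge0 (as in the
# text); files live in the directory given as $1 (defaults to /etc).

# check_ap_config DIR [WIRELESS] [WIRED] [BRIDGE]
# Prints one FAIL line per problem and returns 1 if any was found.
check_ap_config() {
    dir=${1:-/etc}; wl=${2:-wi0}; wd=${3:-sis0}; br=${4:-bridge0}
    rc=0
    wlf="$dir/hostname.$wl"
    brf="$dir/bridgename.$br"

    # 1. The wireless interface must be in hostap mode and must not carry
    #    an address: a bridge member with an IP is reachable from the air.
    if ! grep -q 'mediaopt hostap' "$wlf" 2>/dev/null; then
        echo "FAIL: $wlf does not enable hostap mode"; rc=1
    fi
    if grep -Eq '^[[:space:]]*(inet|inet6)[[:space:]]' "$wlf" 2>/dev/null; then
        echo "FAIL: $wlf assigns an address to the wireless interface"; rc=1
    fi

    # 2. The bridge must add both members and bring itself up.
    for m in "$wl" "$wd"; do
        if ! grep -Eq "^[[:space:]]*add[[:space:]]+$m([[:space:]]|\$)" "$brf" 2>/dev/null; then
            echo "FAIL: $brf does not add $m"; rc=1
        fi
    done
    if ! grep -Eq '^[[:space:]]*up([[:space:]]|$)' "$brf" 2>/dev/null; then
        echo "FAIL: $brf never brings the bridge up"; rc=1
    fi
    return $rc
}

# write_sample_config DIR good|bad
# Constructed sample files mirroring the book's listings (not copied from
# a live system). The "bad" variant puts an address on wi0 and forgets to
# add sis0 to the bridge, two common mistakes.
write_sample_config() {
    d=$1
    if [ "$2" = good ]; then
        printf 'up nwid Example mediaopt hostap\n!wicontrol $if -f 6\n' > "$d/hostname.wi0"
        printf 'add wi0\nadd sis0\nup\n' > "$d/bridgename.bridge0"
    else
        printf 'inet 192.168.0.3 255.255.255.0 192.168.0.255 mediaopt hostap\n' > "$d/hostname.wi0"
        printf 'add wi0\nup\n' > "$d/bridgename.bridge0"
    fi
    printf 'inet 192.168.0.2 255.255.255.0 192.168.0.255\n!route add default 192.168.0.1\n' > "$d/hostname.sis0"
}

# Demonstration on two constructed configurations in a scratch directory.
tmp=$(mktemp -d)
mkdir "$tmp/good" "$tmp/bad"
write_sample_config "$tmp/good" good
write_sample_config "$tmp/bad" bad
check_ap_config "$tmp/good" && echo "good config: OK"
check_ap_config "$tmp/bad" || echo "bad config: rejected"
```

Run it against the live /etc with `check_ap_config /etc` before rebooting; the checks are deliberately plain grep so they work on a minimal install with no extra tools.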

Securing an OpenBSD Access Point

Now that you have a functioning access point, you should take steps to secure the access point and the network itself. By using the packet filtering firewall that comes with OpenBSD and MAC address filtering in the bridge interface, you can restrict access to your network and network devices.

A bridge is designed to pass all traffic between its member interfaces. The packet filter sits in that forwarding path and can drop hostile traffic as it crosses the member interfaces. Whether or not you decide to have the access point enforce a network-wide security policy, at the very least configure the firewall to protect the IP address of the access point itself. Two details matter when reading the ruleset: pf must be enabled (pf=YES in /etc/rc.conf), and the last matching rule wins unless a rule carries quick, which is why the catch-all pass rules come first and the more specific rules follow them. The following configuration file allows all traffic through the access point but restricts access to the access point itself to SSH connections from a trusted host on the wired network:

# Simple access point pf.conf
# Wireless interface
oif = "wi0"
# Wired interface
eif = "sis0"
enet = "192.168.0.0"
emask = "255.255.255.0"
eip = "192.168.0.2"
# allow by default because this is a bridge
pass in all
pass out all
# allow localhost traffic
pass in quick on lo0 all
pass out quick on lo0 all
# protect self: without quick, this later rule overrides the pass-all above
block in inet from any to $eip
# pass ssh traffic for management from a trusted host that arrives on the
# wired network
pass in quick on $eif inet proto tcp from 192.168.0.11 to $eip port = 22 flags S/SA keep state

Warning

Allowing management of the access point from the wireless network can be very dangerous. If possible, limit the management functions to the wired network.

You can also limit the MAC addresses allowed to communicate across the bridge. This is useful for containing rogue wireless clients and rogue wired gateways. The brconfig utility can control which source MAC addresses may enter the bridge on each member interface. If the wired side of the access point holds only the gateway, the gateway's MAC address should be the only source address seen in frames received on the wired interface. Ideally, you will also know the MAC addresses of the stations on your wireless network, so the bridge can filter on source MAC addresses on the wireless interface as well. Bear in mind that a MAC address is trivially forged: this filter raises the bar against accidental or careless connections, but an attacker who can sniff the network can clone an allowed address, so it is hygiene rather than authentication.

The following is a bridgename.bridge0 file that filters gateway and station MAC addresses:

# /etc/bridgename.bridge0
# Gateway has MAC address of 1:1:1:1:1:1
# clients have MAC addresses of 2:2:2:2:2:1 and 2:2:2:2:2:2
add sis0
add wi0
up
# allow gateway traffic in on wired network
rule pass in on sis0 src 1:1:1:1:1:1
# allow station traffic in on wireless network
rule pass in on wi0 src 2:2:2:2:2:1
rule pass in on wi0 src 2:2:2:2:2:2
# block everything else
rule block in on sis0
rule block in on wi0

If you prefer not to list all of the MAC filtering rules in the bridgename.bridge0 file, you can create a separate file with the ruleset and use brconfig to process it. The following file will enforce the same policy as listed in the previous bridgename.bridge0. The file can be saved to any convenient location:

# Example /etc/bridge.rules
pass in on sis0 src 1:1:1:1:1:1
pass in on wi0 src 2:2:2:2:2:1
pass in on wi0 src 2:2:2:2:2:2
block in on sis0
block in on wi0
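Maintaining the rulefile by hand becomes error-prone once the station list grows, and a single malformed address or a pass rule that ends up after the block rules silently changes the policy. The following POSIX shell script is an added example, not from the book, that generates the rulefile from an allow-list of station MAC addresses, validating and de-duplicating each entry and always emitting the default block rules last. It assumes the interface names sis0 and wi0 from the text; the allow-list format (one "mac comment" per line, # for comments) and the function names gen_bridge_rules and valid_mac are this script's own conventions, not OpenBSD file formats.

```shell
#!/bin/sh
# Added example (not from the book): build a brconfig rulefile from an
# allow-list of station MAC addresses.
# Assumptions: wired member sis0, wireless member wi0 (as in the text);
# the allow-list format is this script's own, not an OpenBSD format.

# valid_mac MAC: return 0 if MAC is six ':'-separated hex octets.
# brconfig accepts unpadded octets such as 1:1:1:1:1:1, so one or two
# hex digits per octet are allowed here.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{1,2}:){5}[0-9a-f]{1,2}$'
}

# gen_bridge_rules GATEWAY_MAC ALLOWLIST_FILE
# Prints a complete rulefile on stdout: a pass rule for the gateway on the
# wired side, one pass rule per station on the wireless side, then the
# default block rules. Malformed or duplicate entries are reported on
# stderr and skipped, and the function returns 1 so a wrapper can refuse
# to install a file built from a dirty list.
gen_bridge_rules() {
    gw=$1; list=$2; rc=0
    if ! valid_mac "$gw"; then
        echo "bad gateway MAC: $gw" >&2
        return 1
    fi
    echo "# generated by gen_bridge_rules, do not edit by hand"
    echo "pass in on sis0 src $gw"
    seen=" "
    while read -r mac comment; do
        case "$mac" in ''|\#*) continue ;; esac      # blank lines and comments
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')  # normalize for duplicate check
        if ! valid_mac "$mac"; then
            echo "skipping malformed MAC: $mac" >&2; rc=1; continue
        fi
        case "$seen" in
            *" $mac "*) echo "duplicate MAC: $mac" >&2; rc=1; continue ;;
        esac
        seen="$seen$mac "
        if [ -n "$comment" ]; then echo "# $comment"; fi
        echo "pass in on wi0 src $mac"
    done < "$list"
    # Rules are matched in order, so the default deny must come last.
    echo "block in on sis0"
    echo "block in on wi0"
    return $rc
}

# Demonstration with a constructed allow-list matching the book's example
# addresses (not a real network).
demo_list=$(mktemp)
cat > "$demo_list" <<'EOF'
# constructed sample allow-list
2:2:2:2:2:1 laptop-one
2:2:2:2:2:2 laptop-two
EOF
gen_bridge_rules 1:1:1:1:1:1 "$demo_list"
rm -f "$demo_list"
```

A practical wrapper redirects the output to a temporary file, installs it as /etc/bridge.rules only when gen_bridge_rules returned 0, and then reloads it with `brconfig bridge0 rulefile /etc/bridge.rules`.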

Use brconfig to load the ruleset into the bridge0 interface, giving the path of the file you saved (here /etc/bridge.rules):

# brconfig bridge0 rulefile /etc/bridge.rules

Because the lines in /etc/bridgename.bridge0 are passed to brconfig at boot, the same rulefile line can be placed there to make the policy persistent across reboots.