OS Protection

A secure kernel and properly configured network interfaces are only part of configuring a secure station. There are various parts of the operating system that you must secure to protect yourself from attackers. This includes configuring a host-based firewall, removing unneeded services being started at boot time, and setting static ARP entries to avoid ARP spoofing attacks.

Firewall Configuration

A firewall configuration on a wireless client is generally straightforward. Almost all connections will be outbound from the host. Unless you are running externally accessible services such as a web or ssh server, there should never be a connection attempt from outside hosts.

The firewall configuration is stored in /etc/pf.conf. The file contains directives that will be passed to the packet filter at boot time.

Here is a simple pf.conf that should work on most client installations. If you require a more advanced firewall setup or would like a more complete discussion of pf, see Section 13.2 in Chapter 13 or read the pf.conf manual page.

# Simple client pf.conf
oif = "wi0"
onet = "192.168.0.0"
omask = "255.255.255.0"
oip = "192.168.0.248"
# block by default
block in log all
# Let loopback traffic through
pass out quick on lo0 all
pass in quick on lo0 all
# keep windows hosts from filling your logs
block in quick on $oif proto tcp from any to any port 136 >< 140
# keep broadcasts from filling your logs
block in quick on $oif inet from any to { 255.255.255.255, 192.168.0.255 }
# allow everything outbound
pass out quick on $oif all keep state

Make sure you have pf support compiled into your kernel and set pf=YES in /etc/rc.conf to cause the firewall to be enabled at boot time. This is a very simple firewall configuration. However, in a hostile wireless environment, keeping things simple may make the difference between keeping attackers off your machine and being the weakest link in the network.

Disable Unneeded Services

Unneeded services running on a machine are a liability. An unneeded service becomes a forgotten service. And a vulnerability discovered in a forgotten service can quickly lead to a compromise. By removing unneeded services from your machine, you make administration easier and increase the security of the host.

In a default OpenBSD install, there are two major places where services are launched. The standard inetd facility controls services such as telnet, ftp, chargen, etc. These services are configured in /etc/inetd.conf. Edit this file and comment out any services you do not require. In general, ssh will provide all required remote services so you should be able to comment out everything in inetd.conf.

The other source of many services is /etc/rc.conf. Again, edit this file and examine it for any services you do not need. Turn services off by setting the option to NO. For example, disable portmapper by changing:

portmap=YES             # almost always needed

to this:

portmap=NO             # almost always needed

Restart your machine for these changes to take effect. Verify the machine acts as you anticipate and you have not disabled services in error.
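Before rebooting, it helps to see exactly what the two files would still start. The following audit helper is an added example, not part of the book or of OpenBSD; it lists every rc.conf variable whose value is not NO (flag variables such as sshd_flags="" count as enabled, which matches how rc treats them) and every uncommented inetd.conf line. The rc.conf and inetd.conf excerpts it writes are constructed samples, so it runs without touching the real /etc.

```shell
#!/bin/sh
# Added audit helper (not from the book): show what rc.conf and inetd.conf
# would launch at boot, so unneeded services are easy to spot.
# POSIX sh; the sample files below are constructed, not real system files.

# Print rc.conf-style variables whose value is not NO.
# Trailing "# comment" text is stripped first; quotes and blanks are removed
# from the value, so  sshd_flags=""  and  pf=YES  both report as enabled.
enabled_rc_services() {
    sed -e 's/#.*//' "$1" | awk -F= '
        /^[A-Za-z_][A-Za-z0-9_]*=/ {
            name = $1; val = $2
            gsub(/[ \t"]/, "", val)      # drop whitespace and quotes
            if (val != "NO") print name
        }'
}

# Print the service name (first field) of every active inetd.conf line,
# skipping comments and blank lines.
active_inetd_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# Write constructed rc.conf and inetd.conf excerpts to a temp dir and
# print the directory name. Hypothetical content for demonstration only.
make_samples() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/rc.conf" <<'EOF'
# constructed rc.conf excerpt
sshd_flags=""          # for normal use: ""
pf=YES                 # Packet filter / NAT
portmap=YES            # almost always needed
ntpd_flags=NO          # for normal use: ""
sendmail_flags="-L sm-mta -C/etc/mail/localhost.cf -bd -q30m"
EOF
    cat > "$dir/inetd.conf" <<'EOF'
# constructed inetd.conf excerpt
ident   stream  tcp     nowait  _identd /usr/libexec/identd  identd -el
#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd    ftpd -US
daytime stream  tcp     nowait  root    internal
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd telnetd
EOF
    echo "$dir"
}

# Stand-alone use: audit the constructed samples, or pass real paths.
# e.g.  sh audit_services.sh /etc/rc.conf /etc/inetd.conf
if [ $# -eq 2 ]; then
    echo "enabled in $1:";  enabled_rc_services "$1"
    echo "active in $2:";   active_inetd_services "$2"
elif [ $# -eq 0 ] && [ -z "$AUDIT_NO_DEMO" ]; then
    d=$(make_samples) || exit 1
    echo "enabled in sample rc.conf:";    enabled_rc_services "$d/rc.conf"
    echo "active in sample inetd.conf:";  active_inetd_services "$d/inetd.conf"
    rm -rf "$d"
fi
```

Run it against the real files with `sh audit_services.sh /etc/rc.conf /etc/inetd.conf` and work down the list; anything you cannot name a reason for is a candidate for NO or a leading `#`. The rc.conf parser is deliberately simple (it splits on the first `=` and treats a trailing `#` as a comment), which is enough for the stock file.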

Static ARP Entries

As documented in ARP Poisoning, there is a real threat from man-in-the-middle attacks due to ARP poisoning. A malicious user may be able to convince your workstation that her host is the gateway by forging spoofed packets. By putting a static ARP entry on your host, the effectiveness of this attack is minimized.

Tip

Through the ancontrol utility, Cisco cards can be configured to only associate with authorized MAC addresses. Whenever possible, this filtering should be configured. Authorized access point MAC address filtering in combination with static ARP entries for your layer 3 gateway will prevent many of the attacks that can be launched at layer 2.

Static ARP entries override any dynamic information received over the network. If you are always using the same gateway (i.e., you are not roaming around to different layer 3 wireless networks) you can put a script in /etc called staticarp.sh to hard code the ARP entry:

#!/bin/sh
# staticarp.sh
# This script will set static arp entries for OpenBSD
# Add the ARP entry for the gateway

echo -n ' adding gateway arp'
/usr/sbin/arp -d <gatewayIP>
/usr/sbin/arp -s <gatewayIP> <gatewayMAC> permanent

Make sure you make this shell script executable. In order to run this file at boot time, add the following lines to /etc/rc.local:

# Set static ARP entries for gateway
if [ -f /etc/staticarp.sh ]; then
       . /etc/staticarp.sh
fi

After your next reboot, verify the script has executed correctly by using the arp command:

bash-2.05a# arp -an
? (192.168.0.1) at 00:02:2d:08:5b:30 permanent static
? (192.168.0.2) at 00:10:5a:a7:09:2a

The word permanent indicates that no network traffic, including malicious ARPs from other hosts, will override this static entry.
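Eyeballing `arp -an` once after reboot is easy to forget on later boots, and a static entry can silently go missing if the script is edited or the interface is re-plumbed. The check below is an added example, not part of the book: it reads `arp -an` output in the format shown above (the older OpenBSD layout, `? (ip) at MAC [flags]`; newer releases print extra columns, so adjust the field numbers if yours differ) and confirms that the gateway's entry exists, carries the expected MAC, and is flagged permanent. The sample outputs are constructed, not captures from a real host.

```shell
#!/bin/sh
# Added check (not from the book): verify the gateway's ARP entry is present,
# has the expected MAC, and is marked permanent. Exit codes:
#   0 OK   1 no entry   2 unexpected MAC   3 entry exists but is not permanent
# Reads "arp -an" style output on stdin so it can be run on constructed samples.

# Usage: check_gateway_arp <gatewayIP> <gatewayMAC> < arp_output
check_gateway_arp() {
    awk -v ip="($1)" -v mac="$2" '
        $2 == ip {
            found = 1
            # field 4 is the MAC (or "(incomplete)" for an unresolved entry)
            if (tolower($4) != tolower(mac)) { rc = 2; exit }
            rc = 3
            for (i = 5; i <= NF; i++) if ($i == "permanent") rc = 0
            exit
        }
        END { if (!found) rc = 1; exit rc }'
}

# Constructed arp -an outputs in the format shown in the text (not real captures).
SAMPLE_OK='? (192.168.0.1) at 00:02:2d:08:5b:30 permanent static
? (192.168.0.2) at 00:10:5a:a7:09:2a'
SAMPLE_DYNAMIC='? (192.168.0.1) at 00:02:2d:08:5b:30
? (192.168.0.2) at 00:10:5a:a7:09:2a'
SAMPLE_WRONG_MAC='? (192.168.0.1) at 00:10:5a:a7:09:2a permanent static'
SAMPLE_MISSING='? (192.168.0.2) at 00:10:5a:a7:09:2a'

# Run the check on one sample string and print its exit code.
check_sample() {
    printf '%s\n' "$1" | check_gateway_arp 192.168.0.1 00:02:2d:08:5b:30
    echo $?
}

# Stand-alone use on a live host:  sh staticarp_check.sh <gatewayIP> <gatewayMAC>
if [ $# -eq 2 ]; then
    arp -an | check_gateway_arp "$1" "$2"
    rc=$?
    case $rc in
        0) echo "gateway ARP entry OK" ;;
        1) echo "no ARP entry for $1" ;;
        2) echo "ARP entry for $1 has an unexpected MAC" ;;
        3) echo "ARP entry for $1 is not permanent" ;;
    esac
    exit $rc
fi
```

Dropped into /etc/rc.local after the staticarp.sh block, or run from cron, a non-zero exit is the signal that the entry no longer matches what you configured; a code of 2 in particular means the gateway address now resolves to a MAC you did not expect and is worth investigating before trusting the link.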
