OS Protection
A secure kernel and properly configured network interfaces are only part of configuring a secure station. There are various parts of the operating system that you must secure to protect yourself from attackers. This includes configuring a host-based firewall, removing unneeded services that start at boot time, and setting static ARP entries to avoid ARP spoofing attacks.
Firewall Configuration
A firewall configuration on a wireless client is generally straightforward. Almost all connections will be outbound from the host. Unless you are running externally accessible services such as a web or ssh server, there should never be a connection attempt from outside hosts.
The firewall configuration is stored in /etc/pf.conf. The file contains directives that will be passed to the packet filter at boot time.
Here is a simple pf.conf that should work on most client installations. If you require a more advanced firewall setup or would like a more complete discussion of pf, see Section 13.2 in Chapter 13 or read the pf.conf manual page.
    # Simple client pf.conf
    oif = "wi0"
    onet = "192.168.0.0"
    omask = "255.255.255.0"
    oip = "192.168.0.248"

    # block by default
    block in log all

    # Let loopback traffic through
    pass out quick on lo0 all
    pass in quick on lo0 all

    # keep windows hosts from filling your logs
    block in quick on $oif proto tcp from any to any port 136 >< 140

    # keep broadcasts from filling your logs
    block in quick on $oif inet from any to { 255.255.255.255, 192.168.0.255 }
    ...
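The client policy described above (block inbound by default, no inbound connections unless you run a service) can be checked mechanically. The following Python script is an added example, not code from the book: it reports whether a pf.conf has a default `block in ... all` rule and lists every `pass in` rule on a non-loopback interface. The sample ruleset and the `audit` function are constructed for illustration, and the parser assumes one rule per line with quoted macros.

```python
import re

# Constructed sample ruleset (not from the book): the page's default block and
# loopback rules, plus a hypothetical inbound ssh rule a pure client would not need.
SAMPLE = '''\
oif = "wi0"
block in log all
pass out quick on lo0 all
pass in quick on lo0 all
pass in on $oif proto tcp from any to any port 22 keep state
pass out on $oif proto tcp from any to any keep state
'''

MACRO = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')

def audit(text, loopback="lo0"):
    """Return (has_default_block, inbound_pass_rules) for a client pf.conf."""
    macros, default_block, inbound = {}, False, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = MACRO.match(line)
        if m:                                 # macro definition: name = "value"
            macros[m.group(1)] = m.group(2)
            continue
        # Expand $name references using macros defined earlier in the file.
        rule = re.sub(r"\$(\w+)", lambda r: macros.get(r.group(1), r.group(0)), line)
        words = rule.split()
        # A default-deny rule blocks inbound traffic on every interface.
        if words[:2] == ["block", "in"] and words[-1] == "all" and "on" not in words:
            default_block = True
        # Any inbound pass rule off the loopback is an exposed service to review.
        if words[:2] == ["pass", "in"]:
            iface = words[words.index("on") + 1] if "on" in words else "any"
            if iface != loopback:
                inbound.append((iface, rule))
    return default_block, inbound

if __name__ == "__main__":
    ok, exposed = audit(SAMPLE)
    print("default 'block in' rule present:", ok)
    for iface, rule in exposed:
        print(f"inbound allowed on {iface}: {rule}")
```

On a client that runs no services, the second element of the result should be an empty list.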