
802.11 Security by Bruce Potter, Bob Fleck


Building the Firewall Rules

With the host locked down, the firewall rules must be configured and tested. In our example, there is an external interface, a DMZ interface, and an interface that faces the wireless network. The following firewall rules are very aggressive at limiting communication. The gateway must protect the DMZ from attacks coming from both the Internet and the wireless network. It must also protect the wireless network from attacks originating on the Internet. These requirements lead to a restrictive ruleset that errs on the side of caution.

The firewall rules on an OpenBSD host are normally stored in /etc/pf.conf. We will examine our firewall script in sections to help explain the thought process that led to this ruleset.

These four variables correspond to your outside interface, network, number of bits in the netmask, and IP address, respectively. Change these to the correct values.

# set these to your outside interface, network, netmask, and IP
o_if = "dc0"
o_net = "192.0.2.0"
o_mask = "24"
o_ip = "192.0.2.230"

These variables do the same thing for the wireless network (variables starting with “w”) and for the internal wired network (variables starting with “i”). Change these if you are going to use different IP ranges on these networks.

# set these to your inside interface networks, netmasks, and IPs
w_if = "dc1"
w_net = "192.168.0.0"
w_mask = "24"
w_ip = "192.168.0.1"

i_if = "dc2"
i_net = "192.168.1.0"
i_mask = "24"
i_ip = "192.168.1.1"

The parsing of OpenBSD’s ...
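As an added example (not the book's own ruleset), the fragment below builds a minimal policy on the macros defined above: deny by default, refuse spoofed sources, keep wireless out of the DMZ, keep the Internet out of the wireless network, and expose one DMZ service. It assumes pf syntax of the OpenBSD 3.x era with explicit `keep state`, that the DMZ hosts serve HTTP and that the gateway is administered over SSH from the wired side; NAT for the private ranges is not shown.

```pf
# Added example (not the book's ruleset): a minimal policy built on the
# macros defined above. Assumes OpenBSD 3.x-era pf syntax with explicit
# "keep state"; NAT for the private ranges is not shown.

# Default deny in both directions; log drops so the policy can be
# tuned from pflog instead of guessed at.
block in log all
block out log all

# The host may talk to itself freely.
pass quick on lo0 all

# Anti-spoofing: a packet arriving on an interface must carry a source
# address that belongs on that side of the gateway.
block in quick on $o_if from { $w_net/$w_mask, $i_net/$i_mask } to any
block in quick on $w_if from ! $w_net/$w_mask to any
block in quick on $i_if from ! $i_net/$i_mask to any

# Protect the DMZ from the wireless network: nothing crosses.
block in quick on $w_if from $w_net/$w_mask to $i_net/$i_mask

# Protect the wireless network from the Internet: no inbound sessions.
# Replies to wireless-initiated sessions return via the state table.
block in quick on $o_if from any to $w_net/$w_mask

# Wireless clients may initiate web and DNS sessions only
# (the service list is an assumption; widen it deliberately).
pass in on $w_if inet proto tcp from $w_net/$w_mask to any port { 80, 443 } flags S/SA keep state
pass in on $w_if inet proto udp from $w_net/$w_mask to any port 53 keep state

# Protect the DMZ from the Internet: expose one assumed service (HTTP)
# and nothing else; DMZ hosts never initiate outbound connections.
pass in on $o_if inet proto tcp from any to $i_net/$i_mask port 80 flags S/SA keep state

# Administer the gateway over SSH from the wired side only (assumption).
pass in on $i_if inet proto tcp from $i_net/$i_mask to $i_ip port 22 flags S/SA keep state

# The gateway's own outbound DNS and NTP; state lets the replies back in.
pass out on $o_if inet proto udp from $o_ip to any port { 53, 123 } keep state
```

Because pf uses last-match semantics unless a rule says `quick`, the ordering matters: the `quick` block rules stop evaluation before any later `pass` can override them, while the non-`quick` `pass` rules win over the initial `block ... all` only for the traffic they name.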
