Securing a Wireless Network Without Encryption
Thu, Jun 25, 2009

First, I had a look at my DHCP server. Controlling what addresses are assigned to devices that aren’t mine makes firewall rules simpler. Not the best way, but I’m going for layers. The DHCP server I am using is also integrated with the firewall, so abandoned and unassigned addresses are tracked. Since I don’t have a VLAN-capable wireless access point I can’t use VLANs, but I can segment the network a bit. Small problem though: I have tried a similar setup before and forgotten all about this issue. OpenBSD’s dhcpd only has a global allow or deny for unknown hosts, meaning I can’t assign unknown devices to one IP range and known ones to another. I’m still working on that…
On to the firewall! I started by blocking everything and then poked holes for the things I know I use, typical firewall policy stuff. Not good enough though; I want it to take care of itself. PF, OpenBSD’s firewall, has a couple of features I want to take advantage of to resolve this with as little of my involvement as possible. Tables can be used as a list of IPs in a rule, and IPs can be added to and removed from a table by external applications or with a feature like overload. Once an IP matches your criteria it is added to a table, and that table can have its own rules. In this case, any device making too many connections gets added to an abuser table. The abuser table has port 80 redirected to my web server and everything else blocked. This table will have to be cleared from time to time, just in case I end up with that IP.
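Here is what that policy looks like as a pf.conf, written as an added illustration rather than the post's own ruleset. It assumes the interface name `athn0`, the web server address `192.168.1.10`, the port list and the connection limits; it uses the `rdr-to` syntax of OpenBSD 4.7 and later, whereas the 2009-era PF used a separate `rdr` rule for the redirect.

```pf
# Assumed names, not from the original post
wifi_if   = "athn0"
webserver = "192.168.1.10"

# The abuser table survives rule reloads. The overload rule below fills it;
# it can also be managed by hand, e.g. to clear entries older than an hour:
#   pfctl -t abusers -T expire 3600
table <abusers> persist

set skip on lo

# Default deny on the wireless segment. UDP is blocked by this rule too,
# since nothing below passes it except DNS to the gateway.
block log on $wifi_if

# Abusers: port 80 is redirected to the local web server (an explanation
# page), everything else from them is dropped. 'quick' ends evaluation here.
pass in quick on $wifi_if proto tcp from <abusers> to any port 80 \
    rdr-to $webserver port 80
block in quick log on $wifi_if from <abusers>

# DNS to the gateway itself is the only UDP allowed in from wireless clients
pass in on $wifi_if proto udp from any to ($wifi_if) port 53

# Allowed TCP services with per-source limits. A client exceeding 100
# simultaneous connections, or opening more than 15 in 5 seconds, is added
# to <abusers> and all of its existing states are torn down.
pass in on $wifi_if proto tcp from any to any port { 22 80 443 } \
    keep state (max-src-conn 100, max-src-conn-rate 15/5, \
    overload <abusers> flush global)
```

Check the result with `pfctl -t abusers -T show` after a client trips the limit; the `log` keywords send the blocked traffic to pflog0 for review with tcpdump.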
So far blocking UDP seems to have stopped my abusive leech. I still have some work to do though and I’ll try to post here some of the other things I try. Any suggestions? Questions?