authpf

Objective
The objective is to secure my wifi network in a "hotspot" manner.
After some searching I found authpf, which looked like it could be
set up as something like a "hotspot via ssh".
authpf gives you the possibility to add rules to pf when you log in
with a specific user whose login shell is the authpf shell.

Preparations
First of all I compiled a custom kernel to get pf to work. You
can read more about running pf on FreeBSD in the Handbook,
and more general documentation for pf can be found on
OpenBSD's website.

AuthPF
First of all I created the /etc/authpf/ hierarchy, which consists of:
/etc/authpf/
/etc/authpf/users/
/etc/authpf/users/$USER/
Then I added /usr/sbin/authpf to /etc/shells and created two users,
wifi and wifi_guest, with the shell /usr/sbin/authpf.

# cat /etc/authpf/authpf.conf
anchor=authpf
table=authpf_users

# cat /etc/authpf/users/wifi_guest/authpf.rules
tight_tcp = "{ 80 53 443 }"
tight_udp = "{ 53 631 }"
pass in quick proto tcp from $user_ip to any port $tight_tcp keep state
pass in quick proto udp from $user_ip to any port $tight_udp keep state

# cat /etc/authpf/authpf.allow
wifi
wifi_guest

And to /etc/pf.conf I added these lines:
table <authpf_users> persist (refers to "table" in authpf.conf)
anchor "authpf/*" (refers to "anchor" in authpf.conf)

All that's left is to log in as the wifi_guest user via ssh on your
gateway and see whether you are given any extra rules when logged in as an
authpf user. If you want a complete guide to this, go to OpenBSD's website.

Problems:
The first problem is getting the pf rules right. :P You can read about this here.
The second problem I encountered was the /dev/fd/# devices. There
were too few of them: pf wants to use /dev/fd/4. To solve this
problem I used mount_fdescfs(8).
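As an added example (not part of the original post), here is a POSIX shell preflight check that walks through the pieces set up above before you try the ssh login: the authpf shell in /etc/shells, the user's login shell, anchor= and table= in authpf.conf, the entry in authpf.allow, the per-user rule file, the matching table and anchor lines in pf.conf, and an fdescfs entry in fstab for the /dev/fd problem. It assumes the file layout from the post and takes a root directory as its first argument so it can be run against a copy of the files; the scratch hierarchy built at the bottom is constructed for illustration and is not a real system. It also flags typographic quotes in the rule file, since pf only accepts straight double quotes.

```shell
#!/bin/sh
# Added example: preflight check for an authpf setup laid out as in the post.
# ROOT is prefixed to every path so the check can run against a scratch copy.

# check_authpf_setup ROOT USER -> returns 0 if everything is in place, 1 otherwise
check_authpf_setup() {
    root=$1
    user=$2
    ok=0
    fail() { echo "FAIL: $*"; ok=1; }
    warn() { echo "WARN: $*"; }

    # 1. authpf must be an allowed login shell
    grep -qx '/usr/sbin/authpf' "$root/etc/shells" 2>/dev/null \
        || fail "/usr/sbin/authpf is not listed in /etc/shells"

    # 2. the user must actually use that shell
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$root/etc/passwd" 2>/dev/null)
    [ "$shell" = "/usr/sbin/authpf" ] \
        || fail "user $user does not have /usr/sbin/authpf as shell (got '${shell:-none}')"

    # 3. authpf.conf must name the anchor and the table
    conf=$root/etc/authpf/authpf.conf
    anchor=$(sed -n 's/^anchor=//p' "$conf" 2>/dev/null)
    table=$(sed -n 's/^table=//p' "$conf" 2>/dev/null)
    [ -n "$anchor" ] || fail "no anchor= line in $conf"
    [ -n "$table" ]  || fail "no table= line in $conf"

    # 4. with an authpf.allow file present, only listed users may log in
    allow=$root/etc/authpf/authpf.allow
    if [ -f "$allow" ]; then
        grep -qx "$user" "$allow" || fail "$user is not in authpf.allow"
    else
        warn "no authpf.allow file; every user with the authpf shell may log in"
    fi

    # 5. the per-user rule file must exist, use $user_ip and use straight quotes
    rules=$root/etc/authpf/users/$user/authpf.rules
    if [ -f "$rules" ]; then
        grep -q '\$user_ip' "$rules" || fail "$rules never uses \$user_ip"
        if grep -E -q '“|”' "$rules"; then
            fail "$rules contains typographic quotes; pf wants \"...\""
        fi
    else
        fail "$rules does not exist"
    fi

    # 6. pf.conf must carry the persist table and the authpf anchor
    pf=$root/etc/pf.conf
    grep -q "^table <$table> persist" "$pf" 2>/dev/null \
        || fail "pf.conf lacks 'table <$table> persist'"
    grep -q "^anchor \"$anchor/\*\"" "$pf" 2>/dev/null \
        || fail "pf.conf lacks 'anchor \"$anchor/*\"'"

    # 7. without fdescfs only /dev/fd/0-2 exist, so warn if fstab does not mount it
    grep -q 'fdescfs' "$root/etc/fstab" 2>/dev/null \
        || warn "no fdescfs entry in /etc/fstab; mount it or /dev/fd/4 will be missing"

    return $ok
}

# build_demo_root -> prints the path of a constructed scratch hierarchy
build_demo_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/authpf/users/wifi_guest"
    printf '/bin/sh\n/usr/sbin/authpf\n' > "$d/etc/shells"
    # constructed passwd entry: only wifi_guest has the authpf shell here
    printf 'wifi_guest:*:1002:1002::/home/wifi_guest:/usr/sbin/authpf\n' > "$d/etc/passwd"
    printf 'anchor=authpf\ntable=authpf_users\n' > "$d/etc/authpf/authpf.conf"
    printf 'wifi\nwifi_guest\n' > "$d/etc/authpf/authpf.allow"
    cat > "$d/etc/authpf/users/wifi_guest/authpf.rules" <<'EOF'
tight_tcp = "{ 80 53 443 }"
tight_udp = "{ 53 631 }"
pass in quick proto tcp from $user_ip to any port $tight_tcp keep state
pass in quick proto udp from $user_ip to any port $tight_udp keep state
EOF
    printf 'table <authpf_users> persist\nanchor "authpf/*"\n' > "$d/etc/pf.conf"
    printf 'fdesc /dev/fd fdescfs rw 0 0\n' > "$d/etc/fstab"
    echo "$d"
}

DEMO_ROOT=$(build_demo_root)
check_authpf_setup "$DEMO_ROOT" wifi_guest && echo "wifi_guest: setup complete"
check_authpf_setup "$DEMO_ROOT" wifi || echo "wifi: setup incomplete"
```

On the real gateway run it as `check_authpf_setup / wifi_guest`; the demo lines at the bottom show a complete setup (wifi_guest) next to an incomplete one (wifi, which in the constructed hierarchy has neither a passwd entry nor a rule file).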
