How to Build a Simple Wireless Authenticated Gateway (SWAG) Using OpenBSD
By: Rosli Sukri
Now, without spending a lot of money you too can build an authenticated gateway to verify your WiFi users. First and foremost you need to get your hands on the coolest free BSD system for firewalls and security devices. In this example I will be using a stock standard OpenBSD 3.6 as the build and base system (but I guess you could use FreeBSD 5.3 – me thinks the newer FreeBSD releases are getting a bit bloated, but the background fscking, fscking rocks dude!)
Once you have installed your neighbourhood OS on your server (go ahead and install all the packages from the OpenBSD installation CD; heck, I have 40G worth of SATA drive on my brand spanking new Dell 1U server so I don't really care) you only need to change a couple of files within your /etc directory before you can start rocking.
The Setup
By the way my rig is a Dell 1U server with 4 NIC cards and a lot of RAM. One neat thing about the setup is its way awesome fan system that mimics a mini tornado. Woooshh! Boy, it is very noisy, but it keeps the board cool. The Dell is awesome, a far cry from the Low Yat Cap Ayam servers that I usually have to work with.
The ultimate goal is to have 2 internal network segments and 1 uplink to the Internet. I am reserving the last NIC, so that if I ever get another ISP I might be able to do some funky load balancing stuff :). In addition, the gateway will provide dhcpd service for the clients on both internal networks. This is done so that we can turn off those pesky, limited dhcpd services inside the APs themselves.
The gateway has 4 Broadcom GigE NICs (em0 to em3). In this example em0 and em1 are the internal LANs, with IP ranges of 192.168.10.x and 192.168.11.x respectively. em2 is the uplink to the ISP, whose IP and network are predefined by them. The gateway takes 192.168.10.1 and 192.168.11.1 on the internal interfaces; you then plug your APs into one of the internal LANs. All authorized packets from the internal LANs and the WiFi networks are NATed at the gateway.
These are the files we need to change to make our setup work. You also have to configure the appropriate files to set the IP addresses, default router and DNS of the gateway machine itself, but for that please refer to the OpenBSD FAQ.
/etc/rc.conf.local
/etc/sysctl.conf
/etc/inetd.conf
/etc/shells
/etc/dhcpd.conf
/etc/dhcpd.interfaces
/etc/pf.conf
/etc/authpf/authpf.conf
/etc/authpf/authpf.rules
/etc/ssh/sshd_config
The Simple Diagram
and here are the files...
# /etc/rc.conf.local
pf=YES
dhcpd_flags=""
Well, you need to enable these at boot time, or else none of it will work.
# /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
Don't forget this, or else your box can't forward any packets, which would make it rather useless.
# /etc/inetd.conf
127.0.0.1:8021   stream  tcp   nowait  root     /usr/libexec/ftp-proxy  ftp-proxy -n
ident            stream  tcp   nowait  _identd  /usr/libexec/identd     identd -el
ident            stream  tcp6  nowait  _identd  /usr/libexec/identd     identd -el
127.0.0.1:comsat dgram   udp   wait    root     /usr/libexec/comsat     comsat
[::1]:comsat     dgram   udp6  wait    root     /usr/libexec/comsat     comsat
FTP service, who needs it anyway... (the ftp-proxy line is the one that matters here; it is what the pf rdr rule below hands port 21 to)
# echo /usr/sbin/authpf >> /etc/shells
You need to run this command to be able to assign that shell to the users – you don't want them to have shell access now, do you? sshd refuses logins for accounts whose shell is not listed in /etc/shells, so skipping this step means nobody can authenticate.
# /etc/dhcpd.conf
# pool for the 1st internal LAN (em0)
subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;
    option domain-name-servers 202.188.1.5;
    option domain-name "rosli.domain";
    range 192.168.10.32 192.168.10.127;
}
# pool for the 2nd internal LAN (em1) - the subnet line has to match the
# routers and range lines, otherwise dhcpd refuses the block
subnet 192.168.11.0 netmask 255.255.255.0 {
    option routers 192.168.11.1;
    option domain-name-servers 202.188.1.5;
    option domain-name "rosli.domain";
    range 192.168.11.32 192.168.11.127;
}
Complete with the setting to (ab)use one of Malaysia's fat telcos....
# /etc/dhcpd.interfaces
#
em0
em1
With the settings above you should have a fully functional dhcpd server that serves two different internal LANs.
And now the fun stuff – the ever daunting firewall access rules. Two things to keep in mind while reading them. The ssh rules pass connections to the external interface's address only, so that is the address clients have to ssh to; if you would rather have them use 192.168.10.1 and 192.168.11.1, change "to $externalIf" in the two internal ssh rules to "to em0" and "to em1". And the default block stance below only covers the internal interfaces: pf passes whatever it is not told to block, so on the Internet-facing em2 anything you don't want reaching the gateway has to be blocked explicitly, or widen the rule to "block in log all" and add "pass quick on lo0 all" so loopback traffic is never caught by it.
# /etc/pf.conf
# note: interface use is only em0 and em1, em2 is reserved for external

### macros
internalIf = "{em0, em1}"
externalIf = "em2"

scrub in all

### nat and rdr
nat on $externalIf from { em0:network, em1:network } to any -> ($externalIf)
rdr on $internalIf proto tcp from any to any port 21 -> 127.0.0.1 port 8021

### filter
# Default block stance
block in log on $internalIf all

# The annoyance of ftp continues
pass in quick on $externalIf inet proto tcp from port { ftp, ftp-data } to ($externalIf) user proxy flags S/SA keep state

# The gateway allowing itself to go out and about
pass out quick on $externalIf proto tcp from $externalIf:network flags S/SA modulate state
pass out quick on $externalIf proto { udp, icmp } from $externalIf:network keep state
pass out quick on $externalIf proto tcp from $externalIf flags S/SA modulate state
pass out quick on $externalIf proto { udp, icmp } from ($externalIf) keep state
pass out quick on $externalIf proto tcp from $internalIf flags S/SA modulate state
pass out quick on $externalIf proto { udp, icmp } from $internalIf keep state
pass out quick on $externalIf proto tcp from 127.0.0.1 flags S/SA modulate state
pass out quick on $externalIf proto { udp, icmp } from 127.0.0.1 keep state

# SSH and pings must be allowed
pass in quick on $externalIf proto tcp from $externalIf:network to $externalIf port ssh flags S/SA keep state
pass in quick on em0 proto tcp from em0:network to $externalIf port ssh flags S/SA keep state
pass in quick on em1 proto tcp from em1:network to $externalIf port ssh flags S/SA keep state
pass in quick on { em0, em1 } proto icmp from { em0:network, em1:network } to { em0, em1, em2 } keep state

# Just in case the uplink's IP is not statically assigned by the ISP
pass in quick on $externalIf proto { udp, tcp } from $externalIf:network to $externalIf port { bootps, ftp, ftp-data } keep state

# Again ftp strikes back
pass in quick on $externalIf proto tcp from $externalIf:network to lo0 port 8021 keep state

# This glues the config to the next section: authpf loads each user's rules into this anchor
anchor "authpf/*" in on $internalIf
# /etc/authpf/authpf.rules
# note: interface use is only em0 and em1, em2 is reserved for external
# $user_ip is filled in by authpf with the address the user sshed from

### macros
internalIf = "{em0, em1}"

### filter
## 1st internal interface
pass in quick on em0 proto { udp, tcp } from $user_ip to any port domain keep state
pass in quick on em0 proto icmp from $user_ip to any keep state
pass in quick on em0 proto tcp from $user_ip to any port { ssh, http, https, smtp, ftp, pop3, imap } flags S/SA keep state
# this damn last rule is needed by ftp passive mode
pass in quick on em0 proto tcp from $user_ip to any port > 1024 keep state

## 2nd internal interface
pass in quick on em1 proto { udp, tcp } from $user_ip to any port domain keep state
pass in quick on em1 proto icmp from $user_ip to any keep state
pass in quick on em1 proto tcp from $user_ip to any port { ssh, http, https, smtp, ftp, pop3, imap } flags S/SA keep state
# this damn last rule is needed by ftp passive mode
pass in quick on em1 proto tcp from $user_ip to any port > 1024 keep state
# touch /etc/authpf/authpf.conf
authpf.conf must exist – if not, authpf will surely barf. It can stay empty; the defaults are fine for this setup.
Last but not least
# /etc/ssh/sshd_config
# note: interface use is only em0 and em1, em2 is reserved for external
Port 22
Protocol 2
Subsystem sftp /usr/libexec/sftp-server
# 5 seconds
ClientAliveInterval 5
# 3 strikes and you're out
ClientAliveCountMax 3
To avoid ssh zombies – are you afraid of ghosts? This matters more than usual here, because the user's rules stay loaded for exactly as long as sshd thinks the session is alive; with the two settings above a client that silently drops off the WLAN is cut loose after about 15 seconds.
By the way, don't forget to set the default gateway of the external interface by putting it in /etc/mygate.
Why does it take so long for me to authenticate to the gateway? Please refer to:
http://www.openbsd.org/faq/faq8.html#RevDNS
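Every one of the gotchas above (pf not enabled at boot, forwarding off, authpf missing from /etc/shells, an absent authpf.conf, the anchor line forgotten in pf.conf) produces the same symptom for the user: the ssh login closes and nothing gets through. The preflight script below is an added example written for this article, not an OpenBSD tool. It walks that checklist against a tree you point it at (/ for the live gateway, or a staging directory), and the make_sample_tree helper builds a constructed copy of the article's settings so you can try it without touching a real box; the passwd line it writes is made up.

```shell
#!/bin/sh
# swag_preflight ROOT
#   Check the files this article edits for the mistakes that silently
#   break authpf.  ROOT is / for the live gateway or a staging directory.
#   Added example for this article, not part of OpenBSD.

_swag_ok()   { printf 'ok:   %s\n' "$1"; }
_swag_fail() { printf 'FAIL: %s\n' "$1"; _swag_rc=1; }

swag_preflight() {
    _swag_rc=0
    _e="$1/etc"

    if grep -q '^pf=YES' "$_e/rc.conf.local" 2>/dev/null; then
        _swag_ok "pf=YES in rc.conf.local"
    else _swag_fail "pf=YES missing from rc.conf.local (pf will not start at boot)"; fi

    if grep -q '^net\.inet\.ip\.forwarding=1' "$_e/sysctl.conf" 2>/dev/null; then
        _swag_ok "IPv4 forwarding enabled in sysctl.conf"
    else _swag_fail "net.inet.ip.forwarding=1 missing from sysctl.conf"; fi

    if grep -qx '/usr/sbin/authpf' "$_e/shells" 2>/dev/null; then
        _swag_ok "/usr/sbin/authpf is listed in /etc/shells"
    else _swag_fail "/usr/sbin/authpf not in /etc/shells (sshd will reject authpf users)"; fi

    if [ -f "$_e/authpf/authpf.conf" ]; then
        _swag_ok "authpf.conf exists"
    else _swag_fail "authpf/authpf.conf missing (touch it; authpf refuses to run without it)"; fi

    if [ -s "$_e/authpf/authpf.rules" ]; then
        _swag_ok "authpf.rules present"
    else _swag_fail "authpf/authpf.rules missing or empty"; fi

    if grep -q '^anchor "authpf/\*"' "$_e/pf.conf" 2>/dev/null; then
        _swag_ok "authpf anchor found in pf.conf"
    else _swag_fail 'no anchor "authpf/*" line in pf.conf (per-user rules have nowhere to load)'; fi

    if grep -q '^[a-z]' "$_e/dhcpd.interfaces" 2>/dev/null; then
        _swag_ok "dhcpd.interfaces lists: $(grep '^[a-z]' "$_e/dhcpd.interfaces" | tr '\n' ' ')"
    else _swag_fail "dhcpd.interfaces is empty (dhcpd will serve nothing)"; fi

    # accounts whose login shell is authpf (field 7 of passwd)
    _users=$(awk -F: '$7 == "/usr/sbin/authpf" { print $1 }' "$_e/passwd" 2>/dev/null | tr '\n' ' ')
    if [ -n "$_users" ]; then
        _swag_ok "authpf accounts: $_users"
    else _swag_fail "no account uses /usr/sbin/authpf as its shell yet (add one with adduser)"; fi

    return $_swag_rc
}

# make_sample_tree DIR: constructed staging tree with the article's settings
make_sample_tree() {
    _d="$1/etc"
    mkdir -p "$_d/authpf"
    printf 'pf=YES\ndhcpd_flags=""\n' > "$_d/rc.conf.local"
    printf 'net.inet.ip.forwarding=1\nnet.inet6.ip6.forwarding=1\n' > "$_d/sysctl.conf"
    printf '/bin/sh\n/bin/csh\n/bin/ksh\n/usr/sbin/authpf\n' > "$_d/shells"
    : > "$_d/authpf/authpf.conf"
    printf 'pass in quick on em0 proto tcp from $user_ip to any port http keep state\n' \
        > "$_d/authpf/authpf.rules"
    printf 'internalIf = "{em0, em1}"\nblock in log on $internalIf all\nanchor "authpf/*" in on $internalIf\n' \
        > "$_d/pf.conf"
    printf 'em0\nem1\n' > "$_d/dhcpd.interfaces"
    # made-up passwd entries (no password hashes live here)
    printf 'root:*:0:0:Charlie &:/root:/bin/ksh\ntestuser:*:1002:31:Test Authenticated User:/home/testuser:/usr/sbin/authpf\n' \
        > "$_d/passwd"
}

# usage: sh swag_preflight.sh /          (live gateway)
#        sh swag_preflight.sh --sample   (constructed tree)
if [ "${1:-}" = "--sample" ]; then
    _t=$(mktemp -d); make_sample_tree "$_t"; swag_preflight "$_t"; rm -r "$_t"
elif [ $# -gt 0 ]; then
    swag_preflight "$1"
fi
```

Run swag_preflight / on the gateway after editing the files and before you let anyone near the APs. It does not replace pfctl -nf /etc/pf.conf, which is still the way to catch a syntax error in the rules themselves.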
To Add an Authenticated Gateway User
Use the adduser script, but you need to be logged on as root or have root privileges.
# adduser
Use option ``-silent'' if you don't want to see all warnings and questions.
Reading /etc/shells
Reading /etc/login.conf
Check /etc/master.passwd
Check /etc/group
Ok, let's go. Don't worry about mistakes. I will give you the chance later to correct any input.
Enter username []: testuser
Enter full name []: Test Authenticated User
Enter shell authpf csh ksh nologin sh [sh]: authpf
Uid [1002]: <Enter>
Login group testuser [testuser]: guest
Login group is ``guest''. Invite testuser into other groups: guest no [no]: no
Login class auth-defaults auth-ftp-defaults daemon default staff [default]: <Enter>
Enter password []: <type the password, then Enter>
Enter password again []: <type the password again, then Enter>
Name: testuser
Password: ****
Fullname: Test Authenticated User
Uid: 1002
Gid: 31 (guest)
Groups: guest
Login Class: default
HOME: /home/testuser
Shell: /usr/sbin/authpf
OK? (y/n) [y]: y
Added user ``testuser''
Copy files from /etc/skel to /home/testuser
Add another user? (y/n) [y]: n
Goodbye!
To Remove an Authenticated Gateway User
Use the supplied rmuser script; again you need root privileges to execute this command.
# rmuser
Enter login name for user to remove: testuser
Matching password entry:
testuser:$2a$07$ZWnBOsbqMJ.ducQBfsTKUe3PL97Ve1AHWJ0A4uLamniLNXLeYrEie:1002:31::0:0:Test Authenticated User:/home/testuser:/usr/sbin/authpf
Is this the entry you wish to remove? y
Remove user's home directory (/home/testuser)? y
Updating password file, updating databases, done.
Updating group file: done.
Removing user's home directory (/home/testuser): done.
How to Authenticate to the Gateway
Start up your favourite ssh client and connect to the predefined gateway IP address. In this example we will be using PuTTY and connecting to 10.10.10.1.
Enter your assigned user name and password, and voila, you're authenticated to use the network. The gateway now knows the IP address of the client you're connected from, and that address is all it ties the session to.
You will now be able to access the network services you're authorized for, as defined by the network access policy in authpf.rules. Keep the ssh window open: authpf pulls your rules out of the anchor the moment the session ends, so closing PuTTY logs you off the network.
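authpf ties the session to the client's IP address and nothing else. It refuses a second login from an address that already has a session, but it is perfectly happy to let the same account in from a second address, and on an open WLAN that is what shared or sniffed credentials look like, so it is worth watching for. The script below is an added example for this article, not OpenBSD code: it rebuilds sessions from authpf's syslog messages and flags an account that is active from two addresses at once. The log lines are constructed, and the message wording it assumes ("allowing IP, user NAME" on login, "removed IP, user NAME - duration N seconds" on logout) should be checked against your own log before you rely on it.

```shell
#!/bin/sh
# authpf_sessions LOGFILE
#   Replay authpf login/logout messages from a syslog file, print a WARN
#   whenever an account authenticates from a second address while its
#   first session is still open, and list the sessions left open at the
#   end of the file.  Added example for this article, not OpenBSD code.
#   Assumed message shape (verify against your own log):
#     ... authpf[PID]: allowing IP, user NAME
#     ... authpf[PID]: removed IP, user NAME - duration N seconds

authpf_sessions() {
    awk '
    /authpf\[[0-9]+\]: allowing / {
        ip = $0;   sub(/.*allowing /, "", ip);  sub(/,.*/, "", ip)
        user = $0; sub(/.*, user /, "", user);  sub(/[ ,].*/, "", user)
        when = $1 " " $2 " " $3                 # syslog timestamp
        # any other address still active for this account?
        for (k in active) {
            split(k, p, SUBSEP)
            if (p[1] == user && p[2] != ip)
                printf "WARN %s: %s logged in from %s while still active from %s\n",
                       when, user, ip, p[2]
        }
        active[user, ip] = when
    }
    /authpf\[[0-9]+\]: removed / {
        ip = $0;   sub(/.*removed /, "", ip);   sub(/,.*/, "", ip)
        user = $0; sub(/.*, user /, "", user);  sub(/[ ,].*/, "", user)
        delete active[user, ip]
    }
    END {
        for (k in active) {
            split(k, p, SUBSEP)
            printf "OPEN %s from %s since %s\n", p[1], p[2], active[k]
        }
    }
    ' "$1"
}

# Constructed sample log: testuser logs in a second time from another
# address before the first session is closed.
sample_authpf_log() {
    cat <<'EOF'
Jan 12 09:01:10 swag authpf[4711]: allowing 192.168.10.45, user testuser
Jan 12 09:03:42 swag authpf[4720]: allowing 192.168.11.77, user bob
Jan 12 09:05:00 swag authpf[4733]: allowing 192.168.10.99, user testuser
Jan 12 09:20:15 swag authpf[4711]: removed 192.168.10.45, user testuser - duration 1145 seconds
Jan 12 09:31:02 swag authpf[4720]: removed 192.168.11.77, user bob - duration 1640 seconds
EOF
}

# usage: sh authpf_sessions.sh /var/log/daemon
if [ $# -gt 0 ]; then
    authpf_sessions "$1"
fi
```

For the live picture rather than the history, ls /var/authpf lists the addresses that currently hold a session (authpf keeps a file per address for the session's duration, which is how it spots the duplicate-address case) and pfctl -s Anchors shows the per-user anchors that are loaded.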