On Sun, Jul 05, 2020 at 08:37:40PM +0000, Mogens Jensen wrote:
> I've installed OpenBSD 6.7 on a system that have an athn(4) wireless
> network adapter. Before setting up this device, I wanted to verify the
> configuration of pf, unbound etc. which required the interface to have
> an IP address, so I added the following line to /etc/hostname.athn0:
> inet
> This enabled the interface, which allowed pf, unbound etc. to start:
> # ifconfig athn0
> athn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>       lladdr XX:XX:XX:XX:XX:XX
>       index 4 priority 4 llprio 3
>       groups: wlan
>       media: IEEE802.11 autoselect (DS1)
>       status: no network
>       ieee80211: nwid ""
>       inet netmask 0xffffff00 broadcast
> However, it also automatically made the interface start scanning:
> # netstat -W athn0 | grep scans
> 1 active scans started
> 0 passive scans started
> Is it possible to configure the athn0 interface with an IP address, but
> prohibit any kind of wireless communication?

Setting an IP address will implicitly mark the interface UP.
This is long-standing behaviour and unlikely to change.

And when a wifi interfaces is marked UP it will search for access points.

Since you don't have an nwid configured, what will happen is:

1) The device will send a probe request with a wildcard SSID.
   Afterwards it will continue to listen for beacons indefinitely.

2) The device will receive beacons which are parsed by the kernel to
   populate the list of networks shown by 'ifconfig athn0 scan'.
   Because no nwid is configured no connection attempt will be made.
   (Note that this is new behaviour in OpenBSD 6.7. Before 6.7, the
   kernel would try to find an unencrypted network to connect to.)

It is impossible to exchange data frames with the system over wifi in
this unassociated state because any incoming data frames will be dropped.
So if that's your concern then there is no actual reason to worry.

> The reason for this is that I have to verify many systems with
> different configuration, which requires athn0 to be configured with an
> IP address. I want to do the verification and install patches before any
> wireless communication happens, as I can't guarantee that none of the
> devices within wireless range are malicious.

As a workaround you could add 'down' to your hostname.if file after
configuring the IP:


That will disable the device after IP configuration. The address will
remain configured and the interface will remain inactive until marked UP.
Though I cannot tell if this would satisfy your verification process.

Reply via email to