Re: Filtering other network layer protocols with PF

2017-09-12 Thread Marko Cupać
On Mon, 11 Sep 2017 10:26:22 -0500
Christopher Snell wrote:

> Hi,
> 
> I have an AT&T fiber connection at home that relies on a crappy,
> proprietary, and insecure [1] router that does proprietary
> authentication with upstream equipment via EAP over 802.1x.  Some
> folks have figured out how to bypass it by putting the AT&T router
> behind their actual firewalls and proxying the 802.1x packets to/from
> the AT&T device, thus faking out the upstream gateway.
> 
> Unfortunately, the common solution [2] for this is Linux-specific and
> relies on their PF_RING stuff.  I was hoping to proxy this protocol in
> OpenBSD without having to use something slow like pcap.  As far as I
> can tell from reading man pages, PF does not support this network
> layer protocol (0x888E).  Does anybody have any ideas on how I might
> efficiently capture these packets and copy them to another interface?
> 
> Chris
> 
> [1] https://www.nomotion.net/blog/sharknatto/
> [2] https://github.com/jaysoffian/eap_proxy

Hi,

Not exactly an answer to your question, but:

I have a similar situation, where my ISP gives me a crappy device whose
uplink is ADSL and downlink is ethernet. By default, it does
PAP-authenticated pppoe, NAT and ingress filtering on the uplink.

I managed to configure this device in 'bridge mode' and put a
two-NIC (PC Engines APU2) OpenBSD firewall behind it, which
does pppoe, NAT, filtering, etc. The rest of my home LAN plugs into the
internal interface of that firewall.

ISP--adsl

I still can't secure ISP's device, but I can filter traffic which
enters and leaves my LAN.

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Filtering other network layer protocols with PF

2017-09-11 Thread Jiri B
On Mon, Sep 11, 2017 at 10:26:22AM -0500, Christopher Snell wrote:
> Hi,
> 
> I have an AT&T fiber connection at home that relies on a crappy,
> proprietary, and insecure [1] router that does proprietary authentication
> with upstream equipment via EAP over 802.1x.  Some folks have figured out
> how to bypass it by putting the AT&T router behind their actual firewalls
> and proxying the 802.1x packets to/from the AT&T device, thus faking out
> the upstream gateway.
> 
> Unfortunately, the common solution [2] for this is Linux-specific and
> relies on their PF_RING stuff.  I was hoping to proxy this protocol in
> OpenBSD without having to use something slow like pcap.  As far as I can
> tell from reading man pages, PF does not support this network layer
> protocol (0x888E).  Does anybody have any ideas on how I might efficiently
> capture these packets and copy them to another interface?
> 
> Chris
> 
> [1] https://www.nomotion.net/blog/sharknatto/
> [2] https://github.com/jaysoffian/eap_proxy

Wouldn't it be possible to put the egress port and the port for this device
into a bridge, use bridge filtering rules, and then filter everything
in pf?

j.



Filtering other network layer protocols with PF

2017-09-11 Thread Christopher Snell
Hi,

I have an AT&T fiber connection at home that relies on a crappy,
proprietary, and insecure [1] router that does proprietary authentication
with upstream equipment via EAP over 802.1x.  Some folks have figured out
how to bypass it by putting the AT&T router behind their actual firewalls
and proxying the 802.1x packets to/from the AT&T device, thus faking out
the upstream gateway.

Unfortunately, the common solution [2] for this is Linux-specific and
relies on their PF_RING stuff.  I was hoping to proxy this protocol in
OpenBSD without having to use something slow like pcap.  As far as I can
tell from reading man pages, PF does not support this network layer
protocol (0x888E).  Does anybody have any ideas on how I might efficiently
capture these packets and copy them to another interface?

Chris

[1] https://www.nomotion.net/blog/sharknatto/
[2] https://github.com/jaysoffian/eap_proxy
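The question turns on what pf can and cannot match: EtherType 0x888E frames carry an EAPOL header directly after the Ethernet header, with no IP header at all. The following decoder is an added example (not from this thread or from eap_proxy) that parses constructed 802.1X frames and reports whether an IP-layer filter would ever see a matchable header; the MAC addresses and frame bytes are made up for the test.

```python
import struct

ETHERTYPE_EAPOL = 0x888E   # IEEE 802.1X; pf(4) has no rule syntax for this EtherType
IP_ETHERTYPES = (0x0800, 0x86DD)   # IPv4, IPv6: the only payloads pf can inspect

# EAPOL packet types (IEEE 802.1X-2004) and EAP codes (RFC 3748, section 4)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, for EtherType 0x888E, the EAPOL/EAP headers.

    'ip_layer' is True only when the frame carries IPv4/IPv6, i.e. when a
    pf rule on an IP address, protocol or port could ever match it.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype,
            "ip_layer": ethertype in IP_ETHERTYPES}
    if ethertype != ETHERTYPE_EAPOL:
        return info
    if len(frame) < 18:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) < body_len:
        raise ValueError("EAPOL body shorter than declared length")
    info["eapol_version"] = version
    info["eapol_type"] = EAPOL_TYPES.get(ptype, f"unknown({ptype})")
    if ptype == 0 and len(body) >= 4:            # EAP-Packet: code, id, length, [type]
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info["eap_code"] = EAP_CODES.get(code, f"unknown({code})")
        info["eap_id"] = ident
        if code in (1, 2) and eap_len >= 5:       # Request/Response carry an EAP type byte
            info["eap_type"] = body[4]
    return info


# Constructed sample frames (hypothetical MACs). PAE group address 01:80:c2:00:00:03
# is the real 802.1X destination for EAPOL-Start.
EAPOL_START = bytes.fromhex("0180c2000003" "001122334455" "888e" "02" "01" "0000")
EAP_REQ_IDENTITY = bytes.fromhex("001122334455" "00aabbccddee" "888e" "02" "00" "0005"
                                 "01" "01" "0005" "01")   # EAP Request, id 1, type Identity
IPV4_FRAME = bytes.fromhex("001122334455" "00aabbccddee" "0800" "4500001400010000")

if __name__ == "__main__":
    for f in (EAPOL_START, EAP_REQ_IDENTITY, IPV4_FRAME):
        print(parse_frame(f))
```

Running it shows the two 802.1X frames decoded with `ip_layer` False, which is exactly why the forwarding decision has to be made at the bridge or link layer rather than in pf.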