Re: Filtering other network layer protocols with PF
On Mon, 11 Sep 2017 10:26:22 -0500 Christopher Snell wrote:

> Hi,
>
> I have an AT&T fiber connection at home that relies on a crappy,
> proprietary, and insecure [1] router that does proprietary
> authentication with upstream equipment via EAP over 802.1x. Some
> folks have figured out how to bypass it by putting the AT&T router
> behind their actual firewalls and proxying the 802.1x packets to/from
> the AT&T device, thus faking out the upstream gateway.
>
> Unfortunately, the common solution [2] for this is Linux-specific and
> relies on their PF_RING stuff. I was hoping to proxy this protocol in
> OpenBSD without having to use something slow like pcap. As far as I
> can tell from reading man pages, PF does not support this network
> layer protocol (0x888E). Does anybody have any ideas on how I might
> efficiently capture these packets and copy them to another interface?
>
> Chris
>
> [1] https://www.nomotion.net/blog/sharknatto/
> [2] https://github.com/jaysoffian/eap_proxy

Hi,

not exactly an answer to your question, but:

I have a similar situation, where my ISP gives me a crappy device whose uplink is ADSL and downlink is ethernet. By default it does PAP-authenticated pppoe, NAT and ingress filtering on the uplink. I managed to configure this device in 'bridge mode', and put a two-NIC (PC Engines APU2) OpenBSD firewall behind it, which calls pppoe, NATs, filters, etc. The rest of my home LAN plugs into the internal interface of the mentioned firewall.

ISP--adsl

I still can't secure the ISP's device, but I can filter traffic which enters and leaves my LAN.

Regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: Filtering other network layer protocols with PF
On Mon, Sep 11, 2017 at 10:26:22AM -0500, Christopher Snell wrote:

> Hi,
>
> I have an AT&T fiber connection at home that relies on a crappy,
> proprietary, and insecure [1] router that does proprietary authentication
> with upstream equipment via EAP over 802.1x. Some folks have figured out
> how to bypass it by putting the AT&T router behind their actual firewalls
> and proxying the 802.1x packets to/from the AT&T device, thus faking out
> the upstream gateway.
>
> Unfortunately, the common solution [2] for this is Linux-specific and
> relies on their PF_RING stuff. I was hoping to proxy this protocol in
> OpenBSD without having to use something slow like pcap. As far as I can
> tell from reading man pages, PF does not support this network layer
> protocol (0x888E). Does anybody have any ideas on how I might efficiently
> capture these packets and copy them to another interface?
>
> Chris
>
> [1] https://www.nomotion.net/blog/sharknatto/
> [2] https://github.com/jaysoffian/eap_proxy

Wouldn't it be possible to put the egress port and the port for this device into a bridge, use bridge filtering rules and then filter everything in pf?

j.
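The bridge arrangement suggested above, written out as an added example (it is not configuration from the thread): an OpenBSD hostname.if(5) file for the bridge and a pf.conf(5) skeleton. The member names em0 (port toward the upstream side) and em1 (port toward the AT&T device) and the DHCP pass rule are assumptions for illustration. pf only evaluates IPv4 and IPv6 packets, so the 0x888E EAPOL frames cross bridge0 untouched by the pf rules; bridge(4) rules match on MAC addresses, not EtherType, so the one setting to avoid on these members is `blocknonip`, which would drop EAPOL along with every other non-IP protocol.

```text
# /etc/hostname.bridge0  (em0/em1 are assumed member names)
add em0
add em1
up

# /etc/hostname.em0 and /etc/hostname.em1: members up, no address
up

# /etc/pf.conf fragment: only IP traffic on the bridge members reaches these rules
upstream = "em0"
att_dev  = "em1"

block log all
# illustrative: let the AT&T device obtain its address from upstream
pass on { $upstream $att_dev } inet proto udp from port { 67 68 } to port { 67 68 }
```

Apply with `sh /etc/netstart bridge0` and `pfctl -f /etc/pf.conf`; `tcpdump -e -i em1 ether proto 0x888e` will confirm the EAPOL frames are still passing while `block log all` holds the IP side.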
Filtering other network layer protocols with PF
Hi,

I have an AT&T fiber connection at home that relies on a crappy, proprietary, and insecure [1] router that does proprietary authentication with upstream equipment via EAP over 802.1x. Some folks have figured out how to bypass it by putting the AT&T router behind their actual firewalls and proxying the 802.1x packets to/from the AT&T device, thus faking out the upstream gateway.

Unfortunately, the common solution [2] for this is Linux-specific and relies on their PF_RING stuff. I was hoping to proxy this protocol in OpenBSD without having to use something slow like pcap. As far as I can tell from reading man pages, PF does not support this network layer protocol (0x888E). Does anybody have any ideas on how I might efficiently capture these packets and copy them to another interface?

Chris

[1] https://www.nomotion.net/blog/sharknatto/
[2] https://github.com/jaysoffian/eap_proxy
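What the "proxy the 802.1x packets to/from the device" part actually has to do at layer 2, as an added example that is not code from the post and not eap_proxy's code: dispatch on EtherType, validate the EAPOL header, copy EAPOL frames unchanged to the other port and hand everything else back to the IP stack (where pf can see it). The port names "router" and "ont", the MAC addresses and the sample frames are constructed for illustration; how frames are read and written on a real interface is left to the caller.

```python
"""EtherType-level dispatch for relaying 802.1X (EAPOL, 0x888E) frames
between two ports in user space. Added example; not from the thread."""
import struct
from typing import Optional, Tuple

ETHERTYPE_EAPOL = 0x888E      # the non-IP EtherType pf cannot match on
ETHERTYPE_VLAN = 0x8100
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_SUCCESS, EAP_FAILURE = 3, 4


def parse_ethernet(frame: bytes) -> Tuple[bytes, bytes, int, bytes]:
    """Return (dst, src, ethertype, payload); skips one 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    off = 14
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (etype,) = struct.unpack("!H", frame[16:18])
        off = 18
    return dst, src, etype, frame[off:]


def parse_eapol(payload: bytes) -> Tuple[int, int, bytes]:
    """Return (version, packet_type, body); reject unknown types, bodies shorter
    than declared, and EAP-Packets whose EAP header is inconsistent."""
    if len(payload) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", payload[:4])
    if ptype not in EAPOL_TYPES:
        raise ValueError("unknown EAPOL packet type %d" % ptype)
    body = payload[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body shorter than declared length")
    if ptype == 0:
        if body_len < 4:
            raise ValueError("EAP-Packet without an EAP header")
        code, _ident, eap_len = struct.unpack("!BBH", body[:4])
        if code not in (1, 2, 3, 4) or not 4 <= eap_len <= body_len:
            raise ValueError("malformed EAP header")
    return version, ptype, body


def build_eapol(src, ptype, body=b"", dst=PAE_GROUP_ADDR, vlan=None):
    """Build an EAPOL frame; vlan=<vid> inserts an 802.1Q tag (sample data only)."""
    tag = b"" if vlan is None else struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    return (dst + src + tag + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", 1, ptype, len(body)) + body)


class EapolRelay:
    """Copies well-formed EAPOL frames unchanged from one port to its peer;
    anything else is returned to the caller so the IP stack (and pf) see it."""

    def __init__(self, port_a: str, port_b: str):
        self.peer = {port_a: port_b, port_b: port_a}
        self.counters = {"relayed": 0, "not_eapol": 0, "dropped": 0}
        self.authenticated = False

    def handle(self, port: str, frame: bytes) -> Optional[Tuple[str, bytes]]:
        """Return (other_port, frame) for an EAPOL frame received on `port`, else None."""
        try:
            _dst, _src, etype, payload = parse_ethernet(frame)
        except ValueError:
            self.counters["dropped"] += 1
            return None
        if etype != ETHERTYPE_EAPOL:
            self.counters["not_eapol"] += 1
            return None
        try:
            _version, ptype, body = parse_eapol(payload)
        except ValueError:
            self.counters["dropped"] += 1
            return None
        if ptype == 0:                      # remember the authenticator's verdict
            if body[0] == EAP_SUCCESS:
                self.authenticated = True
            elif body[0] == EAP_FAILURE:
                self.authenticated = False
        self.counters["relayed"] += 1
        return self.peer[port], frame


# Constructed sample addresses, not real devices.
ROUTER_MAC = bytes.fromhex("001122334455")
ONT_MAC = bytes.fromhex("66778899aabb")


def demo() -> EapolRelay:
    """Push a constructed exchange through the relay and return it for inspection."""
    relay = EapolRelay("router", "ont")
    relay.handle("router", build_eapol(ROUTER_MAC, 1))                                    # EAPOL-Start -> ont
    relay.handle("ont", build_eapol(ONT_MAC, 0, b"\x01\x01\x00\x05\x01", dst=ROUTER_MAC))  # EAP Request/Identity -> router
    relay.handle("ont", ONT_MAC + ROUTER_MAC + b"\x08\x00" + b"\x45" + b"\x00" * 19)       # IPv4: not relayed
    relay.handle("ont", build_eapol(ONT_MAC, 0, b"\x03\x01\x00\x04", dst=ROUTER_MAC))      # EAP Success -> router
    relay.handle("router", ROUTER_MAC + ONT_MAC + b"\x88\x8e" + b"\x01\x00\x00\x10")       # declares 16-byte body, has none: dropped
    return relay


if __name__ == "__main__":
    r = demo()
    print(r.counters, "authenticated:", r.authenticated)
```

The relay never rewrites a frame, so the authenticator on the far side still sees the AT&T device's own MAC and EAP identity; the length checks keep a malformed or truncated EAPOL PDU from being copied across, which is the one place a pure copy loop would otherwise forward garbage.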