On Sun, Jul 05, 2020 at 08:37:40PM +0000, Mogens Jensen wrote:
> I've installed OpenBSD 6.7 on a system that has an athn(4) wireless
> network adapter. Before setting up this device, I wanted to verify the
> configuration of pf, unbound etc. which required the interface to have
> an IP address, so I added the following line to /etc/hostname.athn0:
> 
> inet 192.168.10.1 255.255.255.0
> 
> This enabled the interface, which allowed pf, unbound etc. to start:
> 
> # ifconfig athn0
> athn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>       lladdr XX:XX:XX:XX:XX:XX
>       index 4 priority 4 llprio 3
>       groups: wlan
>       media: IEEE802.11 autoselect (DS1)
>       status: no network
>       ieee80211: nwid ""
>       inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
> 
> However, it also automatically made the interface start scanning:
> 
> # netstat -W athn0 | grep scans
> 1 active scans started
> 0 passive scans started
> 
> Is it possible to configure the athn0 interface with an IP address, but
> prohibit any kind of wireless communication?

Setting an IP address will implicitly mark the interface UP.
This is long-standing behaviour and unlikely to change.

And when a wifi interface is marked UP it will search for access points.

Since you don't have an nwid configured, what will happen is:

1) The device will send a probe request with a wildcard SSID.
   Afterwards it will continue to listen for beacons indefinitely.

2) The device will receive beacons which are parsed by the kernel to
   populate the list of networks shown by 'ifconfig athn0 scan'.
   Because no nwid is configured no connection attempt will be made.
   (Note that this is new behaviour in OpenBSD 6.7. Before 6.7, the
   kernel would try to find an unencrypted network to connect to.)

It is impossible to exchange data frames with the system over wifi in
this unassociated state because any incoming data frames will be dropped.
So if that's your concern then there is no actual reason to worry.

> The reason for this is that I have to verify many systems with
> different configuration, which requires athn0 to be configured with an
> IP address. I want to do the verification and install patches before any
> wireless communication happens, as I can't guarantee that none of the
> devices within wireless range are malicious.

As a workaround you could add 'down' to your hostname.if file after
configuring the IP:

inet 192.168.10.1 255.255.255.0
down

That will disable the device after IP configuration. The address will
remain configured and the interface will remain inactive until marked UP.
Though I cannot tell if this would satisfy your verification process.
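
Added example, not part of the original message: one way to check the result of the 'down' workaround from text in the format of the `ifconfig athn0` and `netstat -W athn0` output quoted above. The function names and the "down" sample (including its flags value) are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: verifies "address configured, interface not UP, no scans".

# Exit 0 if the flags=<...> list of ifconfig output on stdin contains UP.
iface_is_up() {
    sed -n 's/^[^ ]*: flags=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p' |
        tr ',' '\n' | grep -qx 'UP'
}

# Print the first IPv4 address in ifconfig output on stdin (empty if none).
iface_inet() {
    awk '$1 == "inet" { print $2; exit }'
}

# Print active + passive scans started, from netstat -W output on stdin.
scan_count() {
    awk '/scans started/ { n += $1 } END { print n + 0 }'
}

# $1 = ifconfig text, $2 = expected address, $3 = netstat -W text.
# Succeeds only if the address is set, the interface is not UP, and the
# scan counters are still zero.
check_quiet() {
    addr=$(printf '%s\n' "$1" | iface_inet)
    [ "$addr" = "$2" ] || { echo "FAIL: $2 not configured"; return 1; }
    if printf '%s\n' "$1" | iface_is_up; then
        echo "FAIL: interface is UP"; return 1
    fi
    scans=$(printf '%s\n' "$3" | scan_count)
    [ "$scans" -eq 0 ] || { echo "FAIL: $scans scan(s) started"; return 1; }
    echo "OK: $addr configured, interface down, no scans"
}

# State shown in the original post (interface UP, one active scan).
UP_IFCONFIG='athn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
      inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255'
UP_NETSTAT='1 active scans started
0 passive scans started'

# Constructed sample: assumed output once the "down" line has been applied.
DOWN_IFCONFIG='athn0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
      inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255'
DOWN_NETSTAT='0 active scans started
0 passive scans started'

# On a live system (not run here):
#   check_quiet "$(ifconfig athn0)" 192.168.10.1 "$(netstat -W athn0)"
```

A non-zero scan counter with the interface down means a scan was started at some earlier point, which the flags alone would not show.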
