RobFlickenger writes to the PebbleLinux MailList about using NoCatAuth with a bridged network and ebtables.

So, that was actually really easy. If you want to use NoCat on an ethernet bridge, just be sure that RouteOnly is set to 1, and that your wireless clients are allowed to talk to your DHCP server pre-auth. I started a bridge like this:

# drop the IP addresses from the two ports; the bridge device will own the address
ifconfig eth0 0.0.0.0
ifconfig wlan0 0.0.0.0
# create the bridge and enslave the wired and wireless (Host AP) interfaces
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 wlan0
# address the bridge itself (this brings br0 up) and point it at the wired router
ifconfig br0 10.15.6.2
route add default gw 10.15.6.1

The gateway address is 10.15.6.2. Wireless clients (on wlan0, running Host AP) pick up a lease from the wire side, along with the rest of my network. Clients get captured as normal, and are released after logging in. They're then bridged at layer 2 to the wired network, making for all sorts of multicast fun (not to mention horrible, horrible attack vectors and DoS opportunities). But fine tuning with iptables / ebtables could make this a pretty neat option, as you could throw a bunch of these on your network without changing your topology. The bridging code does spanning tree automatically.

Obviously, you'd still want to isolate this from a private network, but if you've got a VLAN or a separate physical LAN for your wireless segment, this is pretty neat. All of the laziness of a bridged network, with the full firewalling and processing power of iptables / ebtables and Linux...

Share and Enjoy,

--Rob

On Thursday, May 8, 2003, at 11:21 AM, Rob Flickenger wrote:
> Hello all--
>
> I've been playing with layer 2 bridging and pebble.  I was particularly interested by ebtables 
> (like iptables, but for Ethernet Bridges, http://ebtables.sourceforge.net/).  This leads to some
> interesting possibilities, like having a completely transparent box that does authentication, IDS,
> and throttling, all without changing your network topology.  With a high degree of control over what
> passes through the bridge, you can theoretically even avoid nasty ARP poisoning attacks and broadcast
> domain nastiness.
>
> Anyway, it requires a patched kernel and some new utilities, so I've posted what I've built here:
>
> http://nocat.net/~rob/pebble/
>
> There's a 2.4.20 kernel + modules there (complete with Host AP, of course). The kernel has been patched
> with both the ebtables and the bridge-nf patches (so you can still use iptables to manipulate the firewall
> rules, as well as ebtables).
>
> There's also an updated wireless tools package, the kernel config, and the brctl and ebtables binaries.  I
> don't have a debian box handy to do .deb's, so they're just .tgz's to be extracted from /.  You'll have to
> install the kernel manually.
>
> I don't have NoCat working with the bridge yet, but I'm working on it.
>
> Enjoy,
>
> --Rob
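As an added example (this is not Rob's script and not part of the original page), here is the bridge setup from the post above, wrapped in a script together with the kind of ebtables / iptables fine tuning the two mails allude to: keep DHCP reachable pre-auth, and stop wireless clients from ARP-poisoning or IP-spoofing the wired router and the gateway box. The addresses 10.15.6.2 (the NoCat box) and 10.15.6.1 (the wired default gateway) are taken from the post; the interface names are the post's; which frames to drop on the wireless side, the bridge-nf sysctl name, and the iptables DHCP rule inserted ahead of NoCat's own FORWARD rules are assumptions. Run it with no arguments to print the commands; run it as root with `apply` to execute them.

```shell
#!/bin/sh
# Added example, not the NoCatAuth project's code. Addresses come from the
# post; the filtering policy and the sysctl/iptables lines are assumptions.
# With no argument the commands are only printed; "apply" executes them.

WIRED=eth0
WIRELESS=wlan0
BRIDGE=br0
BRIDGE_IP=10.15.6.2      # the NoCat gateway box (from the post)
UPSTREAM_GW=10.15.6.1    # wired router; wireless clients must not impersonate it
DRY_RUN=${DRY_RUN:-1}    # 1 = print only, 0 = print and execute

run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# Layer 2 bridge exactly as in the post: ports lose their addresses, br0 owns one.
setup_bridge() {
    run ifconfig "$WIRED" 0.0.0.0
    run ifconfig "$WIRELESS" 0.0.0.0
    run brctl addbr "$BRIDGE"
    run brctl addif "$BRIDGE" "$WIRED"
    run brctl addif "$BRIDGE" "$WIRELESS"
    run ifconfig "$BRIDGE" "$BRIDGE_IP"
    run route add default gw "$UPSTREAM_GW"
    # bridge-nf: hand bridged frames to iptables so NoCat's FORWARD rules still
    # capture wireless clients (assumed sysctl name; normally on by default).
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# ebtables decides which frames reach iptables at all. Default policy stays
# ACCEPT: authentication remains NoCat's job in iptables.
ebtables_rules() {
    run ebtables -F FORWARD
    run ebtables -F INPUT
    # A wireless client must never claim the router's or this box's IP in an
    # ARP sender field (classic ARP poisoning of the wired segment and of br0).
    run ebtables -A FORWARD -i "$WIRELESS" -p ARP --arp-ip-src "$UPSTREAM_GW" -j DROP
    run ebtables -A FORWARD -i "$WIRELESS" -p ARP --arp-ip-src "$BRIDGE_IP" -j DROP
    run ebtables -A INPUT   -i "$WIRELESS" -p ARP --arp-ip-src "$UPSTREAM_GW" -j DROP
    # Same for plain IP source spoofing of the router.
    run ebtables -A FORWARD -i "$WIRELESS" -p IPv4 --ip-src "$UPSTREAM_GW" -j DROP
    # No rogue DHCP servers on the air side: server replies come from udp/67.
    run ebtables -A FORWARD -i "$WIRELESS" -p IPv4 --ip-proto udp --ip-sport 67 -j DROP
    # Client DHCP requests (udp 68 -> 67) must cross the bridge so an
    # unauthenticated client can still get its lease from the wired side.
    run ebtables -A FORWARD -i "$WIRELESS" -p IPv4 --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT
}

# The post's pre-auth DHCP requirement lives in iptables, not ebtables: put an
# ACCEPT ahead of whatever NoCat inserts in FORWARD (assumed to be sufficient
# for the NoCat version in use; check its firewall script).
iptables_rules() {
    run iptables -I FORWARD 1 -i "$BRIDGE" -p udp --sport 68 --dport 67 -j ACCEPT
}

case "${1:-}" in
    apply) DRY_RUN=0; setup_bridge; ebtables_rules; iptables_rules ;;
    *)     setup_bridge; ebtables_rules; iptables_rules ;;
esac
```

The ebtables rules are deliberately a short allow/deny list on the wireless port rather than a full policy: with bridge-nf in place, everything they let through is still subject to NoCat's iptables capture, so the two layers divide the work the way the post suggests (ebtables for layer 2 hygiene, iptables for authentication). Adjust the DHCP rule if your server is the gateway box itself rather than a host on the wire.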


CategoryWireless

BridgedNocatAuth (last edited 2005-04-04 06:43:19 by AdamShand)