Monday, September 11, 2017

Re: Filtering other network layer protocols with PF

On Mon, Sep 11, 2017 at 10:26:22AM -0500, Christopher Snell wrote:
> Hi,
>
> I have an AT&T fiber connection at home that relies on a crappy,
> proprietary, and insecure [1] router that does proprietary authentication
> with upstream equipment via EAP over 802.1x. Some folks have figured out
> how to bypass it by putting the AT&T router behind their actual firewalls
> and proxying the 802.1x packets to/from the AT&T device, thus faking out
> the upstream gateway.
>
> Unfortunately, the common solution [2] for this is Linux-specific and
> relies on their PF_RING stuff. I was hoping to proxy this protocol in
> OpenBSD without having to use something slow like pcap. As far as I can
> tell from reading man pages, PF does not support this network layer
> protocol (0x888E). Does anybody have any ideas on how I might efficiently
> capture these packets and copy them to another interface?
>
> Chris
>
> [1] https://www.nomotion.net/blog/sharknatto/
> [2] https://github.com/jaysoffian/eap_proxy

Wouldn't it be possible to put the egress port and the port for this device
into a bridge and use bridge filtering rules and then filter everything
in pf?

j.
