This is a discussion on Re: Detecting Wireless Ethernet Frames within the Linux Security forums, part of the System Security and Security Related category.
Dan Smith <dsmith@nospam.danplanet.com> wrote:
> I was wondering if there is a way to detect (hopefully through iptables)
> ethernet frames that originated from a wireless client. I would like to
> be able to have sensitive machines block access to specific ports if
> they're coming from the wireless LAN. I have a normal wired LAN with
> many computers, and a wireless segment (using a Linksys AP) for a few
> mobile units. I thought maybe there was some way of checking a flag on
> the frames to determine if they originated from a WLAN machine (and / or
> traversed the AP).

I don't think there's any way of distinguishing wireless packets from (er) wired ones. Particularly since it is not difficult to change the MAC on a wireless interface.

Can you tell the Linksys AP to only accept certain MACs? Then you can subject any packets on the wire that claim to come from one of those MACs to your rules.

Better, though, would be to put the AP on its own ethernet segment and bridge or route traffic from it through a firewall. You could achieve this by putting an extra ethernet card into a spare Linux / *BSD machine:

    --LAN---[eth0:Firewall:eth1]--X---WirelessAP

(X = maybe crossover cable)

This way you can treat any packets that come in on the eth1 interface as suspicious, neatly sidestepping any issues of spoofed packets, etc. Unless you're running 802.11g or something fancy like that the load on the firewall will be minimal.

S.
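An added example, not code from either poster, of the iptables rule set that the two-interface layout in this reply calls for; the interface names, the two subnets and the list of "sensitive" ports are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): firewall rules for the layout
#   --LAN---[eth0:Firewall:eth1]--X---WirelessAP
# Assumptions (constructed, not from the thread): eth0 faces the wired LAN,
# eth1 faces the AP, the LAN is 192.168.1.0/24, the wireless subnet is
# 192.168.2.0/24, and the "sensitive" ports are SSH, SMB and NFS.
LAN_IF=eth0
WLAN_IF=eth1
LAN_NET=192.168.1.0/24
WLAN_NET=192.168.2.0/24
SENSITIVE_TCP="22 139 445 2049"
SENSITIVE_UDP="2049"
IPTABLES="${IPTABLES:-iptables}"

# Emit the rule set as text so it can be reviewed before it is applied.
# Matching on the ingress interface (-i eth1) is what makes this robust:
# a wireless client can forge its MAC, but not the cable it arrives on.
build_rules() {
    # A packet on the wireless interface without a wireless-subnet source
    # address is spoofed or misrouted: drop it before any other check.
    echo "$IPTABLES -A FORWARD -i $WLAN_IF ! -s $WLAN_NET -j DROP"
    # Sensitive ports are closed to the wireless side, open to the wired LAN.
    for p in $SENSITIVE_TCP; do
        echo "$IPTABLES -A FORWARD -i $WLAN_IF -o $LAN_IF -d $LAN_NET -p tcp --dport $p -j DROP"
    done
    for p in $SENSITIVE_UDP; do
        echo "$IPTABLES -A FORWARD -i $WLAN_IF -o $LAN_IF -d $LAN_NET -p udp --dport $p -j DROP"
    done
    # Log remaining wireless-to-LAN traffic (detection), then let it through.
    echo "$IPTABLES -A FORWARD -i $WLAN_IF -o $LAN_IF -j LOG --log-prefix 'wlan-fwd: '"
    echo "$IPTABLES -A FORWARD -i $WLAN_IF -o $LAN_IF -j ACCEPT"
    # Replies from the wired LAN back to wireless clients, established flows only.
    echo "$IPTABLES -A FORWARD -i $LAN_IF -o $WLAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Feed the rules to a shell that aborts on the first iptables failure (root needed).
apply_rules() {
    build_rules | sh -e
}

# Usage: sh wlan-fw.sh        -> print the rules
#        sh wlan-fw.sh apply  -> apply them
case "${1:-}" in
    apply) apply_rules ;;
    *) build_rules ;;
esac
```

The rules are appended to FORWARD, so the chain's default policy and whatever wired-side rules the box already has are left untouched; ip_forward must be enabled for the machine to route between the two cards at all.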
> I don't think there's any way of distinguishing wireless packets from
> (er) wired ones. Particularly since it is not difficult to change the
> MAC on a wireless interface.

Well, that's one of the problems. I think I could limit all MACs other than the ones I know about, but since MAC spoofing is easy, it'd be useless.

> Can you tell the Linksys AP to only accept certain MACs? Then you can
> subject any packets on the wire that claim to come from one of those
> MACs to your rules.

Apparently I can, although it would be very difficult to administer that list. I was hoping to be able to blanket any wireless ethernet packets, instead of maintaining the list...

> Better, though, would be to put the AP on its own ethernet segment and
> bridge or route traffic from it through a firewall. You could achieve
> this by putting an extra ethernet card into a spare Linux / *BSD
> machine:

Yes, I used to do this before I had an access point. I had a wireless card in my Linux router, which allowed much control (which I miss). Maybe this would be the best idea...

Does anyone know if there's anything that the AP does to the ethernet packet that would identify it as coming from the AP? Like tagging its MAC address in the frame (like a comment)? Just hoping here ;)

Thanks!

--Dan