[PLUG] Fun with IPTables

Tony Schlemmer aschlemm at comcast.net
Mon Jul 31 16:26:53 UTC 2006


On Friday 28 July 2006 14:12, plug_0 at robinson-west.com wrote:
[snip]
>
> How many people here know how to enable WEP, IPSEC, etc?  I don't.  I use
> hostap, when it comes to WEP I've never been able to get a working
> connection.
>
> Makes me wonder if IPSec is a better approach than trying to figure out
> WEP, but I've never done that either, even for wired networks.

In terms of supporting WEP or WPA I've never found Linux as easy to configure 
as WinXP. But with a little bit of effort I've been able to use both WEP and 
WPA-PSK with Linux. WEP is easy as I've used a program like "kwifimanager" 
for setting up WEP for several networks. It's also possible to set the WEP 
key on WIFI from the command line using "iwconfig" and I've done it with a 
simple shell script that scanned the available WIFI networks and, when it 
detected a network ID it recognized, set the WEP key accordingly. 

WEP is so easy to crack though that I generally avoid using it for any WIFI 
network that I manage. When I did have to use WEP I went through extreme 
measures and put the WIFI side of the network on its own subnet and used an 
OpenBSD firewall with "authpf" support. To get to the internal side of the 
network users had to log in to the firewall via SSH which caused "authpf" to 
dynamically update the firewall rules to allow packets from the given WIFI 
client to traverse from the WIFI subnet to the internal network. When the SSH 
session was closed the firewall rules were updated to remove the WIFI 
client's ability to access the internal network.

For WPA secured WIFI networks though I felt like I had to jump through a few 
hoops since an extra daemon process is required to support WPA using a 
program called "wpa_supplicant". Unless one's Linux distro supplied a working 
version of the "wpa_supplicant" it has to be built with support for whatever 
WIFI chipset is being used. I wasn't able to get the WIFI drivers included 
with SuSE 9.2 to work with the "wpa_supplicant" daemon so I had to 
resort to getting a newer version of the ipw2200 and ieee80211XXX drivers from 
sourceforge and building them myself. 

With the updated Intel drivers I was able to get WPA-PSK support working but 
anytime I installed an updated kernel from SuSE I'd have to rebuild my WIFI 
drivers and install my updates over the SuSE supplied kernel modules to get 
WPA support working again which made me dread installing kernel updates 
because of the extra work involved.

I was so happy when I upgraded to SuSE 10.0 though as they included support 
for WPA into YaST2 so it was just a simple matter of setting my passphrase 
and allowing YaST2 to automatically install the "wpa_supplicant" package. I 
had held off upgrading for months for fear of breaking my WIFI support since 
I wasn't sure if SuSE 10.0 would fix or break my WPA-PSK support.

Sorry for the long post but IMHO I think more work needs to be done for WIFI 
support for both WEP and WPA in Linux. Support is there and one just needs to 
figure out what to use depending on what encryption method a given WIFI 
network needs. But I wish it was as easy to configure WIFI support as it is 
under WinXP. 

Tony.

-- 
Anthony Schlemmer
aschlemm at comcast.net
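
The authpf arrangement described in the message above, sketched as an added example that is not part of the original post or the poster's actual configuration. Interface names and subnets are assumptions, and the syntax is that of current OpenBSD pf rather than the 2006 release.

```conf
# ---- /etc/pf.conf (excerpt) ----
wifi_if  = "wi0"               # assumed: interface facing the wireless subnet
wifi_net = "192.168.50.0/24"   # assumed: wireless subnet
int_net  = "192.168.1.0/24"    # assumed: internal network

# authpf adds each authenticated client's address to this table if it exists.
table <authpf_users> persist

# Wireless clients are blocked by default ...
block in on $wifi_if all
# ... except for SSH to the firewall itself, which is how they authenticate.
pass in on $wifi_if inet proto tcp from $wifi_net to ($wifi_if) port ssh

# Per-session rules are loaded under this anchor while the SSH login is open
# and flushed when the session ends.
anchor "authpf/*"

# ---- /etc/authpf/authpf.rules ----
# Loaded into the per-session anchor. authpf sets $user_ip to the address the
# SSH connection came from. Macros defined in pf.conf are not visible here,
# so the ones needed are repeated.
wifi_if = "wi0"
int_net = "192.168.1.0/24"
pass in quick on $wifi_if inet from $user_ip to $int_net

# ---- /etc/authpf/authpf.conf ----
# Must exist (it may be empty), otherwise authpf refuses to run.

# ---- /etc/ssh/sshd_config (excerpt) ----
# Detect dead sessions quickly so a departed client's rules do not linger.
ClientAliveInterval 15
ClientAliveCountMax 3

# Gateway accounts use /usr/sbin/authpf as their login shell, so an SSH login
# grants access through the firewall but no command line on it.
```

Because the rule is keyed on the source address only, access lasts exactly as long as the SSH session; anything else on the wireless subnet stays behind the default block.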
