macaddr_acl not taken into account in hostapd settings

patpro

patpro

Hello,

I run a WIFI AP on a FreeBSD box for years now, and I've recently switched from a 6.4 to a 8.1. Many things have changed, but I think I've handled the switch pretty well... until last night, when I've noticed that hostapd won't take my macaddr_acl=1 setting into account.

Here are my /etc/hostapd.conf settings;

Code: 
# grep ^[^#] /etc/hostapd.conf 
interface=wlan0
logger_syslog=-1
logger_syslog_level=1
logger_stdout=-1
logger_stdout_level=1
debug=2
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=youdontknowme
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
auth_algs=3
eapol_key_index_workaround=0
own_ip_addr=127.0.0.1
wpa=1
wpa_passphrase=my very little secret
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP

and rc.conf:

Code: 
ifconfig_wlan0="inet 192.168.1.1 netmask 255.255.255.0 ssid youdontknowme mode 11g pureg up"

Despite macaddr_acl=1, I can still connect with unknown Wifi client to my hostapd.

Any idea?
 
To be honest MAC address filtering is utterly useless as a security precaution. Your MAC addresses are transmitted in the clear even when you use encryption. A would-be-attacker can easily grab them when monitoring the traffic. It's also trivial to change a MAC address on a network card, even on Windows.
 
SirDice said:
To be honest MAC address filtering is utterly useless as a security precaution. Your MAC addresses are transmitted in the clear even when you use encryption. A would-be-attacker can easily grab them when monitoring the traffic. It's also trivial to change a MAC address on a network card, even on Windows.
Click to expand...

I know all of this, but I know too that it's often the less protected wifi network that will be hacked in the first place (just because it's easier, and faster). A weak obstacle is always better than no obstacle at all, as long as you know it's weak. And I know that.
 
Yes, but the strength of your security comes from the chosen encryption and pass-phrase, not the MAC filtering.
 
When you protect against other MAC addresses, the attacker will take your MAC and you won't even see his real MAC in your logs. You are actually making your security worse.
 
SirDice: by the way, what do you think about my config? (except the passphrase of course, which is not the actual one)

nakal: MAC address is not trustable (it's a user input, like User Agent in HTTP). So if I found one attacker MAC address in my logs, it's probably forged.

That said, I'm not here to debate security, I just want that setting to work as it should, and understand why it's not taken into account.
 
MAC address is not trustable (it's a user input, like User Agent in HTTP). So if I found one attacker MAC address in my logs, it's probably forged.
Click to expand...

You cannot know it, maybe you are lucky (btw, even when someone uses fake MACs it might be possible to find his real MAC).

But if you only allow your own MACs, it will be surely forged and you never get any additional information about the attacker.
 
patpro said:
That said, I'm not here to debate security, I just want that setting to work as it should, and understand why it's not taken into account.
Click to expand...

Can you verify that the macaddr_acl option ever worked? It isn't mentioned in hostapd.conf(8) and I don't see any handling in the driver_freebsd.c glue. Based on that I suppose it never actually worked.
 
nakal said:
You cannot know it, maybe you are lucky (btw, even when someone uses fake MACs it might be possible to find his real MAC).

But if you only allow your own MACs, it will be surely forged and you never get any additional information about the attacker.
Click to expand...

I don't think luck has anything to do with security. And I'm pretty confident I can get additional information about an attacker, because I'm logging all the wifi traffic going through my AP.


bschmidt: I can't verify, because I don't want to re-install a FreeBSD 6.x. I've created my AP back in 2007, running FreeBSD 6.2 (back in the time, the hostapd.conf man page was just a place holder). I'm sure it worked at this time. Now that I'm running 8.x, it does not work anymore, so may be you're right, and it can't work.
 
michal: that's interesting, thank you. It looks like it's impossible to provide a file (MAC address list) :(
Did you try to provide mac:add XXXXXX in your ifconfig_wlan0 setting in rc.conf?
 
You must log in or register to reply here.
Back
Top