Strange wifi problem

Discussion in 'LnS English Forum' started by SimonW, Nov 19, 2005.

Thread Status:
Not open for further replies.
  1. SimonW

    SimonW Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    115
    Location:
    Leicester, UK
    Hi,

    I've just purchased a new wireless router (Netgear WGT624) and set up wpa security. To start with I got no web access so I downloaded and added the secured wifi rule from the LnS website, which initially solved my connectivity issues - however after around 10 minutes it seems as if some kind of additional re-authentication occurs and my connection is being blocked to the router by the final 'All other packets' rule. The log in the attached screenshot shows that ETH 888E entries are being blocked even though the wifi rule is present and active (as this allowed me my initial access).


    After hunting around I came across this thread: https://www.wilderssecurity.com/showthread.php?t=99065 which mentions another rule which authorizes non IP and non ARP ethernet types (other_eth_protocols.rie) and once I added this rule everything is now working correctly again.

    I don't know if anyone can tell me why this happens or if I could have altered just the raw wifi rule alone and solved my problem?


    Many thanks
    Simon W
     


  2. SimonW

    SimonW Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    115
    Location:
    Leicester, UK
    and here is the internet rules list showing both rules active:
     


  3. JF

    JF LnS Support

    Joined:
    Jan 12, 2003
    Posts:
    294
    Simon,

    I suggest you remove both rules and download the latest WiFi rule from here.

    http://www.looknstop.com/En/rules/rules.htm#wifi

    Here is the explanation of the problem you faced:

    The first rule in your list authorizes any non IP and non ARP ethernet frame, which includes the 0x888E ethernet frames used by the EAP protocol used by WPA WiFi security. This rule is fine but a bit too wide as it opens more ethernet frame types than the single 0x888E.

    The second rule in your list is supposed to authorize only 0x888E ethernet frames. Actually, there was a mistake in this rule which authorizes 0x888E ethernet frames, but only between two given ethernet addresses to be edited in the rule. If the source and destination MAC addresses of an ethernet frame do not match the addresses set in the rule, the ethernet frame is blocked. As editing these MAC addresses requires setting up the raw rule plugin, this is not something easy for most users and we prefer not to propose such a complex rule to import.
    So, the wifi_secure.rie file has been updated to only authorize 0x888E ethernet frames (both inbound and outbound), without any filtering on source/dest MAC address.

    I hope this latest rule will be fine and I am sorry for the issue you faced.

    Regards,
    JF
     
  4. SimonW

    SimonW Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    115
    Location:
    Leicester, UK
    Many thanks for the updated wifi rule and the detailed explanation JF ! :)

    I have downloaded the new .rie file and will see how I get on - I'll report back in the next day or so.


    Regards
    Simon
     
  5. SimonW

    SimonW Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    115
    Location:
    Leicester, UK
    I can confirm that everything is working perfectly with the updated wifi rule!!


    Thanks
    Simon
     
  6. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    JF,

    After updating my WLAN-client card driver I also see blocks of "0x888E ethernet" packets. However, on my system I only get 3 initial blocks and that's it! No more of these logs after that. Since my WiFi connection seems to work just fine, do I need to download/activate your latest WiFi rule? Or is this rule just made to keep the log file "clean"?

    Thanks,
    Thomas :)
     
  7. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    Just be sure that everything will function in a week's time too and download the rule. I got terrible problems with WiFi after some time and this rule solved it all. Better be sure than sorry :)
     
  8. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    JF,
    Where can I get some information on the "raw rule plugin"? I would like to edit the MAC address fields for your "WiFi secured connection rule".
    I assume this cannot be done with the "default rule edition"...

    Thanks,
    Thomas :)



    P.S.: Edwin: Thanks for your advice :)
     
  9. JF

    JF LnS Support

    Joined:
    Jan 12, 2003
    Posts:
    294
    Re: Strange wifi problem - Raw rule edition of MAC address

    Thomas,

    Here are generic explanations on rule edition plugins.
    http://www.looknstop.com/En/plugin_ruleedition_use.htm

    And here is some more information on the raw rules edition plugin.

    The raw rules edition plugin provides packet filtering capabilities defined this way:
    - Up to 10 filters per raw rule. Each filter applies to a given field of a packet.
    - A given packet matches a rule if all field filters of the rule match the corresponding fields of the packet.
    - Each filter applies to either inbound, outbound or inbound+outbound packets.
    - Each field filter is defined by a field offset and field values.
    - The field offset type may be either Ethernet, IP or TCP.
    - The field offset is also defined by an inbound and an outbound offset, i.e. a number of bytes relative to the first byte of the field (its position depends on the field type).
    - The field values allow specifying what particular packets will match the filter.
    - Depending on the filtering criteria (see below), one or two field values and possibly the field mask will be used.
    - The field size allows setting the number of bytes (1 to 6) of the field.
    - One of several filtering criteria may be set for each field filter. NA stands for Not Applicable, which means that the specific field filter is unused. The easiest criteria is EQUAL_VALUE1, which means that a packet will match the field filter if the corresponding bytes ("Field size" bytes starting from the "Field offset") are identical.

    The value display mode is helpful to edit some fields in various formats (decimal, hexadecimal with byte split, decimal with byte split). For example, IP and MAC addresses are easier to edit with byte split.

    To filter the MAC address of packets in addition to the 0x888E ethernet type, you may edit one rule applying to both directions and set:
    - Field 1 filter corresponding to the MAC address of the sender.
    (6 bytes size with 6 bytes offset relative to beginning of Ethernet frame)
    - Field 2 filter corresponding to the MAC address of the receiver.
    (6 bytes size with 0 bytes offset relative to beginning of Ethernet frame)
    For each field, set the filtering criteria to EQUAL_VALUE1 and set your own MAC address in the Value1 zone.

    I hope this is clear enough. Thank you in advance for your feedback.

    Regards,
    JF
     
    Last edited: Nov 29, 2005
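
Added example (not part of the thread and not Look 'n' Stop code): a minimal Python model of the raw-rule matching JF describes in post 9, limited to the EQUAL_VALUE1 criterion on Ethernet offsets and using one offset per filter instead of the plugin's separate inbound and outbound offsets. The MAC addresses, frames and helper names are constructed for illustration; it shows why the MAC-restricted rule from post 3 blocked 0x888E frames while the EtherType-only rule lets them through.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FieldFilter:
    offset: int    # bytes from the first byte of the Ethernet frame
    size: int      # field size, 1 to 6 bytes
    value1: bytes  # bytes compared under EQUAL_VALUE1

    def __post_init__(self):
        if not 1 <= self.size <= 6 or len(self.value1) != self.size:
            raise ValueError("field size must be 1..6 and equal len(value1)")

    def matches(self, frame: bytes) -> bool:
        # A truncated frame yields a short slice and therefore no match.
        return frame[self.offset:self.offset + self.size] == self.value1

def rule_matches(filters, frame: bytes) -> bool:
    """A frame matches a raw rule only if every field filter matches."""
    if not 1 <= len(filters) <= 10:
        raise ValueError("a raw rule holds up to 10 field filters")
    return all(f.matches(frame) for f in filters)

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def eth_frame(dst: str, src: str, ethertype: int, payload: bytes = b"\x00" * 4) -> bytes:
    # Ethernet II layout: destination MAC (0-5), source MAC (6-11), EtherType (12-13)
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + payload

# Constructed, locally administered addresses (not taken from the thread).
STATION, ROUTER = "02:00:00:00:00:01", "02:00:00:00:00:02"
UNEDITED_SRC, UNEDITED_DST = "02:00:00:00:00:aa", "02:00:00:00:00:bb"

ETHERTYPE_888E = FieldFilter(offset=12, size=2, value1=b"\x88\x8e")
src_is = lambda m: FieldFilter(offset=6, size=6, value1=mac(m))  # sender MAC
dst_is = lambda m: FieldFilter(offset=0, size=6, value1=mac(m))  # receiver MAC

# Rule as first published: 0x888E plus two MAC fields the user never edited.
ORIGINAL_RULE = [src_is(UNEDITED_SRC), dst_is(UNEDITED_DST), ETHERTYPE_888E]
# Updated rule: 0x888E only, no MAC filtering.
UPDATED_RULE = [ETHERTYPE_888E]
# Hand-edited rule: 0x888E from the router to this station.
EDITED_RULE = [src_is(ROUTER), dst_is(STATION), ETHERTYPE_888E]

INBOUND = eth_frame(dst=STATION, src=ROUTER, ethertype=0x888E)
OUTBOUND = eth_frame(dst=ROUTER, src=STATION, ethertype=0x888E)
ARP = eth_frame(dst=STATION, src=ROUTER, ethertype=0x0806)

if __name__ == "__main__":
    for name, rule in [("original", ORIGINAL_RULE), ("updated", UPDATED_RULE), ("edited", EDITED_RULE)]:
        print(name, [rule_matches(rule, f) for f in (INBOUND, OUTBOUND, ARP)])
```

With a single fixed offset per filter, the hand-edited rule matches only the router-to-station direction; the reply direction needs the source and destination values swapped.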
  10. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Thanks a lot, JF !

    Thomas :)
     