[CentOS-virt] OT: adding a wifi adapter to openvswitch

Thu Sep 24 12:08:43 UTC 2015
Dmitry E. Mikhailov <d.mikhailov at infocommunications.ru>

On 09/24/2015 04:47 PM, Alvin Starr wrote:
> Actually I do a similar thing.
Do you?

> I use a VM as my home/office firewall.
If your laptop/server/smth is permanently wired to the internet, there's 
no problem bridging this interface to the VM.

But the topic starter wants to connect to the cable or wifi and still 
have a firewall VM. A WiFi client connection with WPA(2) PSK encryption 
allows only the station's MAC in the air.

Thus the topic starter needs some hotplug event scripting, wpa_supplicant 
being started manually, fancy ebtables rules to make it work, some way 
to notify the fw VM that the network config changed so it would rerun 
dhclient. Yeah, and he should have some GUI/TUI to have it managed. No 
NetworkManager GUI here.

>
> It works quite well and I would argue it is as secure as your standard
> firewall based on something like openWRT running on dedicated hardware.
As aforementioned, it's a bit of a complicated setup. And if you're thinking 
security-wise, imagine you need T#r or some fancy VPN to get your job 
done AND due to some minuscule scripting glitch a SINGLE packet would 
fly out of your real IP address - you're busted.

To be self-assured during such an intimate workout, you'd want to have a 
physical cable to the physical router that's performing the encryption 
job. No VPN/T#r/smth - no juice. Simple, bulletproof.

> I also run a wireless AP in bridged mode to allow local network access
> on an appliance.
Do you connect to the AP wirelessly as the client to have a firewall VM 
running over that WiFi?

Or have you connected the AP via cable to the server/router with fw VM 
to provide connectivity to other clients?

> There should be no reason that you could not put both on the same
> physical hardware.
You could. But it's hard to use in the everyday life of typical usage. If 
the user is a sysadm/hacker who doesn't mind issuing several commands 
from the console upon every successful wifi/wired connection - then welcome!

> As for the openvswitch original question.
> Openvswitch has an API that you can access to manage your traffic along
> with supporting Openflow.
> If you can get events from your wireless interface then you could write
> some programs to connect to the switch API.
I do want to see a neat solution, please. Maybe I'm just too lazy.
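A host-side equivalent of the "no VPN - no juice" rule argued for above, added here as an example and not code from the thread or from either poster: an nftables ruleset whose output policy is drop, so a scripting glitch during a hotplug reconnect costs you connectivity rather than a leaked packet, and the drop counter/log shows when something tried. The interface names (wlan0, tun0), the VPN endpoint 203.0.113.10 (a documentation address) and udp/1194 are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values (constructed): physical
# uplink wlan0, tunnel interface tun0, VPN endpoint 203.0.113.10 on udp/1194.

# Print an nftables ruleset: nothing leaves the host unless it goes through
# the tunnel, or is the tunnel's own handshake to the VPN endpoint, or is the
# DHCP exchange the uplink needs to get a lease at all.
build_killswitch() {
    uplink=$1 tun=$2 endpoint=$3 port=$4
    cat <<EOF
flush ruleset
table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "$tun" accept
        # only the VPN handshake itself may use the physical uplink in clear
        oifname "$uplink" ip daddr $endpoint udp dport $port accept
        # DHCP client traffic so the uplink can come up after a reconnect
        oifname "$uplink" udp sport 68 udp dport 67 accept
        # everything else is dropped and logged, so a leak attempt is visible
        counter log prefix "killswitch-drop " drop
    }
}
EOF
}

# Load the generated ruleset into the kernel (needs root and the nft tool).
apply_killswitch() {
    build_killswitch "$@" | nft -f -
}
```

Run `apply_killswitch wlan0 tun0 203.0.113.10 1194` from the hotplug script before wpa_supplicant or dhclient start, and watch the kernel log for `killswitch-drop` entries to catch anything that tried to bypass the tunnel.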