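# $OpenBSD: hostapd.conf,v 1.1 2014/07/11 16:36:35 deraadt Exp $
# sample hostapd configuration file
# see hostapd.conf(5)

# "wavelan is a battle field"

#
# Macros
#

# Define macros for the interfaces to be used by hostapd. The "wlan"
# interface is optional.
wlan="ath0"
wired="sis0"

#
# Tables
#

# Define the MAC addresses (BSSIDs) for your access points in a table.
#
# The two addresses below are the sample's values. Every rule further
# down that tests "bssid !<myess>" treats any BSSID missing from this
# table as foreign, so list all of your own access points here before
# running with those rules enabled.
table <myess> {
    00:90:4b:0d:fd:c8,
    00:02:6f:21:ea:8b
}

# Address masks provide a simple way to match by MAC vendor ID.
#
# table <senao> { 00:02:6f:ff:ff:ff & ff:ff:ff:00:00:00 }

#
# Global options
#

# Comment this option to run hostapd in passive IAPP logging mode.
set hostap interface $wlan

# Use default radiotap mode.
set hostap mode radiotap

# Uncomment these options to jump to the next channel every 2 seconds
# (the delay is given in milliseconds).
#set hostap hopper interface $wlan
#set hostap hopper delay 2000

# Use multicast (according to the revised standard).
set iapp interface $wired
set iapp mode multicast

# The following mode is compatible with some pre-standard IAPP
# implementations.
#set iapp mode broadcast port 2313

#
# Event rules
#
# Rules are written in the order they are meant to be evaluated; keep
# that order when editing, because the two "skip" rules near the end
# change which later rules still see a frame (see hostapd.conf(5)).

# Log probe requests by forwarding them, radiotap-encapsulated, over
# the IAPP interface.
hostap handle type management subtype probe request \
    with iapp type radiotap

# Log and annoy foreign access points.
#
# This will be logged as well but the important thing is to
# annoy other access points in your wireless territory.
#
# Match:  any data frame whose BSSID is not in <myess>.
# Action: send a deauthentication frame (reason "auth expire") whose
#         source and BSSID are copied from the matched frame (&bssid)
#         and whose destination is the broadcast address.
#
# This is the only enabled rule in this file that transmits on the
# wireless interface; the others log or forward over IAPP. Comment it
# out to keep hostapd monitoring-only. Its scope is decided entirely
# by the <myess> table: an access point of yours that is missing from
# the table is matched like any other.
hostap handle type data bssid !<myess> \
    with frame type management subtype deauth reason auth expire \
    from &bssid to ff:ff:ff:ff:ff:ff bssid &bssid

# The first de-auth example will not work with some newer stuff, like
# iwi(4)/ipw(4) "centrino", because they ignore management frames to
# the broadcast address as a countermeasure against the "void11"
# attack. The variant below addresses the frame to the sender of the
# matched frame (&from) instead of the broadcast address.
#
# hostap handle type data bssid !<myess> \
#     with frame type management subtype deauth reason auth expire \
#     from &bssid to &from bssid &bssid

# Detect flooding of management frames except beacons.
# This will detect some possible Denial of Service attacks
# against the IEEE 802.11 protocol (like "void11").
#
# Detection only: the action is "log", and the rule is rate-gated at
# 100 matching frames per 10 seconds. The threshold is the sample's
# value; tune it to the normal management-frame volume of your site
# so that busy periods are not logged as floods.
hostap handle skip type management subtype ! beacon \
    with log \
    rate 100 / 10 sec

# Finally log any rogue access points, limited to once every second.
# Beacons from BSSIDs outside <myess> are forwarded over IAPP in
# radiotap encapsulation; nothing is transmitted on the wireless side.
hostap handle skip type management subtype beacon bssid !<myess> \
    with iapp type radiotap limit 1 sec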