Harry Putnam wrote:

> "Melameth, Daniel D." <[EMAIL PROTECTED]> writes:
>
> > > There is a facility on the NETGEAR to send all traffic to an
> > > inside machine for whatever reason. It's called a DMZ Server
> > > although I don't think that is the normal usage of DMZ, but not
> > > experienced enough to know for sure.
> >
> > This might not work the way you are expecting it to. What you
> > really want is a device that can mirror a switched port.
>
> Can you enlarge on this a bit... at least a good guess for google
> strings.
Google for "port mirroring" or "spanned port."

> > > At any rate I want to enable that feature and send all traffic to
> > > the obsd machine. I want to see more of what is happening at the
> > > actual firewall. It has poor logging facilities. None in
> > > realtime. And the fastest is daily by mail unless you want to
> > > logon to the router and do the cumbersome scanning by eye with the
> > > sorry java based interface.
> > >
> > > I don't really want to accept any traffic from the INTERNET via
> > > NETGEAR on the obsd box but want to be able to log specific stuff
> > > as it hits the pf.conf filter. I want to start analyzing what is
> > > coming at me more.
> >
> > I know this doesn't answer your question, but, IMHO, I suggest
> > replacing that consumer class Netgear device with your OpenBSD box
> > and be done with this "whole mess"--then you can do everything you
> > laid out here with minimal complexity and far more flexibility.
>
> I'd be comfortable with that if I knew a little more about pf usage.
> I'm not experienced with it enough to be sure I'm not leaving some
> nasty unexpected hole. Or some other novice error that could have
> more repercussions than I want or know how to deal with.
>
> If taking the chicken way will allow me to learn more about pf and
> enough to not do some stupid novice error that gets me hacked. I
> think I'd prefer it.
>
> Is blocking all and logging specific traffic really hard to
> accomplish?

Outside of the nice PF guide on the OpenBSD site, for the most part, all
you really need to begin with is three rules:

# Interface macros (placeholders, not part of the original three rules;
# substitute the real interface names of the box)
ext_if = "ne0"
int_if = "ne1"

# Address translation for machines on your LAN
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Block and log all traffic
block log all

# Let LAN packets in on the internal interface (without this, 'block log all'
# drops them on $int_if before they can be forwarded)
pass in on $int_if from $int_if:network to any keep state

# Allow internal machines to use the Internet
pass out on $ext_if proto { tcp, udp, icmp } all keep state

This will block all incoming traffic with the exception of traffic
replying to the requests of your workstations--which is likely what your
Netgear is doing now.
If you want to see all the traffic that pf is blocking in real time, just issue a simple 'tcpdump -i pflog0' and have fun. Granted, pf doesn't have a point and click web interface, but if you wanted that you probably wouldn't be using OpenBSD to begin with. Then again, it appears someone's taken pf (and FreeBSD) and put a pretty face on it at http://www.pfsense.com.
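As an added example, not taken from this thread or any poster's configuration, here is a fuller pf.conf in the same pre-4.7 syntax as the rules above. It keeps the block-and-log-everything default but silences the noise you would not want filling pflog0, and shows how to switch to logging only a short list instead; the interface names and the port lists are assumptions.

```pf
# Constructed example pf.conf, not the poster's file. Interface names and
# the "noisy" port list are placeholders; adjust them to the real machine.
ext_if = "ne0"                    # placeholder: interface facing the Internet
int_if = "ne1"                    # placeholder: interface facing the LAN
noisy  = "{ 137, 138, 139, 445 }" # NetBIOS/SMB chatter not worth logging

# Address translation for the LAN (pre-4.7 syntax; newer OpenBSD uses
# 'match out on $ext_if from $int_if:network nat-to ($ext_if)')
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default policy: anything no later rule matches is dropped AND logged.
# Logged packets appear on pflog0 and are written to /var/log/pflog by pflogd.
block log all

# Never filter loopback
pass quick on lo0 all

# Drop packets whose source address could not legitimately arrive on that
# interface; 'quick' means no later rule can override this.
antispoof log quick for { lo0, $ext_if, $int_if }

# Silence (no 'log') the constant background noise so that what is left in
# pflog0 is worth reading. Still blocked, just not recorded.
block in quick on $ext_if inet proto { tcp, udp } from any to any port $noisy

# LAN machines may reach the firewall and be forwarded through it
pass in on $int_if from $int_if:network to any keep state

# Let traffic leave via the Netgear/Internet side; replies are matched by
# the state table, so no 'pass in on $ext_if' rule is needed at all.
pass out on $ext_if proto { tcp, udp, icmp } all keep state

# To log only a short list instead of everything, change the default to a
# silent 'block all' and add logged rules such as:
#   block in log quick on $ext_if inet proto tcp from any to ($ext_if) port { 22, 80 }
#
# Watching the result (shell commands, not pf.conf):
#   tcpdump -n -e -ttt -i pflog0                      # real time
#   tcpdump -n -e -ttt -r /var/log/pflog port 22      # later, from the log file
```

Check the syntax with 'pfctl -nf /etc/pf.conf' before loading it with 'pfctl -f /etc/pf.conf', so a typo never leaves the box with no rules at all.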