Harry Putnam wrote:
> "Melameth, Daniel D." <[EMAIL PROTECTED]> writes:
> > > There is a facility on the NETGEAR to send all traffic to an
> > > inside machine for whatever reason. It's called a DMZ Server,
> > > although I don't think that is the normal usage of DMZ, but I'm not
> > > experienced enough to know for sure.
> >
> > This might not work the way you are expecting it to. What you
> > really want is a device that can mirror a switched port.
>
> Can you enlarge on this a bit... at least a good guess for google
> strings.
Google for "port mirroring" or "spanned port."
> > > At any rate I want to enable that feature and send all traffic to
> > > the obsd machine. I want to see more of what is happening at the
> > > actual firewall. It has poor logging facilities. None in
> > > realtime. And the fastest is daily by mail unless you want to
> > > logon to the router and do the cumbersome scanning by eye with the
> > > sorry java based interface.
> > >
> > > I don't really want to accept any traffic from the INTERNET via
> > > NETGEAR on the obsd box but want to be able to log specific stuff
> > > as it hits the pf.conf filter. I want to start analyzing what is
> > > coming at me more.
> >
> > I know this doesn't answer your question, but, IMHO, I suggest
> > replacing that consumer class Netgear device with your OpenBSD box
> > and be done with this "whole mess"--then you can do everything you
> > laid out here with minimal complexity and far more flexibility.
>
> I'd be comfortable with that if I knew a little more about pf usage.
> I'm not experienced with it enough to be sure I'm not leaving some
> nasty unexpected hole. Or some other novice error that could have
> more repercussions than I want or know how to deal with.
>
> If taking the chicken way will allow me to learn more about pf and
> enough to not do some stupid novice error that gets me hacked, I
> think I'd prefer it.
>
> Is blocking all and logging specific traffic really hard to
> accomplish?
Outside of the nice PF guide on the OpenBSD site, for the most part, all
you really need to begin with is three rules:
# Interface macros (placeholder names; substitute your real interfaces)
ext_if = "fxp0"
int_if = "dc0"
# Address translation for machines on your LAN
nat on $ext_if from $int_if:network to any -> ($ext_if)
# Block and log all traffic (applies to both directions on every interface)
block log all
# Let LAN packets in on the inside interface, or 'block all' drops them
# before they ever reach the outbound rule below
pass in on $int_if from $int_if:network to any keep state
# Allow internal machines to use the Internet
pass out on $ext_if proto { tcp, udp, icmp } all keep state
This will block all incoming traffic with the exception of traffic
replying to the requests of your workstations--which is likely what your
Netgear is doing now. If you want to see all the traffic that pf is
blocking in real time, just issue a simple 'tcpdump -i pflog0' and have
fun.
Granted, pf doesn't have a point and click web interface, but if you
wanted that you probably wouldn't be using OpenBSD to begin with. Then
again, it appears someone's taken pf (and FreeBSD) and put a pretty face
on it at http://www.pfsense.com.
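As an added example (not part of this thread, and not from the OpenBSD project): once 'tcpdump -i pflog0' is running, the next thing you usually want is a summary of what is being blocked rather than a scrolling wall of packets. The script below parses the "rule N/(match) block in on IF: src > dst: ..." records that tcpdump prints for pflog0 and counts blocked inbound packets by source host and by destination service. The log lines are constructed for the example (RFC 5737 addresses), and the interface name fxp0 is an assumption.

```python
"""Summarise what pf is blocking, from tcpdump's pflog0 output."""
import re
import sys
from collections import Counter

# One tcpdump line from 'tcpdump -n -e -ttt -i pflog0' looks like:
#   <ts> rule 1/(match) block in on fxp0: 203.0.113.5.51234 > 198.51.100.2.22: S ...
# We only care about the part from "rule" onward, so search() is used.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\S+ (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<ifname>\S+): (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)"
)

# Constructed sample, modelled on pflog0 output; the last line is noise.
SAMPLE_PFLOG = """\
000000 rule 1/(match) block in on fxp0: 203.0.113.5.51234 > 198.51.100.2.22: S 1234567:1234567(0) win 5840 <mss 1460> (DF)
000511 rule 1/(match) block in on fxp0: 203.0.113.5.51235 > 198.51.100.2.23: S 1234568:1234568(0) win 5840 (DF)
002003 rule 1/(match) block in on fxp0: 203.0.113.9 > 198.51.100.2: icmp: echo request
010044 rule 1/(match) block in on fxp0: 203.0.113.7.53 > 198.51.100.2.1434: udp 376
000120 rule 1/(match) block in on fxp0: 203.0.113.5.51236 > 198.51.100.2.22: S 1234569:1234569(0) win 5840 (DF)
000300 rule 1/(match) block out on dc0: 192.168.0.10.1026 > 192.168.0.1.137: udp 50
this line is not a pflog record
"""


def split_endpoint(ep):
    """Split 'a.b.c.d.port' into ('a.b.c.d', port); a bare host gets port None."""
    if ep.count(".") == 4:
        host, port = ep.rsplit(".", 1)
        if port.isdigit():
            return host, int(port)
    return ep, None


def parse_line(line):
    """Return a dict describing one pflog record, or None if the line is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src_host, src_port = split_endpoint(m.group("src"))
    dst_host, dst_port = split_endpoint(m.group("dst"))
    rest = m.group("rest")
    # tcpdump names udp and icmp explicitly; TCP is recognised by its flags/seq field.
    if rest.startswith("udp"):
        proto = "udp"
    elif rest.startswith("icmp"):
        proto = "icmp"
    elif src_port is not None:
        proto = "tcp"
    else:
        proto = "other"
    return {
        "rule": int(m.group("rule")), "action": m.group("action"),
        "dir": m.group("dir"), "ifname": m.group("ifname"),
        "src": src_host, "sport": src_port,
        "dst": dst_host, "dport": dst_port, "proto": proto,
    }


def summarize_blocked(lines, ext_if):
    """Count blocked inbound packets on ext_if by source host and (proto, dport)."""
    by_src, by_service = Counter(), Counter()
    parsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        # Outbound blocks and other interfaces are left out of this report.
        if rec["action"] != "block" or rec["dir"] != "in" or rec["ifname"] != ext_if:
            continue
        by_src[rec["src"]] += 1
        by_service[(rec["proto"], rec["dport"])] += 1
    return {"parsed": parsed, "by_src": by_src, "by_service": by_service}


if __name__ == "__main__":
    # Pipe tcpdump into this script, or run it alone to see the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_PFLOG.splitlines()
    summary = summarize_blocked(source, "fxp0")
    print("blocked inbound on fxp0, by source:")
    for host, n in summary["by_src"].most_common(10):
        print(f"  {host:<16} {n}")
    print("blocked inbound on fxp0, by service:")
    for (proto, port), n in summary["by_service"].most_common(10):
        print(f"  {proto}/{port if port is not None else '-':<6} {n}")
```

Run it as `tcpdump -n -e -ttt -l -i pflog0 | python3 pflog_summary.py` (the -l keeps tcpdump's output line-buffered); with no stdin it reports on the embedded sample. Because "block log all" is the only rule doing the logging, everything in the report is traffic pf dropped, which is exactly the view the Netgear's daily mail cannot give you.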