Hi Forrest,
Having the ossec-server in the internal system is actually the right way of doing it. To configure ossec to always do the blocking at the firewall, just change your active response configuration from "local" to "defined-agent" and give the agent_id of the firewall.

Example (running all firewall-drop responses on the agent 003):

  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>003</agent_id>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/8/06, Forrest Aldrich <[EMAIL PROTECTED]> wrote:
I have a server and agent that I'm testing. The configuration is:

  agent = firewall
  server = internal system

The internal system is being NAT'd to for mail and some other things.

What I want to have happen is firewall rules get dropped in for the active-response, but they should be sent to the agent (firewall) not the server. I realize that's backwards about how it normally works; however, it seems to me that having the "server" on the peripheral network isn't the most secure way of doing this.

I will reconfigure it all if necessary, if that's the only way this will really work well...

Thanks.
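
An added example, not part of the original thread or of the OSSEC project: a small check that reads an ossec.conf fragment and reports every firewall-drop active-response block that would not run on the firewall agent. The function name, the sample configuration and the assumption that the firewall is agent 003 (as in the reply's example) are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf fragment (not from the thread): block 0 uses
# "local", block 1 is the form shown in the reply, block 2 omits agent_id.
SAMPLE_CONF = """
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <agent_id>003</agent_id>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>defined-agent</location>
    <level>6</level>
  </active-response>
</ossec_config>
"""

def audit_active_responses(conf_text, command="firewall-drop", firewall_agent="003"):
    """Return (index, problem) for each `command` block not bound to the firewall agent."""
    # ossec.conf may hold several <ossec_config> roots, so wrap before parsing.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    findings = []
    for i, ar in enumerate(root.iter("active-response")):
        if (ar.findtext("command") or "").strip() != command:
            continue
        location = (ar.findtext("location") or "").strip()
        agent_id = (ar.findtext("agent_id") or "").strip()
        if location != "defined-agent":
            findings.append((i, f"location is '{location}', not 'defined-agent'"))
        elif not agent_id:
            findings.append((i, "defined-agent without agent_id"))
        elif agent_id != firewall_agent:
            findings.append((i, f"agent_id {agent_id} is not the firewall ({firewall_agent})"))
    return findings

if __name__ == "__main__":
    for idx, problem in audit_active_responses(SAMPLE_CONF):
        print(f"active-response #{idx}: {problem}")
```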
