I agree with Jim. A firewall box should be exclusively a firewall, no matter how 'stout' it is. More components == more attack surface area. Not to mention the intricacies of interaction that might bollix the firewall's mechanisms in a non-repeatable way.
Better to put all analysis packages in another box, which may be realized as a Linux box, which Mark is more comfortable with. Or, you can also save on boxes by installing the analysis mechanisms as a VM, either through KVM or XenServer. Admittedly, the latter requires you to reformat a box, but IMO it is more stable because it does not have to rely on the stability of the Dom0 Linux.

Just my 2 cents.

Rgds,

On 2011-02-03, Jim Pingle <[email protected]> wrote:
> On 2/2/2011 11:35 AM, Mark Jones wrote:
>> The Beta label on 2.0 is holding us back. (Also, last night I tried
>> building 2.0 on 8.1 and it failed, but I don't even see any errors, nor do
>> I know where they are squirreled away.) We are running on 7.2 with 1.2.3
>> and it works. What we are trying to do is add java and openfire so that
>> we can run our IM client/setup on the pfsense box.
>>
>> The fact that portsnap isn't available to do that is a severe problem for
>> us (or maybe it just keeps us from shooting our own foot). Is there some
>> webpage that points out HOW to build an addon for pfsense so that we could
>> do a private addon for java and openfire?
>>
>> I'd also like to move our log analysis/display tool to the pfsense box.
>> It reads snort logs and squid proxy logs and tries to present a coherent
>> view of what has happened yesterday. Right now it's almost pre-alpha and
>> requires we suck the logs off the box and do the work elsewhere. We have
>> a very stout box we are devoting to pfsense so it can carry this load.
>> Any pointers on how you do this would be much appreciated.
>>
>> I can't find any pages that talk about how to build/package an addon for
>> pfsense. This doesn't give any hints as to how to pull it off
>> http://doc.pfsense.org/index.php/Packages#Specific_Package_Information
>>
>> PS: the code we use to display the logs is based on Django and runs in
>> python (mod_wsgi, or mod_python), so that would be the next hurdle....
>
> Sounds like a lot of stuff that doesn't belong on a firewall ;-)
>
> You don't need to build on a firewall, use the ports system on a full
> 7.2 box and just run "make package-recursive" in the ports you want,
> then copy the resulting .tbz files to the pfsense box and add them with
> pkg_add.
>
> It's just like building packages for any FreeBSD system.
>
> You should really be pushing the logs off the firewall and onto a
> dedicated box for that. You really want the firewall to be a firewall,
> not a general purpose box.
>
> Though if you want to install all of that, you will be shooting yourself
> in the foot in one way or another, so you'll be on your own there.
>
> You might at least look into the jailctl package so you can at least
> segregate this stuff off into an area that is isolated from the main
> firewall (and incidentally, you can get make and friends working inside
> of a jail) - though I would still caution against doing any of the
> things you're suggesting on a production firewall. It's an easy way to
> turn a secure, stable firewall into an insecure, unstable
> "one-box-fits-all" device.
>
> Jim

--
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Commercial support available - https://portal.pfsense.org
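The thread's point that every extra daemon on the firewall is extra attack surface can be turned into a routine check. The script below is an added example, not code from the thread or from the pfSense project: it audits a list of listening sockets against an explicit allowlist of services the firewall is expected to expose and flags anything else (here, an IM server and a Django dev server of the kind discussed above). The allowlist is an assumption to be adjusted per deployment, and the sample input is constructed to mimic the column layout of FreeBSD's `sockstat -4l` output; on a live box you would pipe the real command in instead.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense project): flag listening
# services on a firewall host that are not on an explicit allowlist.

# Services a firewall is expected to expose, as "command:port" pairs.
# This allowlist is an ASSUMPTION; adjust it to your own deployment.
ALLOWED="sshd:22 lighttpd:443 dhcpd:67 unbound:53"

# CONSTRUCTED sample, modelled on the column layout of FreeBSD `sockstat -4l`:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  4  tcp4   *:22                  *:*
root     lighttpd   2345  5  tcp4   *:443                 *:*
root     dhcpd      2401  7  udp4   *:67                  *:*
unbound  unbound    2510  3  udp4   *:53                  *:*
www      java       3456  12 tcp4   *:5222                *:*
www      python     3460  4  tcp4   127.0.0.1:8000        *:*'

# Reads sockstat-style lines on stdin and prints "command port" for every
# listener whose command:port pair is not in $ALLOWED.
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "USER" { next }        # skip the header line
        {
            cmd = $2
            port = $6; sub(/^.*:/, "", port)     # keep only the port of LOCAL ADDRESS
            if (!((cmd ":" port) in ok)) print cmd, port
        }'
}

# Wrapper with a non-zero exit status when something unexpected is listening,
# so the check can be run from cron or a monitoring job.
audit_listeners() {
    found=$(unexpected_listeners)
    if [ -n "$found" ]; then
        printf 'Unexpected listeners on firewall:\n%s\n' "$found"
        return 1
    fi
    echo "Only allowlisted services are listening."
    return 0
}

# Run against the constructed sample; it deliberately contains two offenders,
# so the audit reports them and exits 1.
printf '%s\n' "$SAMPLE_SOCKSTAT" | audit_listeners || echo "audit exit status: $?"
```

On a real FreeBSD or pfSense host, replace the sample with `sockstat -4l | unexpected_listeners` (or `sockstat -46l` to include IPv6) and keep the allowlist under version control next to the firewall configuration, so that any new listener, whether a package someone added or something unexpected, shows up as a diff rather than going unnoticed.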
