Discussion:
pf.conf to log specific but block all
Harry Putnam
2006-02-25 02:58:11 UTC
I want to use pf.conf in what may be an unusual place.

Not the usual shield between private net and internet.
It would be more as a logging service but will need some config to
allow two private net machines to access it.

A network picture:

INTERNET
|
DSLmodem
|
NETGEAR FW/router
-----------------------------------
| | | | | | |
m1 m2 m3 m4 m5 m6 m7

m6 is an obsd-3.8 machine now running current

The ports on the Netgear are switched ports so not like a simple
hub.

There is a facility on the NETGEAR to send all traffic to an inside
machine for whatever reason. It's called a DMZ Server, although I don't
think that is the normal usage of DMZ, but I'm not experienced enough to
know for sure.

At any rate I want to enable that feature and send all traffic to the
obsd machine. I want to see more of what is happening at the actual
firewall. It has poor logging facilities. None in realtime. And the
fastest is daily by mail unless you want to logon to the router and do
the cumbersome scanning by eye with the sorry Java-based interface.

I don't really want to accept any traffic from the INTERNET via
NETGEAR on the obsd box but want to be able to log specific stuff as
it hits the pf.conf filter. I want to start analyzing what is coming
at me more.

I will need to be able to access the obsd box via ssh from one other local
(priv) lan machine and it will need to be accessible to the private
side of the NETGEAR.

I'm not skilled enough with pf.conf to set this up just from the
examples provided in the PF section of the FAQ and man pages. But I'm
hoping to gain enough knowledge about using PF to eventually replace
the NETGEAR with an old beater running obsd or maybe even a soekris
box.

I hoped someone might provide a rough outline of what something like
this would need to look like.

How much of the boiler plate in the PF examples would apply, etc.

Maybe including what things would have to be allowed for the obsd box
to be a normal resident of the lan in terms of dns arp ssh access and
so on. And how to block all in bound internet traffic but be able to
log specific stuff.

An example might be that I received 13000 hits over a 5 day period on
an ssh port I'd left open at the firewall. It appears to be several
dictionary attacks, carried out by some 15 unique IPs. That seemed
pretty excessive and made me wonder what brought it on.

And at least it's in my syslog logs so I can work on it with all the
normal unix tools.

But I'm not really sure what goes on at the firewall since I've never
really got too involved with working with the dos files it sends beyond
scanning manually from time to time. They have lots of goofy tabs and
dashes making script based scanning somewhat hazardous for a poorly
skilled scripter.

I've closed the ssh port of course but now I'm restricted to the poor
logging of the NETGEAR.

I'm not asking for actual rules but an outline of method and hints
about rules.
Melameth, Daniel D.
2006-02-25 03:12:46 UTC
Post by Harry Putnam
I want to use pf.conf in what may be an unusual place.
Not the usual shield between private net and internet.
It would be more as a logging service but will need some config to
allow two private net machines to access it.
INTERNET
|
DSLmodem
|
NETGEAR FW/router
-----------------------------------
| | | | | | |
m1 m2 m3 m4 m5 m6 m7
m6 is an obsd-3.8 machine now running current
The ports on the Netgear are switched ports so not like a simple
hub.
There is a facility on the NETGEAR to send all traffic to an inside
machine for whatever reason. It's called a DMZ Server, although I don't
think that is the normal usage of DMZ, but I'm not experienced enough to
know for sure.
This might not work the way you are expecting it to. What you really
want is a device that can mirror a switched port.
Post by Harry Putnam
At any rate I want to enable that feature and send all traffic to the
obsd machine. I want to see more of what is happening at the actual
firewall. It has poor logging facilities. None in realtime. And the
fastest is daily by mail unless you want to logon to the router and do
the cumbersome scanning by eye with the sorry Java-based interface.
I don't really want to accept any traffic from the INTERNET via
NETGEAR on the obsd box but want to be able to log specific stuff as
it hits the pf.conf filter. I want to start analyzing what is coming
at me more.
I know this doesn't answer your question, but, IMHO, I suggest replacing
that consumer class Netgear device with your OpenBSD box and be done
with this "whole mess"--then you can do everything you laid out here
with minimal complexity and far more flexibility.
Harry Putnam
2006-02-25 03:36:42 UTC
Post by Melameth, Daniel D.
Post by Harry Putnam
There is a facility on the NETGEAR to send all traffic to an inside
machine for whatever reason. It's called a DMZ Server, although I don't
think that is the normal usage of DMZ, but I'm not experienced enough to
know for sure.
This might not work the way you are expecting it to. What you really
want is a device that can mirror a switched port.
Can you enlarge on this a bit... at least a good guess for google strings.
Post by Melameth, Daniel D.
Post by Harry Putnam
At any rate I want to enable that feature and send all traffic to the
obsd machine. I want to see more of what is happening at the actual
firewall. It has poor logging facilities. None in realtime. And the
fastest is daily by mail unless you want to logon to the router and do
the cumbersome scanning by eye with the sorry Java-based interface.
I don't really want to accept any traffic from the INTERNET via
NETGEAR on the obsd box but want to be able to log specific stuff as
it hits the pf.conf filter. I want to start analyzing what is coming
at me more.
I know this doesn't answer your question, but, IMHO, I suggest replacing
that consumer class Netgear device with your OpenBSD box and be done
with this "whole mess"--then you can do everything you laid out here
with minimal complexity and far more flexibility.
I'd be comfortable with that if I knew a little more about pf usage.
I'm not experienced with it enough to be sure I'm not leaving some
nasty unexpected hole. Or some other novice error that could have
more repercussions than I want or know how to deal with.

If taking the chicken way will allow me to learn more about pf and
enough to not do some stupid novice error that gets me hacked. I
think I'd prefer it.

Is blocking all and logging specific traffic really hard to
accomplish?
Harry Putnam
2006-02-25 14:43:55 UTC
Post by Melameth, Daniel D.
Post by Harry Putnam
There is a facility on the NETGEAR to send all traffic to an inside
machine for whatever reason. It's called a DMZ Server, although I don't
think that is the normal usage of DMZ, but I'm not experienced enough to
know for sure.
This might not work the way you are expecting it to. What you really
want is a device that can mirror a switched port.
I've done some googling now as you suggested and what I'm seeing is
this mirroring facility is only available on high end
switches/routers.

Not ones in my price range of $200-300. Plus, I already have this
NETGEAR, so I'm loath to spend another pile of cash. And I know from
experimenting a year or so ago that enabling what they call DMZ
functionality will show me the traffic I want to see on whatever
machine I aim it at.

And finally, the objective here is to learn enough PF usage to be
confident I'm not opening my box for public perusal. So not willing
to spend more on hardware. Except maybe a soekris box but then I'm
back to needing to gain some confidence thru experience again.
Mitch Parker
2006-02-25 03:45:46 UTC
Dan and Harry,

Agreed. A consumer-class Netgear device will not be the best choice, as it's
got an underpowered CPU and has more than enough issues with its
configuration. While many SOHO routers can output to syslog, unless you spend
the money for a higher-end product like a Juniper Netscreen, or retrofit a
Linksys access point with a third-party Linux distribution, you're not going
to get much in the way of customization.

However, using pf, snort, and outputting pf and snort to syslog will give you
a clearer picture of what's going on. The tools are more straightforward and
better-documented (IMHO) than their Linux-based counterparts. If you want to
see everything real-time, you can use a tool like Kiwi Syslog Daemon or
syslog-ng to collect the log messages from Snort (which is real-time) and pf
(which isn't real time in my config - once every 5 minutes). The logs are
also very straightforward to read when you use this method.

Plus, pf is a lot more flexible than commercial products, and can run on a $50
PII with a couple of eBay special Realtek 8139 NICs comfortably.

More importantly, you'll learn a lot more about what's going on with your
network, and not only what's coming onto it, but what is also leaving it.

Mitch

Melameth, Daniel D.
2006-02-25 04:13:28 UTC
Post by Harry Putnam
Post by Melameth, Daniel D.
Post by Harry Putnam
There is a facility on the NETGEAR to send all traffic to an
inside machine for whatever reason. It's called a DMZ Server,
although I don't think that is the normal usage of DMZ, but I'm not
experienced enough to know for sure.
This might not work the way you are expecting it to. What you
really want is a device that can mirror a switched port.
Can you enlarge on this a bit... at least a good guess for google
strings.
Google for "port mirroring" or "spanned port."
Post by Harry Putnam
Post by Melameth, Daniel D.
Post by Harry Putnam
At any rate I want to enable that feature and send all traffic to
the obsd machine. I want to see more of what is happening at the
actual firewall. It has poor logging facilities. None in
realtime. And the fastest is daily by mail unless you want to
logon to the router and do the cumbersome scanning by eye with the
sorry java based interface.
I don't really want to accept any traffic from the INTERNET via
NETGEAR on the obsd box but want to be able to log specific stuff
as it hits the pf.conf filter. I want to start analyzing what is
coming at me more.
I know this doesn't answer your question, but, IMHO, I suggest
replacing that consumer class Netgear device with your OpenBSD box
and be done with this "whole mess"--then you can do everything you
laid out here with minimal complexity and far more flexibility.
I'd be comfortable with that if I knew a little more about pf usage.
I'm not experienced with it enough to be sure I'm not leaving some
nasty unexpected hole. Or some other novice error that could have
more repercussions than I want or know how to deal with.
If taking the chicken way will allow me to learn more about pf and
enough to not do some stupid novice error that gets me hacked. I
think I'd prefer it.
Is blocking all and logging specific traffic really hard to
accomplish?
Outside of the nice PF guide on the OpenBSD site, for the most part, all
you really need to begin with is three rules:


# Address translation for machines on your LAN
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Block and log all traffic
block log all

# Allow internal machines to use the Internet
pass out on $ext_if proto { tcp, udp, icmp } all keep state


This will block all incoming traffic with the exception of traffic
replying to the requests of your workstations--which is likely what your
Netgear is doing now. If you want to see all the traffic that pf is
blocking in real time, just issue a simple 'tcpdump -i pflog0' and have
fun.

Granted, pf doesn't have a point and click web interface, but if you
wanted that you probably wouldn't be using OpenBSD to begin with. Then
again, it appears someone's taken pf (and FreeBSD) and put a pretty face
on it at http://www.pfsense.com.
Harry Putnam
2006-02-25 05:13:33 UTC
"Melameth, Daniel D." <***@mba-cpa.com> writes:

Thanks for the nifty summary. I want to pester you just a little more
then I'll get to work on this and see if I get really stuck
somewhere.
Post by Melameth, Daniel D.
# Address translation for machines on your LAN
nat on $ext_if from $int_if:network to any -> ($ext_if)
This looks like it's designed to allow my other boxes to be (NATed) to
from the open bsd box. But that won't be happening. That happens at
the netgear right now. I'm only wanting to aim the same network
traffic at the obsd box as hits the netgear. Not actually do anything
with it such as NATing. (only log or handle OBSD boxes own traffic
to/from internet)

I haven't googled on the mirror thing you mentioned yet so maybe I'm
not understanding what will happen when I enable sending traffic to
obsd from Netgear box.
Post by Melameth, Daniel D.
# Block and log all traffic
block log all
Well yeah, but this can get to be a lot of data very soon. I'd like
to see just one general example of blocking all but logging only say
ssh or a few other specific things. In my tinkerings it appeared that
it matters a lot where the log flag appears in the syntax.
Post by Melameth, Daniel D.
# Allow internal machines to use the Internet
pass out on $ext_if proto { tcp, udp, icmp } all keep state
Again this won't be happening for the other machines but I kind of
figured something like this would be necessary for the OBSD box
itself.

This all reminded me I meant to ask one thing about networking this.

My net is currently all on 192.168.0/24. I'm wondering if this can
all be done still in that network. That is, set both nics on the obsd
box to that network. Where one side talks to the NETGEAR and the
other talks to the rest of the lan.

The first few rules in example1 from FAQ/PF appear to be able to be
applied to make that happen.

Some vars first:
ext_if = "rl0"              # 192.168.0.19
int_if = "dc0"              # 192.168.0.18
priv_nets = "192.168.0.0/24"

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

So some kind of adjustment would have to happen here since the NETGEAR
inside IF talking to obsd outside IF would both be $priv_nets.

I'm thinking I could just use actual IPs:

(NETGEAR and OBSD)
sel_hosts = "{ 192.168.0.20, 192.168.0.19 }"

nosel_hosts = "{ 192.168.0.4, 192.168.0.5 [...] }"

(Keep everybody but NETGEAR and OBSD box [sel_hosts] out of $ext_if
traffic)

block drop in quick on $ext_if from $nosel_hosts to any
block drop out quick on $ext_if from any to $nosel_hosts

But I'm getting out of my league here already...
Melameth, Daniel D.
2006-02-25 14:28:39 UTC
Post by Harry Putnam
Thanks for the nifty summary. I want to pester you just a little more
then I'll get to work on this and see if I get really stuck
somewhere.
Sounds good ;-) .
Post by Harry Putnam
Post by Melameth, Daniel D.
# Address translation for machines on your LAN
nat on $ext_if from $int_if:network to any -> ($ext_if)
This looks like it's designed to allow my other boxes to be (NATed) to
from the open bsd box. But that won't be happening. That happens at
the netgear right now. I'm only wanting to aim the same network
traffic at the obsd box as hits the netgear. Not actually do anything
with it such as NATing. (only log or handle OBSD boxes own traffic
to/from internet)
All bets are off if you don't replace the Netgear with OpenBSD.
Post by Harry Putnam
I haven't googled on the mirror thing you mentioned yet so maybe I'm
not understanding what will happen when I enable sending traffic to
obsd from Netgear box.
Post by Melameth, Daniel D.
# Block and log all traffic
block log all
Well yeah, but this can get to be a lot of data very soon. I'd
like to see just one general example of blocking all but logging only
say ssh or a few other specific things. In my tinkerings it appeared
that it matters a lot where the log flag appears in the syntax.
On a consumer-class Internet connection, I don't expect too much.
However, the following should only log ssh:

# Block all traffic and block and log ssh
block all
block in log on $ext_if inet proto tcp from any to $ext_if port ssh
Post by Harry Putnam
Post by Melameth, Daniel D.
# Allow internal machines to use the Internet
pass out on $ext_if proto { tcp, udp, icmp } all keep state
Again this won't be happening for the other machines but I kind of
figured something like this would be necessary for the OBSD box
itself.
You're on your own if you want to keep the Netgear as your bastion host
to the Internet. I understand you don't feel comfortable putting the
OpenBSD box there yet, but that's the only scenario I'll likely spend my
time providing assistance with.
Post by Harry Putnam
This all reminded me I meant to ask one thing about networking this.
My net is currently all on 192.168.0/24. I'm wondering if this can
all be done still in that network. That is, set both nics on the obsd
box to that network. Where one side talks to the NETGEAR and the
other talks to the rest of the lan.
While you can do this, here's where I'll stop with my reply as anything
beyond this is somewhat different from the example ruleset in the PF
guide and might become confusing for you. However, if you really don't
want to use the OpenBSD machine as a bastion host, I recommend just
using one NIC, as the "external" NIC, and going from there--someone else
on the list is more than welcome to chime in further.
Post by Harry Putnam
The first few rules in example1 from FAQ/PF appear to be able to be
applied to make that happen.
ext_if = "rl0"              # 192.168.0.19
int_if = "dc0"              # 192.168.0.18
priv_nets = "192.168.0.0/24"
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
So some kind of adjustment would have to happen here since the NETGEAR
inside IF talking to obsd outside IF would both be $priv_nets.
(NETGEAR and OBSD)
sel_hosts = "{ 192.168.0.20, 192.168.0.19 }"
nosel_hosts = "{ 192.168.0.4, 192.168.0.5 [...] }"
(Keep everybody but NETGEAR and OBSD box [sel_hosts] out of $ext_if
traffic)
block drop in quick on $ext_if from $nosel_hosts to any
block drop out quick on $ext_if from any to $nosel_hosts
But I'm getting out of my league here already...
Harry Putnam
2006-02-25 14:53:15 UTC
Post by Melameth, Daniel D.
On a consumer-class Internet connection, I don't expect too much.
That is what got me going on this... By negligence I'd left ssh open
after coming home from a trip where I had it open for connecting to
home machine. Normally I turn it back off when I'm home.

I saw over a 5 day period some 13,000 hits on ssh port. Apparently
some half configured dictionary attacks. I say half configured
because the attempted user names don't seem to be in any recognizable
order. My passwords are good so I didn't get too worried but it did
cause me to wonder what is going on that my ssh port got so
interesting suddenly.

Of course I turned it off, but that leaves me with the sorry logging
facilities of the NETGEAR.
Post by Melameth, Daniel D.
# Block all traffic and block and log ssh
block all
block in log on $ext_if inet proto tcp from any to $ext_if port ssh
Thanks, that's the one I was stumbling around with.

I read your comments about further help and want to thank you for the
help already given. I think it may be all I needed to get this done.

But I'll be back to pester people once I've gotten up my nerve and put
the OBSD box up to the plate.
knitti
2006-02-25 21:22:06 UTC
Post by Harry Putnam
Post by Melameth, Daniel D.
On a consumer-class Internet connection, I don't expect too much.
That is what got me going on this... By negligence I'd left ssh open
after coming home from a trip where I had it open for connecting to
home machine. Normally I turn it back off when I'm home.
I saw over a 5 day period some 13,000 hits on ssh port. Apparently
some half configured dictionary attacks. I say half configured
because the attempted user names don't seem to be in any recognizable
order. My passwords are good so I didn't get too worried but it did
cause me to wonder what is going on that my ssh port got so
interesting suddenly.
you worry too much. either choose good passwords, or better, set up
login with ssh keys only. it's worth reading and googling for maybe
an hour or two, if you're not familiar with it. if this is in place, you don't
have to worry, and you also don't have to log connections to your ssh
port.


--knitti
Joachim Schipper
2006-02-25 14:51:32 UTC
Post by Harry Putnam
I want to use pf.conf in what may be an unusual place.
Not the usual shield between private net and internet.
It would be more as a logging service but will need some config to
allow two private net machines to access it.
INTERNET
|
DSLmodem
|
NETGEAR FW/router
-----------------------------------
| | | | | | |
m1 m2 m3 m4 m5 m6 m7
m6 is an obsd-3.8 machine now running current
The ports on the Netgear are switched ports so not like a simple
hub.
There is a facility on the NETGEAR to send all traffic to an inside
machine for whatever reason. It's called a DMZ Server, although I don't
think that is the normal usage of DMZ, but I'm not experienced enough to
know for sure.
That would probably send all outside-initiated traffic to your OpenBSD
box, from the sound of it. I.e., you will only see the hacks the Netgear
would have stopped anyway.
Post by Harry Putnam
At any rate I want to enable that feature and send all traffic to the
obsd machine. I want to see more of what is happening at the actual
firewall. It has poor logging facilities. None in realtime. And the
fastest is daily by mail unless you want to logon to the router and do
the cumbersome scanning by eye with the sorry Java-based interface.
However, if I read this, you also want to see the traffic to/from
m[1-5,7].
Post by Harry Putnam
I don't really want to accept any traffic from the INTERNET via
NETGEAR on the obsd box but want to be able to log specific stuff as
it hits the pf.conf filter. I want to start analyzing what is coming
at me more.
I will need to be able to access the obsd box via ssh from one other local
(priv) lan machine and it will need to be accessible to the private
side of the NETGEAR.
I'm not skilled enough with pf.conf to set this up just from the
examples provided in the PF section of the FAQ and man pages. But I'm
hoping to gain enough knowledge about using PF to eventually replace
the NETGEAR with an old beater running obsd or maybe even a soekris
box.
I hoped someone might provide a rough outline of what something like
this would need to look like.
That is possible, but some things to consider:
1. You are logging stuff which is blocked by any firewall, NAT
router, or even Windows-based software firewall a la ZoneAlarm. In other
words, stuff that couldn't ever harm you unless you are being very, very
clueless (and are running Windows). And, most likely, stuff that isn't
very interesting either.
2. Unless you go with a full honeypot setup (see
www.honeynet.com or Google), you are not likely to see more than a SYN
packet being dropped by pf.
3. There is some stuff that *can* harm you - notably, hacks in
response to connections initiated by the machines behind your firewall.
The most common form would be yet another problem in a web browser. Your
proposed setup would not catch this.
4. Unless you are willing to spend *a lot* of time on the
honeypot, reading a good security list (Bugtraq, Full-Disclosure,
whatever) will tell you more about where the problems are than reading
pf logs.

If you *really* want to know what attacks are out there, the following
setup would make more sense:

INTERNET
|
OpenBSD w/ snort
|
Netgear (optional; OpenBSD could filter, too)
|
- clients -

Of course, one should keep in mind that Snort has its limitations, and
should be kept up to date. It has three uses:
1. If a new vulnerability is found, and no patch is available,
and a Snort signature *is* available, Snort could tell you what machines
to disconnect.
2. If Snort catches a return packet that looks like a
compromised machine (for instance, a reverse shell), Snort could, again,
tell you what machines to disconnect.
3. If Snort is installed in IPS mode (ISTR this being only
possible on Linux, with some people working on a pf (*BSD) version but
not yet having production-quality code; it's called Snort-inline), it
could conceivably block attacks on unpatched machines.

That means that, for instance, the recent WMF vulnerability would have
been neatly blocked by this setup (or not - I recall quite a bit of
doubt about many signatures, as quite a few were by-passable). However,
almost all vulnerabilities in the *nix world are disclosed together with
the patch to fix them, and patching is typically faster than getting
Snort to recognize them.

Not to mention the fact that there exist many, many ways to confuse
('evade') Snort (not that it's impossible to block some/most of them,
but new ones are always springing up and it's not exactly easy), and
that Snort itself has the occasional vulnerability, too.

And as to reading what attacks your firewall has stopped today - it will
be neat for a day or two, but you'll discover there are more useful
things to be doing quickly enough.

Not to mention that logging everything adds up after a while, in regards
to disk space.

All in all, reading the logs daily (which tell you what happened to the
stuff that actually got through the firewall) is much more useful. And
if you really want more, install Snort. Telling you what packets have
been blocked by the firewall is only good for gathering statistics to
impress management into letting you buy more toys. Which is a worthy
goal, but not a misc@ subject...

Joachim
Harry Putnam
2006-02-25 16:16:58 UTC
Post by Joachim Schipper
Post by Harry Putnam
There is a facility on the NETGEAR to send all traffic to an inside
machine for whatever reason. It's called a DMZ Server, although I don't
think that is the normal usage of DMZ, but I'm not experienced enough to
know for sure.
That would probably send all outside-initiated traffic to your OpenBSD
box, from the sound of it. I.e., you will only see the hacks the Netgear
would have stopped anyway.
Yeah, that's what I'm after. As you say further along that will get
boring quickly but right now I'm interested to see what is happening
at my ssh port. I received 13,000 hits on it over a 5 day period
after leaving it open (but with good password) inadvertently.
Post by Joachim Schipper
Post by Harry Putnam
At any rate I want to enable that feature and send all traffic to the
obsd machine. I want to see more of what is happening at the actual
firewall. It has poor logging facilities. None in realtime. And the
fastest is daily by mail unless you want to logon to the router and do
the cumbersome scanning by eye with the sorry Java-based interface.
However, if I read this, you also want to see the traffic to/from
m[1-5,7].
No, I mean yes, but not with current subject of setting up obsd in
the way I've been asking about.

[...]
Post by Joachim Schipper
Post by Harry Putnam
I hoped someone might provide a rough outline of what something like
this would need to look like.
[...]
Post by Joachim Schipper
3. There is some stuff that *can* harm you - notably, hacks in
response to connections initiated by the machines behind your firewall.
The most common form would be yet another problem in a web browser. Your
proposed setup would not catch this.
4. Unless you are willing to spend *a lot* of time on the
honeypot, reading a good security list (Bugtraq, Full-Disclosure,
whatever) will tell you more about where the problems are than reading
pf logs.
Yes, as you've noted very time consuming and probably a bit over my
head as well.
Post by Joachim Schipper
All in all, reading the logs daily (which tell you what happened to
the stuff that actually got through the firewall) is much more
useful. And if you really want more, install Snort. Telling you what
packets have been blocked by the firewall is only good for gathering
statistics to impress management into letting you buy more
Well as you've noted, the firewall is turning back the real harmful
stuff, unless I get really stupid inside. (not unheard of here).

And being able to read and understand what I'm seeing about traffic
coming thru is at present largely over my thick skull.

The windows machines inside, like my wife's and 2 that are heavy gauge
video edit crunchers, are likely to be the destinations of the kind of
stuff you mentioned, but my main desktop is a gentoo linux box running
IPtables so I do get to see that traffic.

I'm hoping to gain enough from the setup I've asked about so that
skull factor gets trimmed down a bit. And eventually setup the OBSD
box as you and others have suggested. Between Internet and inside net.
Joachim Schipper
2006-02-26 12:30:59 UTC
Post by Harry Putnam
Post by Joachim Schipper
Post by Harry Putnam
There is a facility on the NETGEAR to send all traffic to an inside
machine for whatever reason. It's called a DMZ Server, although I don't
think that is the normal usage of DMZ, but I'm not experienced enough to
know for sure.
That would probably send all outside-initiated traffic to your OpenBSD
box, from the sound of it. I.e., you will only see the hacks the Netgear
would have stopped anyway.
Yeah, that's what I'm after. As you say further along that will get
boring quickly but right now I'm interested to see what is happening
at my ssh port. I received 13,000 hits on it over a 5 day period
after leaving it open (but with good password) inadvertently.
Oh, SSH scans are all over the net. Set up private keys for login, and
only private keys. Add S/KEY capability, if you want to be able to login
without carrying a floppy around.

SSH is open on all my machines, and - except for one - accepts only
private keys (the last one also accepts S/KEY, and functions as a login
station for when I'm on the road).
Post by Harry Putnam
Post by Joachim Schipper
Post by Harry Putnam
At any rate I want to enable that feature and send all traffic to the
obsd machine. I want to see more of what is happening at the actual
firewall. It has poor logging facilities. None in realtime. And the
fastest is daily by mail unless you want to logon to the router and do
the cumbersome scanning by eye with the sorry Java-based interface.
However, if I read this, you also want to see the traffic to/from
m[1-5,7].
No, I mean yes, but not with current subject of setting up obsd in
the way I've been asking about.
[...]
Post by Joachim Schipper
Post by Harry Putnam
I hoped someone might provide a rough outline of what something like
this would need to look like.
[...]
Post by Joachim Schipper
3. There is some stuff that *can* harm you - notably, hacks in
response to connections initiated by the machines behind your firewall.
The most common form would be yet another problem in a web browser. Your
proposed setup would not catch this.
4. Unless you are willing to spend *a lot* of time on the
honeypot, reading a good security list (Bugtraq, Full-Disclosure,
whatever) will tell you more about where the problems are than reading
pf logs.
Yes, as you've noted very time consuming and probably a bit over my
head as well.
Post by Joachim Schipper
All in all, reading the logs daily (which tell you what happened to
the stuff that actually got through the firewall) is much more
useful. And if you really want more, install Snort. Telling you what
packets have been blocked by the firewall is only good for gathering
statistics to impress management into letting you buy more
Well as you've noted, the firewall is turning back the real harmful
stuff, unless I get really stupid inside. (not unheard of here).
And being able to read and understand what I'm seeing about traffic
coming thru is at present largely over my thick skull.
The windows machines inside, like my wife's and 2 that are heavy gauge
video edit crunchers, are likely to be the destinations of the kind of
stuff you mentioned, but my main desktop is a gentoo linux box running
IPtables so I do get to see that traffic.
I'm hoping to gain enough from the setup I've asked about so that
skull factor gets trimmed down a bit. And eventually setup the OBSD
box as you and others have suggested. Between Internet and inside net.
Well, doing what you want to do isn't too useful, but quite possible.

Make the OBSD machine the so-called DMZ server on the Netgear. Use a
pf.conf like the following:

set skip on { lo0 }

# This is the default, but set it explicitly - there's no reason to
# return anything
set block-policy drop

block in log
pass out keep state

Then run pflogd(8). You can now analyze the traffic from /var/log/pflog,
using tcpdump(8).

For added points, install Snort. It will not catch much, seeing as to
how outsiders will not be able to establish many connections, but it's a
good exercise if you want to go with the setup I proposed earlier, when
you are more confident.

Joachim
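Putting Daniel's "log only ssh" rules and Joachim's DMZ-server pf.conf together, here is a complete pf.conf for the single-NIC logging box Harry describes: block everything, log only inbound ssh, allow one LAN workstation to ssh in, and let the box's own traffic out with state. This is an added example, not a ruleset anyone posted in the thread; the interface name rl0 and the admin workstation address 192.168.0.4 are assumed placeholders borrowed from Harry's macros.

```pf
# Added example pf.conf for the single-NIC "DMZ server" logging box.
# Assumptions (change to match): rl0 is the only NIC, and 192.168.0.4 is
# the one LAN workstation allowed to ssh in.
ext_if = "rl0"
admin  = "192.168.0.4"

set skip on lo0
# Drop silently rather than answering with RSTs or ICMP unreachables
set block-policy drop

# Default policy: block everything in both directions WITHOUT "log", so
# /var/log/pflog only grows for the rules that explicitly say log.
block all

# Inbound ssh to this box from anywhere: block AND log. pf applies the
# last matching rule, so the "log" keyword only takes effect on the rule
# that finally decides the packet; the pass rule for $admin further down
# is later and therefore wins for that one host, and is not logged.
block in log on $ext_if inet proto tcp from any to ($ext_if) port ssh

# Anything else the Netgear's DMZ feature forwards at us is dropped
# silently by "block all". To watch other ports as well, add further
# "block in log" rules here instead of logging everything.

# The single LAN workstation that administers this box
pass in on $ext_if inet proto tcp from $admin to ($ext_if) port ssh \
    flags S/SA keep state

# Let the box itself reach DNS, NTP, package mirrors and the rest of the
# LAN; the state entry lets replies back in without any inbound pass rule.
pass out on $ext_if proto { tcp, udp, icmp } all keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf; then watch the logged packets live with tcpdump -n -e -ttt -i pflog0, or after the fact with tcpdump -n -e -ttt -r /var/log/pflog port 22.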
