I want to use pf.conf in what may be an unusual place. Not the usual shield between private net and internet. It would be more as a logging service but will need some config to allow two private net machines to access it.
A network picture:

    INTERNET
       |
    DSLmodem
       |
    NETGEAR FW/router
    -----------------------------------
     |    |    |    |    |    |    |
    m1   m2   m3   m4   m5   m6   m7

m6 is an obsd-3.8 machine now running current.

The ports on the Netgear are switched ports so not like a simple hub. There is a facility on the NETGEAR to send all traffic to an inside machine for whatever reason. It's called a DMZ Server although I don't think that is the normal usage of DMZ, but I'm not experienced enough to know for sure. At any rate I want to enable that feature and send all traffic to the obsd machine.

I want to see more of what is happening at the actual firewall. It has poor logging facilities. None in realtime. And the fastest is daily by mail unless you want to log on to the router and do the cumbersome scanning by eye with the sorry java based interface.

I don't really want to accept any traffic from the INTERNET via NETGEAR on the obsd box but want to be able to log specific stuff as it hits the pf.conf filter. I want to start analyzing what is coming at me more. I will need to be able to access the obsd box via ssh from one other local (priv) lan machine and it will need to be accessible to the private side of the NETGEAR.

I'm not skilled enough with pf.conf to set this up just from the examples provided in the PF section of the FAQ and man pages, but I'm hoping to gain enough knowledge about using PF to eventually replace the NETGEAR with an old beater running obsd or maybe even a soekris box.

I hoped someone might provide a rough outline of what something like this would need to look like. How much of the boiler plate in the PF examples would apply, etc. Maybe including what things would have to be allowed for the obsd box to be a normal resident of the lan in terms of dns, arp, ssh access and so on. And how to block all inbound internet traffic but be able to log specific stuff. An example might be that I received 13000 hits over a 5 day period on an ssh port I'd left open at the firewall.
It appears to be several dictionary attacks, carried out by some 15 unique IPs. That seemed pretty excessive and made me wonder what brought it on. And at least it's in my syslog logs so I can work on it with all the normal unix tools. But I'm not really sure what goes on at the firewall since I've never really got too involved with working with the dos files it sends beyond scanning manually from time to time. They have lots of goofy tabs and dashes making script based scanning somewhat hazardous for a poorly skilled scripter. I've closed the ssh port of course but now I'm restricted to the poor logging of the NETGEAR. I'm not asking for actual rules but an outline of method and hints about rules.
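An outline ruleset for the setup described above, added here as an example and not taken from the poster or from the OpenBSD FAQ. It assumes a single-NIC box (interface name, LAN prefix and the admin machine's address are all placeholders to adjust), pf's default last-match semantics with `quick` where a decision should be final, and the pre-4.1 style where `keep state` is written out explicitly. The idea is: default deny everything inbound without logging, log only the probes you want to see (they go to pflog0), let the box itself initiate outbound connections for DNS and the like, and admit ssh only from the one LAN host.

```pf
# Added example pf.conf for a single-NIC logging host behind a router that
# forwards all unsolicited internet traffic to it ("DMZ Server" feature).
# The three values below are assumptions; replace them with your own.
int_if     = "fxp0"              # assumed name of the LAN interface
lan_net    = "192.168.1.0/24"    # assumed private LAN prefix
admin_host = "192.168.1.10"      # assumed machine allowed to ssh in
# Inbound ports worth logging when hit from outside the LAN.
watch_tcp  = "{ ssh, telnet, smtp, 135, 139, 445 }"

set skip on lo0
scrub in all

# Default deny: anything inbound not matched by a later rule is dropped
# silently, so the log only contains what you ask for.
block in all

# The box may talk out (DNS, NTP, cvs/pkg fetches); replies ride the state.
pass out on $int_if keep state

# Log, then drop, the specific probes of interest. "! $lan_net" keeps LAN
# chatter out of the log; only forwarded internet traffic matches.
block in log quick on $int_if proto tcp from ! $lan_net to ($int_if) port $watch_tcp
block in log quick on $int_if proto udp from ! $lan_net to ($int_if) port 53

# ssh only from the one admin machine on the private side.
pass in quick on $int_if proto tcp from $admin_host to ($int_if) port ssh \
        flags S/SA keep state

# Let LAN neighbours ping the box so it behaves like a normal resident.
pass in quick on $int_if inet proto icmp from $lan_net to ($int_if) \
        icmp-type echoreq keep state
```

ARP never reaches pf (it filters at IP, not at layer 2), so nothing is needed for it. Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the realtime view the router cannot give you is `tcpdump -n -e -ttt -i pflog0`, and `pflogd` writes the same records to `/var/log/pflog` for later analysis with the usual tools. To log more, add ports to `watch_tcp` or add another `block in log quick` line; the unlogged `block in all` catches everything else.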