I want to use pf.conf in what may be an unusual place.

Not the usual shield between private net and internet.
It would be more as a logging service but will need some config to
allow two private net machines to access it.

A network picture:
     
                  INTERNET
                    |
                   DSLmodem
                    |
               NETGEAR FW/router
     -----------------------------------
     |     |     |     |     |     |   |
    m1     m2   m3    m4     m5    m6  m7

m6 is an obsd-3.8 machine now running current

The ports on the Netgear are switched ports so not like a simple
hub.

There is a facility on the NETGEAR to send all traffic to an inside
machine for whatever reason.  It's called a DMZ Server although I don't
think that is the normal usage of DMZ, but I'm not experienced enough to
know for sure.

At any rate I want to enable that feature and send all traffic to the
obsd machine.  I want to see more of what is happening at the actual
firewall.  It has poor logging facilities.  None in realtime.  And the
fastest is daily by mail unless you want to logon to the router and do
the cumbersome scanning by eye with the sorry java based interface.

I don't really want to accept any traffic from the INTERNET via
NETGEAR on the obsd box but want to be able to log specific stuff as
it hits the pf.conf filter.  I want to start analyzing what is coming
at me more.

I will need to be able to access the obsd box via ssh from one other local
(priv) lan machine and it will need to be accessible to the private
side of the NETGEAR.

I'm not skilled enough with pf.conf to set this up just from the
examples provided in the PF section of the FAQ and the man pages, but I'm
hoping to gain enough knowledge about using PF to eventually replace
the NETGEAR with an old beater running obsd or maybe even a soekris
box.

I hoped someone might provide a rough outline of what something like
this would need to look like.

How much of the boilerplate in the PF examples would apply, etc.

Maybe including what things would have to be allowed for the obsd box
to be a normal resident of the lan in terms of DNS, ARP, SSH access and
so on.  And how to block all inbound internet traffic but be able to
log specific stuff.

An example might be that I received 13000 hits over a 5 day period on
an ssh port I'd left open at the firewall.  It appears to be several
dictionary attacks, carried out by some 15 unique IPs.  That seemed
pretty excessive and made me wonder what brought it on.

And at least it's in my syslog logs so I can work on it with all the
normal unix tools.

But I'm not really sure what goes on at the firewall since I've never
really got too involved with working with the DOS files it sends beyond
scanning manually from time to time.  They have lots of goofy tabs and
dashes making script based scanning somewhat hazardous for a poorly
skilled scripter.

I've closed the ssh port of course but now I'm restricted to the poor
logging of the NETGEAR.

I'm not asking for actual rules but an outline of method and hints
about rules.
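As an added example (not part of the original post), here is the rough shape such a pf.conf could take on the obsd box described above: one NIC on the private LAN, the NETGEAR forwarding all unsolicited internet traffic to it as the "DMZ Server", everything from outside the LAN logged and dropped, ssh allowed from one admin host only, and the box's own outbound traffic (DNS to the router and so on) passed with state. The interface name and all addresses are assumptions; the box is assumed to have a static address rather than DHCP.

```pf
# Added example, not from the original post.  Interface and addresses are
# assumptions; change them to match the actual LAN.
lan_if  = "fxp0"              # assumed: the box's only NIC, on the LAN
lan_net = "192.168.1.0/24"    # assumed: the private LAN behind the NETGEAR
router  = "192.168.1.1"       # assumed: NETGEAR LAN address (DNS forwarder)
admin   = "192.168.1.10"      # assumed: the one LAN host allowed to ssh in

set skip on lo0
set loginterface $lan_if       # lets "pfctl -s info" show per-rule counters

# Default deny, quietly, in both directions.  Without "quick", the last
# matching rule wins; the rules below all use "quick" to stop evaluation.
block in all
block out all

# Whatever the NETGEAR forwards from the internet arrives on $lan_if with a
# source address outside the LAN.  Log it and drop it.  Replies to our own
# outbound connections are matched by state before the rules are consulted,
# so they are not caught here.
block in log quick on $lan_if from ! $lan_net to any

# Management: ssh to this box only from the admin host.
pass in quick on $lan_if proto tcp from $admin to $lan_if port ssh \
    flags S/SA keep state

# Be a normal LAN member: answer ping from the LAN, and let our own
# outbound traffic (DNS to the router, ntp, package fetches) out with state.
pass in  quick on $lan_if inet proto icmp from $lan_net to $lan_if \
    icmp-type echoreq keep state
pass out quick on $lan_if proto { tcp udp } from $lan_if to any keep state
pass out quick on $lan_if inet proto icmp from $lan_if to any keep state
```

A few notes on what this does and does not cover. ARP is below pf (pf filters IP, not ARP), so nothing has to be allowed for the box to be found on the LAN. Logged packets do not go to syslog: pflogd writes them in pcap format to /var/log/pflog, which can be read with `tcpdump -n -e -ttt -r /var/log/pflog`, and watched live with `tcpdump -n -e -ttt -i pflog0`; from there the usual tools apply. Load and check the file with `pfctl -nf /etc/pf.conf` before `pfctl -f /etc/pf.conf`, and do it from the admin host's console or with a second session open, since the ssh rule is the only way back in.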
