Harry Putnam wrote:

> I want to use pf.conf in what may be an unusual place.
>
> Not the usual shield between private net and internet.
> It would be more as a logging service but will need some config to
> allow two private net machines to access it.
>
> A network picture:
>
>                  INTERNET
>                     |
>                  DSLmodem
>                     |
>             NETGEAR FW/router
>     -----------------------------------
>     |    |    |    |    |    |    |
>     m1   m2   m3   m4   m5   m6   m7
>
> m6 is an obsd-3.8 machine now running current
>
> The ports on the Netgear are switched ports so not like a simple
> hub.
>
> There is a facility on the NETGEAR to send all traffic to an inside
> machine for whatever reason. It's called a DMZ Server although I don't
> think that is the normal usage of DMZ, but not experienced enough to
> know for sure.
This might not work the way you are expecting it to. What you really
want is a device that can mirror a switched port.

> At any rate I want to enable that feature and send all traffic to the
> obsd machine. I want to see more of what is happening at the actual
> firewall. It has poor logging facilities. None in realtime. And the
> fastest is daily by mail unless you want to log on to the router and do
> the cumbersome scanning by eye with the sorry java based interface.
>
> I don't really want to accept any traffic from the INTERNET via
> NETGEAR on the obsd box but want to be able to log specific stuff as
> it hits the pf.conf filter. I want to start analyzing what is coming
> at me more.

I know this doesn't answer your question, but, IMHO, I suggest replacing
that consumer class Netgear device with your OpenBSD box and be done with
this "whole mess"--then you can do everything you laid out here with
minimal complexity and far more flexibility.
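For reference, here is a pf.conf for the setup Harry describes (m6 receiving whatever the Netgear's "DMZ server" feature forwards, accepting nothing from it, but logging it, and letting two LAN machines in). This is an added example, not from either message; the interface name, the addresses and the choice of ssh as the service the two machines need are assumptions. It uses the rule syntax of the pf in OpenBSD 3.8/4.0, which current releases still accept.

```pf
# Added example for m6 in the diagram above; not from the original thread.
# Assumed: one NIC (fxp0), LAN 192.168.1.0/24, Netgear at .1, m6 at .6,
# and the two machines that may reach m6 at .11 and .12.
ext_if  = "fxp0"
lan     = "192.168.1.0/24"
me      = "192.168.1.6"
friends = "{ 192.168.1.11, 192.168.1.12 }"

set skip on lo0
set loginterface $ext_if

# Default policy: drop everything and copy each dropped packet to pflog0.
block log all

# What the Netgear forwards from the Internet arrives with a non-LAN
# source and m6 as destination (the router has already NATed it).
# Keep a separate label so 'pfctl -s labels' gives a per-source-class count.
block in log quick on $ext_if from ! $lan to $me label "forwarded_by_netgear"

# The two private-net machines may ssh in; log those too.
pass in log quick on $ext_if proto tcp from $friends to $me port ssh \
    flags S/SA keep state

# m6's own outbound traffic (DNS, mail for the logs, package updates).
pass out quick on $ext_if from $me to any keep state

# Anything else from the LAN is not accepted and lands on 'block log all'.
```

Load it with `pfctl -f /etc/pf.conf` and watch in real time with `tcpdump -n -e -ttt -i pflog0`; the same packets are written by pflogd to /var/log/pflog, readable later with `tcpdump -n -e -ttt -r /var/log/pflog`. `pfctl -vs rules` shows per-rule packet counts and `pfctl -s labels` the counters for the labelled rule. The caveat is the one the reply makes: the DMZ-server feature only hands m6 unsolicited inbound connections after NAT, so m6 sees neither other LAN hosts' traffic nor the replies to their outbound connections; for that you need a mirrored switch port or to put the OpenBSD box in the router's place.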