Dan and Harry,

Agreed.  A consumer-class Netgear device will not be the best choice, as it's
got an underpowered CPU and has more than enough issues with its
configuration.  While many SOHO routers can output to syslog, unless you spend
the money for a higher-end product like a Juniper Netscreen, or retrofit a
Linksys access point with a third-party Linux distribution, you're not going
to get much in the way of customization.

However, using pf, snort, and outputting pf and snort to syslog will give you
a clearer picture of what's going on.  The tools are more straightforward and
better-documented (IMHO) than their Linux-based counterparts.  If you want to
see everything in real time, you can use a tool like Kiwi Syslog Daemon or
syslog-ng to collect the log messages from Snort (which is real-time) and pf
(which isn't real-time in my config - once every 5 minutes).  The logs are
also very straightforward to read when you use this method.

Plus, pf is a lot more flexible than commercial products, and can run on a $50
PII with a couple of eBay special Realtek 8139 NICs comfortably.

More importantly, you'll learn a lot more about what's going on with your
network, and not only what's coming onto it, but what is also leaving it.

Mitch
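An added example (not from the thread, not Mitch's or Harry's config) of the kind of pf.conf Harry asked about: block everything by default, log only the inbound probes you care about, let the two private machines in, and get the pflog records to a syslog collector. The interface name, addresses and port lists are constructed placeholders, and the tcpdump-to-logger pipe in the trailing comment is one assumed way of doing the syslog hand-off, not the setup Mitch describes.

```pf
# Added example, not the poster's config.  OpenBSD 3.8-era syntax (explicit "keep state").
# fxp0, the addresses and the port lists are constructed placeholders.
ext_if    = "fxp0"
allowed   = "{ 192.168.0.11, 192.168.0.12 }"     # the two private machines allowed in
watch_tcp = "{ 21, 22, 23, 25, 80, 135, 139, 445, 1433, 3389 }"
watch_udp = "{ 137, 138, 1434 }"

set skip on lo

# Default deny in both directions, silently.  pf uses last-matching-rule
# semantics, so the more specific rules below decide what is logged or passed.
block all

# Log (to pflog0) only the inbound traffic of interest, while still blocking it.
block in log on $ext_if inet proto tcp from any to any port $watch_tcp
block in log on $ext_if inet proto udp from any to any port $watch_udp

# The two private machines may reach this host over ssh; everything else stays blocked.
pass in on $ext_if inet proto tcp from $allowed to $ext_if port 22 \
    flags S/SA keep state

# The logging host's own outbound traffic (dns, ntp, package fetches).
pass out on $ext_if inet proto { tcp, udp, icmp } from $ext_if to any keep state

# Getting the records to syslog (assumption, one of several ways): pflogd(8)
# already writes /var/log/pflog; a line-buffered tcpdump on pflog0 piped into
# logger(1), e.g.
#   tcpdump -l -n -e -ttt -i pflog0 | logger -t pf -p local0.info
# together with a syslog.conf line such as
#   local0.info    @loghost
# gives Kiwi or syslog-ng a continuous feed instead of a 5-minute batch.
```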
-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Melameth, Daniel D.
Sent: Fri 2/24/2006 10:12 PM
To: misc@openbsd.org
Subject: Re: pf.conf to log specific but block all

Harry Putnam wrote:
> I want to use pf.conf in what may be an unusual place.
>
> Not the usual shield between private net and internet.
> It would be more as a logging service but will need some config to
> allow two private net machines to access it.
>
> A network picture:
>
>                   INTERNET
>                     |
>                    DSLmodem
>                     |
>                NETGEAR FW/router
>      -----------------------------------
>      |     |     |     |     |     |   |
>     m1     m2   m3    m4     m5    m6  m7
>
> m6 is an obsd-3.8 machine now running current
>
> The ports on the Netgear are switched ports so not like a simple
> hub.
>
> There is a facility on the NETGEAR to send all traffic to an inside
> machine for whatever reason.  It's called a DMZ Server although I don't
> think that is the normal usage of DMZ, but not experienced enough to
> know for sure.

This might not work the way you are expecting it to.  What you really
want is a device that can mirror a switched port.

> At any rate I want to enable that feature and send all traffic to the
> obsd machine.  I want to see more of what is happening at the actual
> firewall.  It has poor logging facilities.  None in realtime.  And the
> fastest is daily by mail unless you want to logon to the router and do
> the cumbersome scanning by eye with the sorry java based interface.
>
> I don't really want to accept any traffic from the INTERNET via
> NETGEAR on the obsd box but want to be able to log specific stuff as
> it hits the pf.conf filter.  I want to start analyzing what is coming
> at me more.

I know this doesn't answer your question, but, IMHO, I suggest replacing
that consumer class Netgear device with your OpenBSD box and be done
with this "whole mess"--then you can do everything you laid out here
with minimal complexity and far more flexibility.
