On Fri, Feb 24, 2006 at 08:58:11PM -0600, Harry Putnam wrote:
> I want to use pf.conf in what may be an unusual place.
> 
> Not the usual shield between private net and internet.
> It would be more as a logging service but will need some config to
> allow two private net machines to access it.
> 
> A network picture:
>      
>                   INTERNET
>                     |
>                    DSLmodem
>                     |
>                NETGEAR FW/router
>      -----------------------------------
>      |     |     |     |     |     |   |
>     m1     m2   m3    m4     m5    m6  m7
> 
> m6 is an obsd-3.8 machine now running current
> 
> The ports on the Netgear are switched ports so not like a simple
> hub.
> 
> There is a facility on the NETGEAR to send all traffic to an inside
> machine for whatever reason.  It's called a DMZ Server although I don't
> think that is the normal usage of DMZ, but not experienced enough to
> know for sure.

That would probably send all outside-initiated traffic to your OpenBSD
box, from the sound of it. I.e., you will only see the hacks the Netgear
would have stopped anyway.

> At any rate I want to enable that feature and send all traffic to the
> obsd machine.  I want to see more of what is happening at the actual
> firewall.  It has poor logging facilities.  None in realtime.  And the
> fastest is daily by mail unless you want to logon to the router and do
> the cumbersome scanning by eye with the sorry java based interface.

However, if I read this, you also want to see the traffic to/from
m[1-5,7].

> I don't really want to accept any traffic from the INTERNET via
> NETGEAR on the obsd box but want to be able to log specific stuff as
> it hits the pf.conf filter.  I want to start analyzing what is coming
> at me more.
> 
> I will need to be able to access the obsd box via ssh from one other local
> (priv) lan machine and it will need to be accessible to the private
> side of the NETGEAR.
> 
> I'm not skilled enough with pf.conf to set this up just from the
> examples provided in the PF section of the FAQ and man pages, but I'm
> hoping to gain enough knowledge about using PF to eventually replace
> the NETGEAR with an old beater running obsd or maybe even a soekris
> box.
> 
> I hoped someone might provide a rough outline of what something like
> this would need to look like.

That is possible, but some things to consider:
        1. You are logging stuff which is blocked by any firewall, NAT
router, or even Windows-based software firewall a la ZoneAlarm. In other
words, stuff that couldn't ever harm you unless you are being very, very
clueless (and are running Windows). And, most likely, stuff that isn't
very interesting either.
        2. Unless you go with a full honeypot setup (see
www.honeynet.com or Google), you are not likely to see more than a SYN
packet being dropped by pf.
        3. There is some stuff that *can* harm you - notably, hacks in
response to connections initiated by the machines behind your firewall.
The most common form would be yet another problem in a web browser. Your
proposed setup would not catch this.
        4. Unless you are willing to spend *a lot* of time on the
honeypot, reading a good security list (Bugtraq, Full-Disclosure,
whatever) will tell you more about where the problems are than reading
pf logs.

If you *really* want to know what attacks are out there, the following
setup would make more sense:

                                INTERNET
                                   |
                            OpenBSD w/ snort
                                   |
             Netgear (optional; OpenBSD could filter, too)
                                   |
                              - clients -

Of course, one should keep in mind that Snort has its limitations, and
should be kept up to date. It has three uses:
        1. If a new vulnerability is found, and no patch is available,
and a Snort signature *is* available, Snort could tell you what machines
to disconnect.
        2. If Snort catches a return packet that looks like a
compromised machine (for instance, a reverse shell), Snort could, again,
tell you what machines to disconnect.
        3. If Snort is installed in IPS mode (ISTR this being only
possible on Linux, with some people working on a pf (*BSD) version but
not yet having production-quality code; it's called Snort-inline), it
could conceivably block attacks on unpatched machines.

That means that, for instance, the recent WMF vulnerability would have
been neatly blocked by this setup (or not - I recall quite a bit of
doubt about many signatures, as quite a few were by-passable). However,
almost all vulnerabilities in the *nix world are disclosed together with
the patch to fix them, and patching is typically faster than getting
Snort to recognize them.

Not to mention the fact that there exist many, many ways to confuse
('evade') Snort (not that it's impossible to block some/most of them,
but new ones are always springing up and it's not exactly easy), and
that Snort itself has the occasional vulnerability, too.

And as to reading what attacks your firewall has stopped today - it will
be neat for a day or two, but you'll discover there are more useful
things to be doing quickly enough.

Not to mention that logging everything adds up after a while, in regards
to disk space.

All in all, reading the logs daily (which tell you what happened to the
stuff that actually got through the firewall) is much more useful. And
if you really want more, install Snort. Telling you what packets have
been blocked by the firewall is only good for gathering statistics to
impress management into letting you buy more toys. Which is a worthy
goal, but not a misc@ subject...

                Joachim
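
A rough outline of the ruleset Harry asked for, added here as an example; it is not from either poster. It assumes the OpenBSD box (m6) has a single interface, fxp0, on the Netgear's private side, that the LAN is 192.168.1.0/24 and the admin machine is 192.168.1.10 (all constructed values), and it uses OpenBSD 3.8-era pf.conf syntax.

```pf
# /etc/pf.conf outline for m6 (OpenBSD 3.8-era syntax). Constructed
# values: one interface, fxp0, sitting on the Netgear's private side.
ext_if     = "fxp0"
lan_net    = "192.168.1.0/24"    # private side of the Netgear (assumed)
admin_host = "192.168.1.10"      # the one LAN machine allowed to ssh in

set skip on lo0

# Drop packets on fxp0 that forge this box's own address as source.
antispoof quick for $ext_if inet

# Default: block and log everything arriving on the LAN interface.
# Because the Netgear's "DMZ server" feature forwards all unsolicited
# Internet traffic here, pflog entries with non-RFC1918 sources are the
# Internet noise; as noted above, mostly a single SYN per attempt.
block in log on $ext_if all

# Silently drop the LAN's own chatter so it does not swamp the log
# (broadcasts, UPnP/SSDP announcements from the Netgear, and so on).
# Leave this out if you want LAN-originated traffic logged as well.
block in on $ext_if from $lan_net to { 255.255.255.255 224.0.0.0/4 }

# The one management path: ssh from the admin host to this box only.
pass in on $ext_if proto tcp from $admin_host to ($ext_if) \
    port ssh flags S/SA keep state

# Let the rest of the private LAN ping the box, so it is reachable.
pass in on $ext_if inet proto icmp from $lan_net to ($ext_if) \
    icmp-type echoreq keep state

# Everything this box initiates itself (DNS, ntp, cvsup) is allowed.
pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and watch the blocked packets in real time with `tcpdump -n -e -ttt -i pflog0`, which gives the realtime view the Netgear lacks.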
