Joachim Schipper <[EMAIL PROTECTED]> writes:

>> There is a facility on the NETGEAR to send all traffic to an inside
>> machine for whatever reason.  It's called a DMZ Server although I don't
>> think that is the normal usage of DMZ, but not experienced enough to
>> know for sure.
>
> That would probably send all outside-initiated traffic to your OpenBSD
> box, from the sound of it. I.e., you will only see the hacks the Netgear
> would have stopped anyway.

Yeah, that's what I'm after.  As you say further along that will get
boring quickly but right now I'm interested to see what is happening
at my ssh port.  I received 13,000 hits on it over a 5 day period
after leaving it open (but with good password) inadvertently.

>> At any rate I want to enable that feature and send all traffic to the
>> obsd machine.  I want to see more of what is happening at the actual
>> firewall.  It has poor logging facilities.  None in realtime.  And the
>> fastest is daily by mail unless you want to logon to the router and do
>> the cumbersome scanning by eye with the sorry java based interface.
>
> However, if I read this, you also want to see the traffic to/from
> m[1-5,7].

No, I mean yes, but not with the current subject of setting up obsd in
the way I've been asking about.

[...]

>> I hoped someone might provide a rough outline of what something like
>> this would need to look like.

[...]

>       3. There is some stuff that *can* harm you - notably, hacks in
> response to connections initiated by the machines behind your firewall.
> The most common form would be yet another problem in a web browser. Your
> proposed setup would not catch this.
>       4. Unless you are willing to spend *a lot* of time on the
> honeypot, reading a good security list (Bugtraq, Full-Disclosure,
> whatever) will tell you more about where the problems are than reading
> pf logs.

Yes, as you've noted very time consuming and probably a bit over my
head as well.

> All in all, reading the logs daily (which tell you what happened to
> the stuff that actually got through the firewall) is much more
> useful. And if you really want more, install Snort. Telling you what
> packets have been blocked by the firewall is only good for gathering
> statistics to impress management into letting you buy more
> toys. Which is a worthy goal, but not a misc@ subject...

Well as you've noted, the firewall is turning back the real harmful
stuff, unless I get really stupid inside. (not unheard of here).

And being able to read and understand what I'm seeing about traffic
coming thru is at present largely over my thick skull.

The windows machines inside, like my wife's and 2 that are heavy gauge
video edit crunchers, are likely to be the destinations of the kind of
stuff you mentioned, but my main desktop is a gentoo linux box running
IPtables so I do get to see that traffic.

I'm hoping to gain enough from the setup I've asked about so that
skull factor gets trimmed down a bit.  And eventually set up the OBSD
box as you and others have suggested.  Between Internet and inside net.

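The poster's immediate goal is to see "what is happening at my ssh port" once the DMZ feature forwards everything to the OpenBSD box. The script below is an added example, not code from the thread or from either correspondent: it takes pflog text of the kind `tcpdump -n -e -ttt -r /var/log/pflog` prints and counts blocked inbound packets aimed at a given port, per source address, which is the view that turns 13,000 raw hits into a short list of who was knocking. The exact line layout (`rule N/(match) block in on IF: SRC.PORT > DST.PORT:`) is assumed to match what that tcpdump invocation produces; the five log lines are constructed sample data, not real traffic.

```shell
#!/bin/sh
# Added example (not from the thread). Summarise blocked inbound hits on one
# destination port from pflog text, grouped by source address.
# Assumed input layout, as printed by: tcpdump -n -e -ttt -r /var/log/pflog
#   <timestamp> rule N/(match) block in on IF: SRC.PORT > DST.PORT: <tcp flags...>

# Usage: ssh_hits_by_source PORT  < pflog-text
# Output: one "count source-address" line per source, busiest first.
ssh_hits_by_source() {
    port="$1"
    awk -v port="$port" '
        /block in/ {
            # Locate the ">" token; the fields around it are SRC.PORT and DST.PORT:
            for (i = 1; i <= NF; i++) {
                if ($i == ">") { src = $(i - 1); dst = $(i + 1) }
            }
            sub(/:$/, "", dst)                 # strip the trailing colon
            n = split(dst, d, ".")             # last dotted component is the port
            if (d[n] == port) {
                split(src, s, ".")             # first four components are the IPv4 address
                srcip = s[1] "." s[2] "." s[3] "." s[4]
                hits[srcip]++
            }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -rn
}

# Usage: ssh_hit_total PORT < pflog-text ; prints the total blocked hits on PORT.
ssh_hit_total() {
    ssh_hits_by_source "$1" | awk '{ total += $1 } END { print total + 0 }'
}

# Constructed sample log (not real traffic): two sources probe port 22,
# one of them also tries port 80, and one outbound pass entry must be ignored.
SAMPLE_PFLOG='Mar 03 10:11:12.000001 rule 2/(match) block in on fxp0: 203.0.113.5.44122 > 192.0.2.10.22: S 1:1(0) win 65535
Mar 03 10:11:13.000002 rule 2/(match) block in on fxp0: 203.0.113.5.44123 > 192.0.2.10.22: S 1:1(0) win 65535
Mar 03 10:11:14.000003 rule 2/(match) block in on fxp0: 198.51.100.7.51000 > 192.0.2.10.22: S 1:1(0) win 65535
Mar 03 10:11:15.000004 rule 2/(match) block in on fxp0: 198.51.100.7.51001 > 192.0.2.10.80: S 1:1(0) win 65535
Mar 03 10:11:16.000005 rule 4/(match) pass out on fxp0: 192.0.2.10.40000 > 203.0.113.9.22: S 1:1(0) win 65535'

# Stand-alone run over the sample: prints "2 203.0.113.5" then "1 198.51.100.7".
printf '%s\n' "$SAMPLE_PFLOG" | ssh_hits_by_source 22
```

On a live box the same function would be fed with `tcpdump -n -e -ttt -r /var/log/pflog | ssh_hits_by_source 22`, and only packets that pf actually logged (rules carrying the `log` keyword) appear there. As the reply in the thread points out, this only ever shows what the firewall already stopped; it is a statistics view, not a sign of anything that got through.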