Re: pf.conf to log specific but block all

2006-02-26 Thread Joachim Schipper
On Sat, Feb 25, 2006 at 10:16:58AM -0600, Harry Putnam wrote:
 Joachim Schipper [EMAIL PROTECTED] writes:
 
  There is a facility on the NETGEAR to send all traffic to an inside
 machine for whatever reason.  It's called a DMZ Server although I don't
  think that is the normal usage of DMZ, but not experienced enough to
  know for sure.
 
  That would probably send all outside-initiated traffic to your OpenBSD
  box, from the sound of it. I.e., you will only see the hacks the Netgear
  would have stopped anyway.
 
 Yeah, that's what I'm after.  As you say further along that will get
 boring quickly but right now I'm interested to see what is happening
 at my ssh port.  I received 13,000 hits on it over a 5 day period
 after leaving it open (but with good password) inadvertently.

Oh, SSH scans are all over the net. Set up private keys for login, and
only private keys. Add S/KEY capability, if you want to be able to log in
without carrying a floppy around.

SSH is open on all my machines, and - except for one - accepts only
private keys (the last one also accepts S/KEY, and functions as a login
station for when I'm on the road).  

  At any rate I want to enable that feature and send all traffic to the
  obsd machine.  I want to see more of what is happening at the actual
  firewall.  It has poor logging facilities.  None in realtime.  And the
  fastest is daily by mail unless you want to logon to the router and do
  the cumbersome scanning by eye with the sorry java based interface.
 
  However, if I read this, you also want to see the traffic to/from
  m[1-5,7].
 
 No,  I mean yes, but not with current subject of setting up obsd in
 the way I've been asking about.
 
 [...]
 
  I hoped someone might provide a rough outline of what something like
  this would need to look like.
 
 [...]
 
  3. There is some stuff that *can* harm you - notably, hacks in
  response to connections initiated by the machines behind your firewall.
  The most common form would be yet another problem in a web browser. Your
  proposed setup would not catch this.
  4. Unless you are willing to spend *a lot* of time on the
  honeypot, reading a good security list (Bugtraq, Full-Disclosure,
  whatever) will tell you more about where the problems are than reading
  pf logs.
 
 Yes, as you've noted very time consuming and probably a bit over my
 head as well.
 
  All in all, reading the logs daily (which tell you what happened to
  the stuff that actually got through the firewall) is much more
  useful. And if you really want more, install Snort. Telling you what
  packets have been blocked by the firewall is only good for gathering
  statistics to impress management into letting you buy more
  toys. Which is a worthy goal, but not a misc@ subject...
 
 Well as you've noted, the firewall is turning back the real harmful
 stuff, unless I get really stupid inside. (not unheard of here).
 
 And being able to read and understand what I'm seeing about traffic
 coming thru is at present largely over my thick skull.
 
 The windows machines inside, like my wife's and 2 that are heavy gauge
 video edit crunchers, are likely to be the destinations of the kind of
 stuff you mentioned, but my main desktop is a gentoo linux box running
 IPtables so I do get to see that traffic.
 
 I'm hoping to gain enough from the setup I've asked about so that
 skull factor gets trimmed down a bit.  And eventually set up the OBSD
 box as you and others have suggested.  Between Internet and inside net.

Well, doing what you want to do isn't too useful, but quite possible.

Make the OBSD machine the so-called DMZ server on the Netgear. Use a
pf.conf like the following:

set skip on { lo0 }

# This is the default, but set it explicitly - there's no reason to
# return anything
set block-policy drop

block in log
pass out keep state

Then run pflogd(8). You can now analyze the traffic from /var/log/pflog,
using tcpdump(8).

For added points, install Snort. It will not catch much, seeing as to
how outsiders will not be able to establish many connections, but it's a
good exercise if you want to go with the setup I proposed earlier, when
you are more confident.

Joachim



Re: pf.conf to log specific but block all

2006-02-25 Thread Melameth, Daniel D.
Harry Putnam wrote:
 Melameth, Daniel D. [EMAIL PROTECTED] writes:
 Thanks for the nifty summary.  I want to pester you just a little more
 then I'll get to work on this and see if I get really stuck
 somewhere.

Sounds good ;-) .

  # Address translation for machines on your LAN
  nat on $ext_if from $int_if:network to any -> ($ext_if)
 
 This looks like it's designed to allow my other boxes to be (NATed) to
 from the open bsd box.  But that won't be happening.  That happens at
 the netgear right now.  I'm only wanting to aim the same network
 traffic at the obsd box as hits the netgear.  Not actually do anything
 with it such as NATing. (only log or handle the OBSD box's own traffic
 to/from internet)

All bets are off if you don't replace the Netgear with OpenBSD.

 I haven't googled on the mirror thing you mentioned yet so maybe I'm
 not understanding what will happen when I enable sending traffic to
 obsd from Netgear box.
 
  # Block and log all traffic
  block log all
 
 Well yeah, but this can get to be a very lot of data very soon. I'd
 like to see just one general example of blocking all but logging only
 say ssh or a few other specific things.  In my tinkerings it appeared
 that it matters a lot where the log flag appears in the syntax.

On a consumer-class Internet connection, I don't expect too much.
However, the following should only log ssh:

# Block all traffic and block and log ssh
block all
block in log on $ext_if inet proto tcp from any to $ext_if port ssh

  # Allow internal machines to use the Internet
  pass out on $ext_if proto { tcp, udp, icmp } all keep state
 
 Again this won't be happening for the other machines but I kind of
 figured something like this would be necessary for the OBSD box
 itself.

You're on your own if you want to keep the Netgear as your bastion host
to the Internet.  I understand you don't feel comfortable putting the
OpenBSD box there yet, but that's the only scenario I'll likely spend my
time providing assistance with.

 This all reminded me I meant to ask one thing about networking this.
 
 My net is currently all on 192.168.0/24.  I'm wondering if this can
 all be done still in that network.  That is, set both nics on the obsd
 box to that network.  Where one side talks to the NETGEAR and the
 other talks to the rest of the lan.

While you can do this, here's where I'll stop with my reply as anything
beyond this is somewhat different from the example ruleset in the PF
guide and might become confusing for you.  However, if you really don't
want to use the OpenBSD machine as a bastion host, I recommend just
using one NIC, as the external NIC, and going from there--someone else
on the list is more than welcome to chime in further.

 The first few rules in example1 from FAQ/PF appear to be able to be
 applied to make that happen.
 
 Some vars first:
 $ext_if=rl0 (192.168.0.19)
 $int_if=dc0 (192.168.0.18)
 $priv_nets=192.168.0/24
 
  block drop in  quick on $ext_if from $priv_nets to any
  block drop out quick on $ext_if from any to $priv_nets
 
 So some kind of adjustment would have to happen here since the NETGEAR
 inside IF talking to obsd outside IF would both be $priv_nets.
 
 I'm thinking I could just use actual IPs:
 
 (NETGEAR and OBSD)
 sel_hosts = { 192.168.0.20, 192.168.0.19 }
 
 nosel_hosts =
   { 192.168.0.4, 192.168.0.5 [...] }
 
 (Keep everybody but NETGEAR and OBSD box [sel_hosts] out of $ext_if
 traffic)
 
   block drop in  quick on $ext_if from $nosel_hosts to any
   block drop out quick on $ext_if from any to $nosel_hosts
 
 But I'm getting out of my league here already...
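
Putting the pieces of this thread together, the following is an added example ruleset (not posted by anyone in the thread) for the setup Harry describes: the OpenBSD box as the Netgear's "DMZ server" with a single NIC, blocking everything inbound, logging only the ssh probes, and still letting one LAN workstation ssh in. It combines Joachim's minimal ruleset (set skip, block-policy drop, pass out keep state), Daniel's ssh-only logging rule, and the interface variables from Harry's own sketch. Assumptions: rl0 at 192.168.0.19 is the only interface, 192.168.0.4 is a placeholder for the admin workstation, and the syntax is OpenBSD 3.8-era (nat/rdr as separate rules, keep state spelled out).

```pf
# Added example pf.conf, not from the thread. Assumed: one NIC (rl0, the
# $ext_if of Harry's variables) and a placeholder admin host 192.168.0.4.
ext_if = "rl0"
admin_host = "192.168.0.4"   # placeholder: the one LAN box allowed to ssh in

set skip on { lo0 }
# Default anyway, but explicit: drop silently, never answer scanners with RSTs.
set block-policy drop

# Default deny in both directions, unlogged, so every stray probe does not
# end up in /var/log/pflog.
block all

# Log only inbound TCP to the ssh port. This is still a block rule; in pf the
# last matching rule wins (absent 'quick'), so it overrides the unlogged
# 'block all' for ssh and nothing else.
block in log on $ext_if inet proto tcp from any to $ext_if port ssh

# Let the admin workstation in. 'quick' ends rule evaluation here, and only
# the winning rule's log flag applies, so these sessions are not logged as
# blocked by the rule above.
pass in quick on $ext_if inet proto tcp from $admin_host to $ext_if port ssh \
    flags S/SA keep state

# The box's own outbound traffic (DNS, package fetches, ...) with state, so
# replies are admitted by the state table without opening anything inbound.
pass out on $ext_if proto { tcp, udp, icmp } all keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. Because the Netgear forwards all outside-initiated traffic to this host, everything except the admin host's ssh lands on the `block all` rule and is dropped unlogged; only port 22 probes reach the log.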



Re: pf.conf to log specific but block all

2006-02-25 Thread Harry Putnam
Melameth, Daniel D. [EMAIL PROTECTED] writes:

 There is a facility on the NETGEAR to send all traffic to an inside
 machine for whatever reason.  It's called a DMZ Server although I don't
 think that is the normal usage of DMZ, but not experienced enough to
 know for sure.

 This might not work the way you are expecting it to.  What you really
 want is a device that can mirror a switched port.

I've done some googling now as you suggested and what I'm seeing is
this mirroring facility is only available on high end
switches/routers.

Not ones in my price range of $2-300.  Plus, I already have this
NETGEAR so loath to spend another pile of cash.  And I know from
experimenting a year or so ago that enabling what they call DMZ
functionality will show me the traffic I want to see on whatever
machine I aim it at.

And finally, the objective here is to learn enough PF usage to be
confident I'm not opening my box for public perusal.  So not willing
to spend more on hardware.  Except maybe a soekris box but then I'm
back to needing to gain some confidence thru experience again.



Re: pf.conf to log specific but block all

2006-02-25 Thread Harry Putnam
Melameth, Daniel D. [EMAIL PROTECTED] writes:

 On a consumer-class Internet connection, I don't expect too much.
 However, the following should only log ssh:

That is what got me going on this... By negligence I'd left ssh open
after coming home from a trip where I had it open for connecting to
home machine.  Normally I turn it back off when I'm home. 

I saw over a 5 day period some 13,000 hits on ssh port.  Apparently
some half configured dictionary attacks.  I say half configured
because the attempted user names don't seem to be in any recognizable
order.  My passwords are good so I didn't get too worried but it did
cause me to wonder what is going on that my ssh port got so
interesting suddenly.

Of course I turned it off, but that leaves me with the sorry logging
facilities of the NETGEAR.

 # Block all traffic and block and log ssh
 block all
 block in log on $ext_if inet proto tcp from any to $ext_if port ssh

Thanks, that's the one I was stumbling around with.

I read your comments about further help and want to thank you for the
help already given.   I think it may be all I needed to get this done.

But I'll be back to pester people once I've gotten up my nerve and put
the OBSD box up to the plate.



Re: pf.conf to log specific but block all

2006-02-25 Thread Joachim Schipper
On Fri, Feb 24, 2006 at 08:58:11PM -0600, Harry Putnam wrote:
 I want to use pf.conf in what may be an unusual place.
 
 Not the usual shield between private net and internet.
 It would be more as a logging service but will need some config to
 allow two private net machines to access it.
 
 A network picture:
  
         INTERNET
            |
         DSLmodem
            |
     NETGEAR FW/router
    ---------------------
     |  |  |  |  |  |  |
     m1 m2 m3 m4 m5 m6 m7
 
 m6 is an obsd-3.8 machine now running current
 
 The ports on the Netgear are switched ports so not like a simple
 hub. 
 
 There is a facility on the NETGEAR to send all traffic to an inside
 machine for whatever reason.  It's called a DMZ Server although I don't
 think that is the normal usage of DMZ, but not experienced enough to
 know for sure.

That would probably send all outside-initiated traffic to your OpenBSD
box, from the sound of it. I.e., you will only see the hacks the Netgear
would have stopped anyway.

 At any rate I want to enable that feature and send all traffic to the
 obsd machine.  I want to see more of what is happening at the actual
 firewall.  It has poor logging facilities.  None in realtime.  And the
 fastest is daily by mail unless you want to logon to the router and do
 the cumbersome scanning by eye with the sorry java based interface.

However, if I read this, you also want to see the traffic to/from
m[1-5,7].

 I don't really want to accept any traffic from the INTERNET via
 NETGEAR on the obsd box but want to be able to log specific stuff as
 it hits the pf.conf filter.  I want to start analyzing what is coming
 at me more.
 
 I will need to be able to access the obsd box via ssh from one other local
 (priv) lan machine and it will need to be accessible to the private
 side of the NETGEAR.
 
 I'm not skilled enough with pf.conf to set this up just from the
 examples provided in the PF section of FAQ and man pages. But I'm
 hoping to gain enough knowledge about using PF to eventually replace
 the NETGEAR with an old beater running obsd or maybe even a soekris
 box.
 
 I hoped someone might provide a rough outline of what something like
 this would need to look like.

That is possible, but some things to consider:
1. You are logging stuff which is blocked by any firewall, NAT
router, or even Windows-based software firewall a la ZoneAlarm. In other
words, stuff that couldn't ever harm you unless you are being very, very
clueless (and are running Windows). And, most likely, stuff that isn't
very interesting either.
2. Unless you go with a full honeypot setup (see
www.honeynet.com or Google), you are not likely to see more than a SYN
packet being dropped by pf.
3. There is some stuff that *can* harm you - notably, hacks in
response to connections initiated by the machines behind your firewall.
The most common form would be yet another problem in a web browser. Your
proposed setup would not catch this.
4. Unless you are willing to spend *a lot* of time on the
honeypot, reading a good security list (Bugtraq, Full-Disclosure,
whatever) will tell you more about where the problems are than reading
pf logs.

If you *really* want to know what attacks are out there, the following
setup would make more sense:

INTERNET
   |
OpenBSD w/ snort
   |
 Netgear (optional; OpenBSD could filter, too)
   |
  - clients -

Of course, one should keep in mind that Snort has its limitations, and
should be kept up to date. It has three uses:
1. If a new vulnerability is found, and no patch is available,
and a Snort signature *is* available, Snort could tell you what machines
to disconnect.
2. If Snort catches a return packet that looks like a
compromised machine (for instance, a reverse shell), Snort could, again,
tell you what machines to disconnect.
3. If Snort is installed in IPS mode (ISTR this being only
possible on Linux, with some people working on a pf (*BSD) version but
not yet having production-quality code); it's called Snort-inline), it
could conceivably block attacks on unpatched machines.

That means that, for instance, the recent WMF vulnerability would have
been neatly blocked by this setup (or not - I recall quite a bit of
doubt about many signatures, as quite a few were bypassable). However,
almost all vulnerabilities in the *nix world are disclosed together with
the patch to fix them, and patching is typically faster than getting
Snort to recognize them.

Not to mention the fact that there exist many, many ways to confuse
('evade') Snort (not that it's impossible to block some/most of them,
but new ones are always springing up and it's not exactly easy), and

Re: pf.conf to log specific but block all

2006-02-25 Thread Harry Putnam
Joachim Schipper [EMAIL PROTECTED] writes:

 There is a facility on the NETGEAR to send all traffic to an inside
 machine for whatever reason.  It's called a DMZ Server although I don't
 think that is the normal usage of DMZ, but not experienced enough to
 know for sure.

 That would probably send all outside-initiated traffic to your OpenBSD
 box, from the sound of it. I.e., you will only see the hacks the Netgear
 would have stopped anyway.

Yeah, that's what I'm after.  As you say further along that will get
boring quickly but right now I'm interested to see what is happening
at my ssh port.  I received 13,000 hits on it over a 5 day period
after leaving it open (but with good password) inadvertently.

 At any rate I want to enable that feature and send all traffic to the
 obsd machine.  I want to see more of what is happening at the actual
 firewall.  It has poor logging facilities.  None in realtime.  And the
 fastest is daily by mail unless you want to logon to the router and do
 the cumbersome scanning by eye with the sorry java based interface.

 However, if I read this, you also want to see the traffic to/from
 m[1-5,7].

No,  I mean yes, but not with current subject of setting up obsd in
the way I've been asking about.

[...]

 I hoped someone might provide a rough outline of what something like
 this would need to look like.

[...]

   3. There is some stuff that *can* harm you - notably, hacks in
 response to connections initiated by the machines behind your firewall.
 The most common form would be yet another problem in a web browser. Your
 proposed setup would not catch this.
   4. Unless you are willing to spend *a lot* of time on the
 honeypot, reading a good security list (Bugtraq, Full-Disclosure,
 whatever) will tell you more about where the problems are than reading
 pf logs.

Yes, as you've noted very time consuming and probably a bit over my
head as well.

 All in all, reading the logs daily (which tell you what happened to
 the stuff that actually got through the firewall) is much more
 useful. And if you really want more, install Snort. Telling you what
 packets have been blocked by the firewall is only good for gathering
 statistics to impress management into letting you buy more
 toys. Which is a worthy goal, but not a misc@ subject...

Well as you've noted, the firewall is turning back the real harmful
stuff, unless I get really stupid inside. (not unheard of here).

And being able to read and understand what I'm seeing about traffic
coming thru is at present largely over my thick skull.

The windows machines inside, like my wife's and 2 that are heavy gauge
video edit crunchers, are likely to be the destinations of the kind of
stuff you mentioned, but my main desktop is a gentoo linux box running
IPtables so I do get to see that traffic.

I'm hoping to gain enough from the setup I've asked about so that
skull factor gets trimmed down a bit.  And eventually set up the OBSD
box as you and others have suggested.  Between Internet and inside net.



Re: pf.conf to log specific but block all

2006-02-25 Thread knitti
On 2/25/06, Harry Putnam [EMAIL PROTECTED] wrote:
 Melameth, Daniel D. [EMAIL PROTECTED] writes:

  On a consumer-class Internet connection, I don't expect too much.
  However, the following should only log ssh:

 That is what got me going on this... By negligence I'd left ssh open
 after coming home from a trip where I had it open for connectiong to
 home machine.  Normally I turn it back off when I'm home.

 I saw over a 5 day period some 13,000 hits on ssh port.  Apparently
 some half configured dictionary attacks.  I say half configured
 because the attemted user names don't seem to be in any recognizable
 order.  My passwords are good so I didn't get too worried but it did
 cause me to wonder what is going on that my ssh port got so
 interesting suddenly.

you worry too much. either choose good passwords, or better, set up
login with ssh-keys only. it's worth reading and googling for maybe
an hour or two, if you're not familiar with it. if this is in place, you don't
have to worry, and you also don't have to log connections to your ssh
port.


--knitti
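
Both Joachim (keys only, S/KEY on one box for road use) and knitti (ssh keys only) make the same point: once password logins are off, the dictionary attack in the log is noise. The script below is an added example, not from any poster, that checks an sshd_config for the settings they advise against and shows the hardened form beside a stock-looking one. The directive names are real OpenSSH ones; the two sample files are constructed here, and the assumed defaults for absent directives are those of OpenSSH of that era.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config for password-login
# settings and compare a weak and a hardened file. Live usage:
#   sshd_weak_settings /etc/ssh/sshd_config

# Effective value of one directive: sshd honours the first uncommented
# occurrence, so print that, or the supplied default if it is absent.
# (Match blocks are ignored; this is a simplification.)
sshd_get() {
    awk -v key="$2" -v def="$3" '
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Print one line per weak setting; return 1 if any were found, else 0.
sshd_weak_settings() {
    f="$1"; weak=0
    # OpenSSH default for PasswordAuthentication is yes, so absence counts.
    if [ "$(sshd_get "$f" PasswordAuthentication yes)" = "yes" ]; then
        echo "PasswordAuthentication yes: dictionary attacks can succeed"
        weak=1
    fi
    if [ "$(sshd_get "$f" PubkeyAuthentication yes)" != "yes" ]; then
        echo "PubkeyAuthentication no: key-only login is impossible"
        weak=1
    fi
    # Assumed default 'yes' (OpenSSH of that era); newer releases default
    # to prohibit-password, which this check also accepts.
    if [ "$(sshd_get "$f" PermitRootLogin yes)" = "yes" ]; then
        echo "PermitRootLogin yes: root account exposed to guessing"
        weak=1
    fi
    return $weak
}

# Constructed samples: a stock-looking file and its hardened counterpart.
make_samples() {
    WEAK_CFG=$(mktemp)
    HARDENED_CFG=$(mktemp)
    cat > "$WEAK_CFG" <<'EOF'
Port 22
#PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin yes
EOF
    cat > "$HARDENED_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
# Assumed: S/KEY one-time passwords arrive via keyboard-interactive, so set
# this to yes only on the one box meant to accept S/KEY from the road.
ChallengeResponseAuthentication no
EOF
}

make_samples
echo "weak file:";     sshd_weak_settings "$WEAK_CFG" || echo "-> fix before exposing port 22"
echo "hardened file:"; sshd_weak_settings "$HARDENED_CFG" && echo "-> ok"
```

Run against the real file, a non-zero exit and the printed lines tell you what to change before the port is opened at the firewall again; with keys only, a failed password guess cannot succeed regardless of how many attempts pflog records.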



pf.conf to log specific but block all

2006-02-24 Thread Harry Putnam
I want to use pf.conf in what may be an unusual place.

Not the usual shield between private net and internet.
It would be more as a logging service but will need some config to
allow two private net machines to access it.

A network picture:
 
        INTERNET
           |
        DSLmodem
           |
    NETGEAR FW/router
   ---------------------
    |  |  |  |  |  |  |
    m1 m2 m3 m4 m5 m6 m7

m6 is an obsd-3.8 machine now running current

The ports on the Netgear are switched ports so not like a simple
hub. 

There is a facility on the NETGEAR to send all traffic to an inside
machine for whatever reason.  It's called a DMZ Server although I don't
think that is the normal usage of DMZ, but not experienced enough to
know for sure.

At any rate I want to enable that feature and send all traffic to the
obsd machine.  I want to see more of what is happening at the actual
firewall.  It has poor logging facilities.  None in realtime.  And the
fastest is daily by mail unless you want to logon to the router and do
the cumbersome scanning by eye with the sorry java based interface.

I don't really want to accept any traffic from the INTERNET via
NETGEAR on the obsd box but want to be able to log specific stuff as
it hits the pf.conf filter.  I want to start analyzing what is coming
at me more.

I will need to be able to access the obsd box via ssh from one other local
(priv) lan machine and it will need to be accessible to the private
side of the NETGEAR.

I'm not skilled enough with pf.conf to set this up just from the
examples provided in the PF section of FAQ and man pages. But I'm
hoping to gain enough knowledge about using PF to eventually replace
the NETGEAR with an old beater running obsd or maybe even a soekris
box.

I hoped someone might provide a rough outline of what something like
this would need to look like.

How much of the boilerplate in the PF examples would apply, etc.

Maybe including what things would have to be allowed for the obsd box
to be a normal resident of the lan in terms of dns arp ssh access and
so on.  And how to block all in bound internet traffic but be able to
log specific stuff.

An example might be that I received 13000 hits over a 5 day period on
an ssh port I'd left open at the firewall.  It appears to be several
dictionary attacks, carried out by some 15 unique IPs. That seemed
pretty excessive and made me wonder what brought it on.

And at least it's in my syslog logs so I can work on it with all the
normal unix tools.

But I'm not really sure what goes on at the firewall since I've never
really got too involved with working with the dos files it sends beyond
scanning manually from time to time.  They have lots of goofy tabs and
dashes making script based scanning somewhat hazardous for a poorly
skilled scripter.

I've closed the ssh port of course but now I'm restricted to the poor
logging of the NETGEAR.

I'm not asking for actual rules but an outline of method and hints
about rules.



Re: pf.conf to log specific but block all

2006-02-24 Thread Melameth, Daniel D.
Harry Putnam wrote:
 I want to use pf.conf in what may be an unusual place.
 
 Not the usual shield between private net and internet.
 It would be more as a logging service but will need some config to
 allow two private net machines to access it.
 
 A network picture:
 
         INTERNET
            |
         DSLmodem
            |
     NETGEAR FW/router
    ---------------------
     |  |  |  |  |  |  |
     m1 m2 m3 m4 m5 m6 m7
 
 m6 is an obsd-3.8 machine now running current
 
 The ports on the Netgear are switched ports so not like a simple
 hub.
 
 There is a facility on the NETGEAR to send all traffic to an inside
 machine for whatever reason.  It's called a DMZ Server although I don't
 think that is the normal usage of DMZ, but not experienced enough to
 know for sure.

This might not work the way you are expecting it to.  What you really
want is a device that can mirror a switched port.

 At any rate I want to enable that feature and send all traffic to the
 obsd machine.  I want to see more of what is happening at the actual
 firewall.  It has poor logging facilities.  None in realtime.  And the
 fastest is daily by mail unless you want to logon to the router and do
 the cumbersome scanning by eye with the sorry java based interface.
 
 I don't really want to accept any traffic from the INTERNET via
 NETGEAR on the obsd box but want to be able to log specific stuff as
 it hits the pf.conf filter.  I want to start analyzing what is coming
 at me more.

I know this doesn't answer your question, but, IMHO, I suggest replacing
that consumer class Netgear device with your OpenBSD box and be done
with this whole mess--then you can do everything you laid out here
with minimal complexity and far more flexibility.



Re: pf.conf to log specific but block all

2006-02-24 Thread Harry Putnam
Melameth, Daniel D. [EMAIL PROTECTED] writes:

 There is a facility on the NETGEAR to send all traffic to an inside
 machine for whatever reason.  It's called a DMZ Server although I don't
 think that is the normal usage of DMZ, but not experienced enough to
 know for sure.

 This might not work the way you are expecting it to.  What you really
 want is a device that can mirror a switched port.

Can you enlarge on this a bit... at least a good guess for Google strings.


 At any rate I want to enable that feature and send all traffic to the
 obsd machine.  I want to see more of what is happening at the actual
 firewall.  It has poor logging facilities.  None in realtime.  And the
 fastest is daily by mail unless you want to logon to the router and do
 the cumbersome scanning by eye with the sorry java based interface.
 
 I don't really want to accept any traffic from the INTERNET via
 NETGEAR on the obsd box but want to be able to log specific stuff as
 it hits the pf.conf filter.  I want to start analyzing what is coming
 at me more.

 I know this doesn't answer your question, but, IMHO, I suggest replacing
 that consumer class Netgear device with your OpenBSD box and be done
 with this whole mess--then you can do everything you laid out here
 with minimal complexity and far more flexibility.

I'd be comfortable with that if I knew a little more about pf usage.
I'm not experienced with it enough to be sure I'm not leaving some
nasty unexpected hole.  Or some other novice error that could have
more repercussions than I want or know how to deal with.

If taking the chicken way will allow me to learn more about pf and
enough to not do some stupid novice error that gets me hacked, I
think I'd prefer it.

Is blocking all and logging specific traffic really hard to
accomplish?



Re: pf.conf to log specific but block all

2006-02-24 Thread Mitch Parker
Dan and Harry,

Agreed.  A consumer-class Netgear device will not be the best choice, as it's
got an underpowered CPU and has more than enough issues with its
configuration.  While many SOHO routers can output to syslog, unless you spend
the money for a higher-end product like a Juniper Netscreen, or retrofit a
Linksys access point with a third-party Linux distribution, you're not going
to get much in the ways of customization.

However, using pf, snort, and outputting pf and snort to syslog will give you
a clearer picture of what's going on.  The tools are more straightforward and
better-documented (IMHO) than their Linux-based counterparts.  If you want to
see everything real-time, you can use a tool like Kiwi Syslog Daemon or
syslog-ng to collect the log messages from Snort (which is real-time) and pf
(which isn't real time in my config - once every 5 minutes).  The logs are
also very straightforward to read when you use this method.

Plus, pf is a lot more flexible than commercial products, and can run on a $50
PII with a couple of eBay special Realtek 8139 NICs comfortably.

More importantly, you'll learn a lot more about what's going on with your
network, and not only what's coming onto it, but what is also leaving it.

Mitch





-Original Message-
From: [EMAIL PROTECTED] on behalf of Melameth, Daniel D.
Sent: Fri 2/24/2006 10:12 PM
To: misc@openbsd.org
Subject: Re: pf.conf to log specific but block all

Harry Putnam wrote:
 I want to use pf.conf in what may be an unusual place.

 Not the usual shield between private net and internet.
 It would be more as a logging service but will need some config to
 allow two private net machines to access it.

 A network picture:

         INTERNET
            |
         DSLmodem
            |
     NETGEAR FW/router
    ---------------------
     |  |  |  |  |  |  |
     m1 m2 m3 m4 m5 m6 m7

 m6 is an obsd-3.8 machine now running current

 The ports on the Netgear are switched ports so not like a simple
 hub.

 There is a facility on the NETGEAR to send all traffic to an inside
 machine for whatever reason.  It's called a DMZ Server although I don't
 think that is the normal usage of DMZ, but not experienced enough to
 know for sure.

This might not work the way you are expecting it to.  What you really
want is a device that can mirror a switched port.

 At any rate I want to enable that feature and send all traffic to the
 obsd machine.  I want to see more of what is happening at the actual
 firewall.  It has poor logging facilities.  None in realtime.  And the
 fastest is daily by mail unless you want to logon to the router and do
 the cumbersome scanning by eye with the sorry java based interface.

 I don't really want to accept any traffic from the INTERNET via
 NETGEAR on the obsd box but want to be able to log specific stuff as
 it hits the pf.conf filter.  I want to start analyzing what is coming
 at me more.

I know this doesn't answer your question, but, IMHO, I suggest replacing
that consumer class Netgear device with your OpenBSD box and be done
with this whole mess--then you can do everything you laid out here
with minimal complexity and far more flexibility.



Re: pf.conf to log specific but block all

2006-02-24 Thread Melameth, Daniel D.
Harry Putnam wrote:
 Melameth, Daniel D. [EMAIL PROTECTED] writes:
   There is a facility on the NETGEAR to send all traffic to an
   inside machine for whatever reason.  It's called a DMZ Server
   although I don't think that is the normal usage of DMZ, but not
   experienced enough to know for sure.
  
  This might not work the way you are expecting it to.  What you
  really want is a device that can mirror a switched port.
 
 Can you enlarge on this a bit... at least a good guess for Google
 strings.

Google for port mirroring or spanned port.

   At any rate I want to enable that feature and send all traffic to
   the obsd machine.  I want to see more of what is happening at the
   actual firewall.  It has poor logging facilities.  None in
   realtime.  And the fastest is daily by mail unless you want to
   logon to the router and do the cumbersome scanning by eye with the
   sorry java based interface. 
   
   I don't really want to accept any traffic from the INTERNET via
   NETGEAR on the obsd box but want to be able to log specific stuff
   as it hits the pf.conf filter.  I want to start analyzing what is
   coming at me more.
  
  I know this doesn't answer your question, but, IMHO, I suggest
  replacing that consumer class Netgear device with your OpenBSD box
  and be done with this whole mess--then you can do everything you
  laid out here with minimal complexity and far more flexibility.
 
 I'd be comfortable with that if I knew a little more about pf usage.
 I'm not experienced with it enough to be sure I'm not leaving some
 nasty unexpected hole.  Or some other novice error that could have
 more repercussions than I want or know how to deal with.
 
 If taking the chicken way will allow me to learn more about pf and
 enough to not do some stupid novice error that gets me hacked.  I
 think I'd prefer it.
 
 Is blocking all and logging specific traffic really hard to
 accomplish?

Outside of the nice PF guide on the OpenBSD site, for the most part, all
you really need to begin with is three rules:


# Address translation for machines on your LAN
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Block and log all traffic
block log all

# Allow internal machines to use the Internet
pass out on $ext_if proto { tcp, udp, icmp } all keep state


This will block all incoming traffic with the exception of traffic
replying to the requests of your workstations--which is likely what your
Netgear is doing now.  If you want to see all the traffic that pf is
blocking in real time, just issue a simple 'tcpdump -i pflog0' and have
fun.

Granted, pf doesn't have a point and click web interface, but if you
wanted that you probably wouldn't be using OpenBSD to begin with.  Then
again, it appears someone's taken pf (and FreeBSD) and put a pretty face
on it at http://www.pfsense.com.
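
Reading the log back is the part both Daniel (`tcpdump -i pflog0`) and Joachim (run pflogd(8), analyze /var/log/pflog with tcpdump(8)) point at, and it is where Harry's "13,000 hits from 15 unique IPs" figure comes from. The script below is an added example, not from any poster, that turns tcpdump's text output of pflog into a per-source count of blocked ssh probes plus the number of distinct sources. It assumes the line shape shown in the comment (`rule N/(match) block in on IF: SRC.PORT > DST.PORT: ...`, as tcpdump prints with `-n -e`) and runs here on constructed sample lines.

```shell
#!/bin/sh
# Added example, not from the thread: summarize what pflogd(8) recorded once
# the ruleset logs only ssh. Input is tcpdump(8) text output; assumed shape:
#   TIME rule N/(match) block in on IF: SRC.PORT > DST.PORT: FLAGS ...
# On the OpenBSD box itself:
#   tcpdump -n -e -r /var/log/pflog | ssh_hits     # the archived log
#   tcpdump -n -e -i pflog0 | ssh_hits             # live; Ctrl-C to stop

# Print "count source_ip" for every blocked inbound packet to port $1
# (default 22), busiest source first. Passed packets are ignored.
ssh_hits() {
    port="${1:-22}"
    awk -v port="$port" '
        /block in on/ {
            # locate the "SRC.PORT > DST.PORT:" triple on the line
            for (i = 1; i <= NF; i++) if ($i == ">") break
            if (i > NF) next
            src = $(i - 1); dst = $(i + 1)
            sub(/:$/, "", dst)
            n = split(dst, d, "[.]")        # last component is the port
            if (d[n] != port) next
            split(src, s, "[.]")
            hits[s[1] "." s[2] "." s[3] "." s[4]]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -rn
}

# Number of distinct sources behind those hits (the "unique IPs" figure).
ssh_unique_sources() {
    ssh_hits "$@" | wc -l | tr -d ' '
}

# Constructed sample in the format above; not real log data. Two ssh probes
# from one host, one from another, one probe to port 80 (not counted) and
# one passed admin session (not counted).
SAMPLE='10:16:58.000001 rule 2/(match) block in on rl0: 203.0.113.7.45120 > 192.168.0.19.22: S 0:0(0) win 5840
10:16:59.000002 rule 2/(match) block in on rl0: 203.0.113.7.45121 > 192.168.0.19.22: S 0:0(0) win 5840
10:17:00.000003 rule 2/(match) block in on rl0: 198.51.100.9.3311 > 192.168.0.19.22: S 0:0(0) win 65535
10:17:01.000004 rule 0/(match) block in on rl0: 198.51.100.9.3312 > 192.168.0.19.80: S 0:0(0) win 65535
10:17:02.000005 rule 4/(match) pass in on rl0: 192.168.0.4.50001 > 192.168.0.19.22: S 0:0(0) win 16384'

printf '%s\n' "$SAMPLE" | ssh_hits
printf '%s\n' "$SAMPLE" | ssh_unique_sources
```

With `-n` tcpdump prints port numbers rather than service names, which is what the port comparison relies on; pass a different port as the first argument to summarize probes to some other service the ruleset logs.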



Re: pf.conf to log specific but block all

2006-02-24 Thread Harry Putnam
Melameth, Daniel D. [EMAIL PROTECTED] writes:

Thanks for the nifty summary.  I want to pester you just a little more
then I'll get to work on this and see if I get really stuck
somewhere. 

 # Address translation for machines on your LAN
 nat on $ext_if from $int_if:network to any -> ($ext_if)

This looks like it's designed to allow my other boxes to be (NATed) to
from the open bsd box.  But that won't be happening.  That happens at
the netgear right now.  I'm only wanting to aim the same network
traffic at the obsd box as hits the netgear.  Not actually do anything
with it such as NATing. (only log or handle the OBSD box's own traffic
to/from internet) 

I haven't googled on the mirror thing you mentioned yet so maybe I'm
not understanding what will happen when I enable sending traffic to
obsd from Netgear box.

 # Block and log all traffic
 block log all

Well yeah, but this can get to be a very lot of data very soon. I'd like
to see just one general example of blocking all but logging only say
ssh or a few other specific things.  In my tinkerings it appeared that
it matters a lot where the log flag appears in the syntax.

 # Allow internal machines to use the Internet
 pass out on $ext_if proto { tcp, udp, icmp } all keep state

Again this won't be happening for the other machines but I kind of
figured something like this would be necessary for the OBSD box
itself. 

This all reminded me I meant to ask one thing about networking this. 

My net is currently all on 192.168.0/24.  I'm wondering if this can
all be done still in that network.  That is, set both nics on the obsd
box to that network.  Where one side talks to the NETGEAR and the
other talks to the rest of the lan.

The first few rules in example1 from FAQ/PF appear to be able to be
applied to make that happen.

Some vars first:
$ext_if=rl0 (192.168.0.19)
$int_if=dc0 (192.168.0.18)
$priv_nets=192.168.0/24

 block drop in  quick on $ext_if from $priv_nets to any
 block drop out quick on $ext_if from any to $priv_nets 

So some kind of adjustment would have to happen here since the NETGEAR
inside IF talking to obsd outside IF would both be $priv_nets.  

I'm thinking I could just use actual IPs:

(NETGEAR and OBSD)
sel_hosts = { 192.168.0.20, 192.168.0.19 }

nosel_hosts = 
  { 192.168.0.4, 192.168.0.5 [...] } 

(Keep everybody but NETGEAR and OBSD box [sel_hosts] out of $ext_if
traffic)

  block drop in  quick on $ext_if from $nosel_hosts to any
  block drop out quick on $ext_if from any to $nosel_hosts 

But I'm getting out of my league here already...