On Sat, Feb 25, 2006 at 10:16:58AM -0600, Harry Putnam wrote:
> Joachim Schipper <[EMAIL PROTECTED]> writes:
> 
> >> There is a facility on the NETGEAR to send all traffic to an inside
> >> machine for whatever reason.  It's called a DMZ Server although I don't
> >> think that is the normal usage of DMZ, but not experienced enough to
> >> know for sure.
> >
> > That would probably send all outside-initiated traffic to your OpenBSD
> > box, from the sound of it. I.e., you will only see the hacks the Netgear
> > would have stopped anyway.
> 
> Yeah, that's what I'm after.  As you say further along that will get
> boring quickly but right now I'm interested to see what is happening
> at my ssh port.  I received 13,000 hits on it over a 5 day period
> after leaving it open (but with good password) inadvertently.

Oh, SSH scans are all over the net. Set up private keys for login, and
only private keys. Add S/KEY capability, if you want to be able to log in
without carrying a floppy around.

SSH is open on all my machines, and - except for one - accepts only
private keys (the last one also accepts S/KEY, and functions as a login
station for when I'm on the road).

> >> At any rate I want to enable that feature and send all traffic to the
> >> obsd machine.  I want to see more of what is happening at the actual
> >> firewall.  It has poor logging facilities.  None in realtime.  And the
> >> fastest is daily by mail unless you want to logon to the router and do
> >> the cumbersome scanning by eye with the sorry java based interface.
> >
> > However, if I read this, you also want to see the traffic to/from
> > m[1-5,7].
> 
> No, I mean yes, but not with current subject of setting up obsd in
> the way I've been asking about.
> 
> [...]
> 
> >> I hoped someone might provide a rough outline of what something like
> >> this would need to look like.
> 
> [...]
> 
> >     3. There is some stuff that *can* harm you - notably, hacks in
> > response to connections initiated by the machines behind your firewall.
> > The most common form would be yet another problem in a web browser. Your
> > proposed setup would not catch this.
> >     4. Unless you are willing to spend *a lot* of time on the
> > honeypot, reading a good security list (Bugtraq, Full-Disclosure,
> > whatever) will tell you more about where the problems are than reading
> > pf logs.
> 
> Yes, as you've noted, very time consuming and probably a bit over my
> head as well.
> 
> > All in all, reading the logs daily (which tell you what happened to
> > the stuff that actually got through the firewall) is much more
> > useful. And if you really want more, install Snort. Telling you what
> > packets have been blocked by the firewall is only good for gathering
> > statistics to impress management into letting you buy more
> > toys. Which is a worthy goal, but not a misc@ subject...
> 
> Well, as you've noted, the firewall is turning back the real harmful
> stuff, unless I get really stupid inside. (not unheard of here).
> 
> And being able to read and understand what I'm seeing about traffic
> coming through is at present largely over my thick skull.
> 
> The windows machines inside, like my wife's and 2 that are heavy gauge
> video edit crunchers, are likely to be the destinations of the kind of
> stuff you mentioned, but my main desktop is a gentoo linux box running
> IPtables so I do get to see that traffic.
> 
> I'm hoping to gain enough from the setup I've asked about so that
> skull factor gets trimmed down a bit.  And eventually set up the OBSD
> box as you and others have suggested.  Between Internet and inside net.

Well, doing what you want to do isn't too useful, but quite possible.

Make the OBSD machine the so-called DMZ server on the Netgear. Use a
pf.conf like the following:

# Don't filter loopback traffic at all
set skip on { lo0 }

# This is the default, but set it explicitly - there's no reason to
# return anything
set block-policy drop

# Block (and log to pflog0) everything that comes in from outside
block in log
# Allow the box itself to talk out, keeping state for the replies
pass out keep state

Then run pflogd(8). You can now analyze the traffic from /var/log/pflog,
using tcpdump(8).

For added points, install Snort. It will not catch much, seeing as to
how outsiders will not be able to establish many connections, but it's a
good exercise if you want to go with the setup I proposed earlier, when
you are more confident.

                Joachim
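As an added example (not part of this thread), a small POSIX shell/awk script that does the kind of analysis suggested above: it reads the text form of /var/log/pflog and counts blocked inbound connection attempts to port 22 per source address. The sample lines are constructed here to approximate `tcpdump -n -e -r /var/log/pflog` output; the interface name fxp0 and all addresses are assumptions.

```shell
#!/bin/sh
# Summarise blocked inbound SSH (port 22) attempts from pflog text.
# Feed it the output of:  tcpdump -n -e -r /var/log/pflog
# Output: one "<count> <source-ip>" line per source, busiest first.

top_ssh_sources() {
    # Reads tcpdump lines on stdin; only "block in" records are counted.
    awk '
        / block in / {
            # Locate the ">" separating "src.port" from "dst.port:"
            for (i = 1; i <= NF; i++) if ($i == ">") break
            if (i > NF) next
            src = $(i - 1); dst = $(i + 1)
            sub(/:$/, "", dst)
            # Destination port is the last dotted component
            n = split(dst, d, "."); dport = d[n]
            if (dport != "22") next
            # Drop the source port, keep the four address octets
            split(src, s, ".")
            ip = s[1] "." s[2] "." s[3] "." s[4]
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# Constructed sample, imitating tcpdump output for the pf.conf above
# (addresses are documentation ranges, not real hosts)
SAMPLE='Feb 25 10:16:58.000001 rule 0/(match) block in on fxp0: 192.0.2.10.51234 > 198.51.100.5.22: S 1:1(0) win 5840
Feb 25 10:16:59.000002 rule 0/(match) block in on fxp0: 192.0.2.10.51235 > 198.51.100.5.22: S 2:2(0) win 5840
Feb 25 10:17:00.000003 rule 0/(match) block in on fxp0: 203.0.113.7.40000 > 198.51.100.5.22: S 3:3(0) win 5840
Feb 25 10:17:01.000004 rule 0/(match) block in on fxp0: 203.0.113.7.40001 > 198.51.100.5.80: S 4:4(0) win 5840'

printf '%s\n' "$SAMPLE" | top_ssh_sources
```

On the live box, replace the sample with `tcpdump -n -e -r /var/log/pflog | top_ssh_sources`; the port-80 line in the sample shows that non-SSH hits are ignored.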
