[buug] Convert Linux Gateway to OpenBSD

Charles Howse chowse at charter.net
Thu Oct 24 13:31:29 PDT 2002


> > Have also worn out the book "FreeBSD Unleashed".
> 
> haven't heard of it. any good for a newbie?

I liked it...
http://www.amazon.com - "FreeBSD Unleashed"

> > Remember, I said I'm running PortSentry, LogSentry, Logwatch, etc.
> 
> portsentry is useless. a little worse than useless, actually. 
> what's the point of having a piece of software detect 
> portscans on a machine that's doing nat?

Well, because my web server and mail server live at that address.
Remember, the routable address is the address of the external interface
on the Linux machine.
If they hack that address, they can root the box.
Am I missing your point?

> > Where can I look at a real good pf.conf file?
> 
> dig up a howto off of google. i'd actually suggest reading 
> the IPFilter howto to get an idea of how the rules are set 
> up. pf has a bit simpler syntax, and seems to run somewhat 
> faster. the man pages for pf.conf are fairly decent in 
> documenting basic examples.

I thought man pf.conf had a good example.  I may try that.

Could you please confirm that in the nat rules AND in the pf rules, I
can refer to the interface (ep1) rather than the actual dynamic IP
address of the external interface?  It will ruin everything if I have to
refer to an IP address that is going to change every 4 hours or so.  ;-)

> but, when you're building a machine intended for one purpose, 
> why make it a generalist? that breaks Best Practice. if 

Because it's the only machine I have available!  ;-)
I'd rather keep Larry to experiment with.

> you're forced to make it a general system, you have it 
> stripped down to bare minimum, then start including 
> everything you think you may need.
> 
> from your emails, you need:
> 
> 	nat/firewall
> 	WebServer
> 	mail
> 
> everything else is just icing.

Well, I would agree...so...I should upgrade to stable, apply the
patches, then remove the compiler, then put it on the network?  How do I
apply future patches?  (I admit I haven't done my homework here.)
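As an added example, not part of this thread, the following pf.conf sketches the setup the poster describes (a gateway doing NAT that also hosts the web and mail servers on its external interface) and refers to the interface by name instead of by its dynamic address. It assumes ep1 is the external interface with a lease that changes, ep0 is the LAN on 192.168.1.0/24 (both constructed), and the section ordering of the pf.conf(5) of that era (translation rules before filter rules).

```pf
# Added example (not from the thread). Constructed assumptions:
#   ep1 = external interface, address assigned by DHCP and changing
#   ep0 = internal LAN, 192.168.1.0/24
ext_if  = "ep1"
int_if  = "ep0"
int_net = "192.168.1.0/24"

# --- Translation (NAT) -----------------------------------------------------
# ($ext_if) in parentheses means "whatever address ep1 holds right now", so
# the rule follows the lease; a bare $ext_if is expanded to the address only
# once, when the ruleset is loaded.
nat on $ext_if from $int_net to any -> ($ext_if)

# --- Filtering -------------------------------------------------------------
# Default deny in both directions, logging what is dropped.
block in  log all
block out log all

# Loopback and the internal LAN are trusted.
pass quick on lo0 all
pass quick on $int_if all

# Hosts behind the NAT may reach the Internet; replies come back via state.
pass out on $ext_if proto { tcp udp icmp } all keep state

# From outside, only the services that actually run on this box are
# reachable: SMTP (25) and HTTP (80). Everything else on the external
# interface is caught by the default block above.
pass in on $ext_if proto tcp from any to ($ext_if) port { 25 80 } \
    flags S/SA keep state
```

Load it with pfctl -f /etc/pf.conf and verify the address-tracking form against man pf.conf on the installed release.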
