tarballed
October 9th, 2002, 01:28
Hello everyone. I've been gone way too long, but I'm slowly trying to crawl back here. Been extremely busy of late.

Well, I haven't been able to really play with my OpenBSD Firewall box of late. As the days have rolled by, I've thought of many questions about stuff I'm interested in learning.

Let's start with locking down the firewall:
My firewall is up and running like a champ. The computers on my network are all working great. No problems at this time.

However, I would like to take additional steps to further lock down my box so I can tighten up the security. Anyone have some general recommendations for getting started? I'd like to install snort, but snort is an entity in itself.

Second question is, monitoring my firewall.
At this time, none of my rules are currently set to 'log.' I do plan to change that so I can learn how to read firewall logs as well as learn tcpdump.

I'd like to learn each log and what they do.

So what steps should I take to start monitoring my firewall? I just need something to get me started. I'm sure once I find one thing, there will be many more.

Thanks guys. Looking forward to suggestions!!

Tarballed

elmore
October 9th, 2002, 01:35
Well, set your rules to log. You probably don't want to log all of them; there's a few things you can do with pfctl, but mostly you'll want to start monitoring traffic with tcpdump. Check out the script I wrote, which makes monitoring via tcpdump as easy as 1, 2, 3, 4, 5:

http://screamingelectron.org/phpBB2/viewtopic.php?t=83


After that you'll definitely want to get snort installed. We can help you out with that for sure; snort sounds like a beast but is really easy breezy. Perhaps if you're lucky, I'll get off my ass and write up that snort how-to I've been meaning to write.
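As an added illustration of the "log only the rules you care about" advice above (this is not elmore's script from the linked thread and not the original poster's ruleset), here is a small constructed pf.conf with the `log` keyword on the default deny and on one inbound pass rule, plus a shell check that reports which filter rules will actually produce pflog entries. The interface names, the LAN range and the rules themselves are assumptions made up for the example; the tcpdump and pfctl invocations in the trailing comments are the standard ones for reading the pflog interface and rule counters and are shown, not executed.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed pf.conf: log the default
# deny and the inbound SSH pass, but not the bulk LAN/outbound traffic.
# Interface names (fxp0, xl0) and the LAN range are assumptions.
PF_RULES='ext_if="fxp0"
int_if="xl0"
lan="192.168.1.0/24"

scrub in all

block log all
pass quick on lo0 all
pass out on $ext_if proto { tcp, udp, icmp } all keep state
pass in on $int_if from $lan to any keep state
pass in log on $ext_if proto tcp from any to any port 22 keep state'

# audit_logging: read pf.conf text on stdin and print one line per filter
# rule, prefixed "LOG" if it carries the log keyword and "-" otherwise.
# Macro definitions, scrub lines, comments and blank lines are skipped.
audit_logging() {
    grep -E '^(block|pass)' | while read -r rule; do
        case "$rule" in
            *" log "*|*" log") echo "LOG  $rule" ;;
            *)                 echo "-    $rule" ;;
        esac
    done
}

# count_logged: number of filter rules (from stdin) that will hit pflog.
count_logged() {
    audit_logging | grep -c '^LOG'
}

printf '%s\n' "$PF_RULES" | audit_logging
echo "rules that log: $(printf '%s\n' "$PF_RULES" | count_logged)"

# On the firewall itself (not run here), the logged packets are read live
# from the pflog interface, decoded with the rule number and action:
#   tcpdump -n -e -ttt -i pflog0
# and after the fact from the file pflogd(8) writes:
#   tcpdump -n -e -ttt -r /var/log/pflog
# pfctl -vsr prints per-rule packet/byte counters, pfctl -ss the state
# table, so you can see which rules match before deciding what to log.
```

Logging the default `block` rule first is the usual starting point: it shows everything the firewall refused without flooding the log with the legitimate traffic the `pass` rules let through.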

elmore
October 9th, 2002, 01:39
Now that I think about it, I think I will move this to the OpenBSD security section, since it does deal with security.

frisco
October 9th, 2002, 02:21
However, I would like to take additional steps to further lock down my box so I can tighten up the security. Anyone have some general recommendations for getting started? I'd like to install snort, but snort is an entity in itself.

Snort falls into your category of "monitoring", not "locking down".

For locking down, start by reading securelevel(7) and chflags(1). Also check your fs mount options like noexec, nosuid, nodev, and so forth; see mount(8) for more info. Depending on the nature of the server in question, systrace(1) may be helpful (for just a firewall, maybe not, since there are limited users). Security revolves around allowing only what needs to be done and denying everything else, so set your chflags, mount options and systrace rules in accordance with this. For multi-user machines this is trickier; login.conf(5) and chroots may help.
Don't forget physical security. If you've friends who are geeky enough, they might want to place a hardware keylogger to steal your secrets.

Once you've locked down your box, then monitoring comes into play to verify that no one is trying to unlock your work.
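To make the mount-option part of this concrete, here is an added example (not frisco's, and not anything from the original poster's box) that audits an fstab-style listing for the nodev/nosuid/noexec options and prints what each filesystem is missing. The fstab lines, the disk name wd0 and the partition layout are constructed for the example; which options are "wanted" per mount point is an assumption expressed in `wanted_opts` (the root filesystem is exempt because it carries /sbin, /dev and setuid binaries, and /usr keeps setuid so that su and passwd still work). The chflags and securelevel steps in the trailing comments are shown, not executed.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed fstab listing; the disk
# wd0 and the partition layout are assumptions for illustration only.
FSTAB='/dev/wd0a / ffs rw 1 1
/dev/wd0d /usr ffs rw,nodev 1 2
/dev/wd0e /var ffs rw,nodev,nosuid 1 2
/dev/wd0f /tmp ffs rw,nodev,nosuid 1 2
/dev/wd0g /home ffs rw,nodev 1 2'

# wanted_opts MOUNTPOINT: the hardening options a filesystem should carry.
# This policy is an assumption: / needs devices and setuid binaries, /usr
# holds setuid binaries (su, passwd) so only nodev, /tmp gets all three.
wanted_opts() {
    case "$1" in
        /)    echo "" ;;
        /usr) echo "nodev" ;;
        /tmp) echo "nodev nosuid noexec" ;;
        *)    echo "nodev nosuid" ;;
    esac
}

# missing_opts MOUNTPOINT OPTIONS: print the wanted options absent from the
# comma-separated OPTIONS string, space-separated, or nothing if complete.
missing_opts() {
    mp=$1; opts=",$2,"
    out=""
    for w in $(wanted_opts "$mp"); do
        case "$opts" in
            *",$w,"*) ;;
            *) out="$out $w" ;;
        esac
    done
    echo "${out# }"
}

# audit_fstab: read fstab text on stdin and print "mountpoint: missing ..."
# for each filesystem lacking a wanted option; returns 1 if any were found.
audit_fstab() {
    rc=0
    while read -r dev mp type opts rest; do
        [ -z "$dev" ] && continue
        m=$(missing_opts "$mp" "$opts")
        if [ -n "$m" ]; then
            echo "$mp: missing $m"
            rc=1
        fi
    done
    return $rc
}

printf '%s\n' "$FSTAB" | audit_fstab

# Remaining lock-down steps on the box itself (shown, not executed here):
#   chflags schg /bsd /sbin/* /bin/*
#     schg makes the kernel and core binaries immutable; the flag can only
#     be cleared again at securelevel 0 or lower, i.e. single-user mode.
#   sysctl kern.securelevel=2
#     securelevel(7): can be raised while running but not lowered again
#     without going to single-user; check the man page for what level 2
#     locks, as it also freezes the pf ruleset, so finish tuning pf first.
```

Run against the constructed listing, the audit flags /tmp for the missing noexec and /home for the missing nosuid and exits non-zero, which makes it usable as a quick check after editing /etc/fstab.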