[Snort-users] Help with Hogwash on OpenBSD

Matt Kettler mkettler at ...7367...
Wed Apr 30 13:27:05 EDT 2003

As I mentioned in another post earlier today, hogwash is not very well 
documented, and worse still, it's easy to have it "fail open".

Unless you're comfortable reading the source to figure out how it works, 
I'd avoid hogwash until the docs are significantly better and the 
development is further along.

There is some documentation at

but it isn't well organized and is incomplete.

To the defense of hogwash, it looks like it is currently under major 
re-vamp, which is another reason why you should be hesitant to use it at 
this time.

If nothing else DO NOT install hogwash until you understand WHY the 
following statements are true:

         1) if the OS is configured to route/forward packets between 
interfaces, hogwash will be completely ineffective.
         2) hogwash provides no protection to the machine it is running on, 
only those behind it (subject to it being effective at all, as per #1)
         3) hogwash acts as a bypass of your firewall rules for machines 
inside the network, and does not act as a compliment. Adding IPF rules will 
only protect the hogwash machine, not the internal network.

If you don't know exactly why those statements are true, then you're not 
going to understand hogwash well enough to configure it in a secure manner, 
and will likely result in a network which is completely un-firewalled.

I've looked at it only long enough to realize it would be difficult for me 
to configure it in a secure fashion without a separate firewall box being 
present in front of the hogwash box. I know enough to realize that I can't 
write good firewall rules for it.

At 12:59 PM 4/30/2003 -0600, JOE & ANGIE wrote:
>I'm back first time user on OpenBSD.  Want to install Hogwash in my OpenBSD
>box.  Is it worth it?  Is there any documentation I can get on how to
>install the latest version on hogwash.  Already have Snort 2.0.0 running in
>my OpenBSD box.  Do I need anything else to get hogwash to run.  Downloaded
>the latest version for hogwash and went to there website.  Could not find
>any documentation.

More information about the Snort-users mailing list