clamav and snat
Ion-Mihai Tetcu
itetcu at people.tecnik93.com
Fri Feb 18 15:54:04 PST 2005
On Fri, 18 Feb 2005 18:19:39 +0200
vaida bogdan <vaida.bogdan at gmail.com> wrote:
> Hi, I use postfix+mailscanner on my mail server to block a lot of
> viruses coming from my internal network. I would like to implement a
> solution to block virus traffic on the internal gateway. The network
> looks like this:
>
> WIN-
> WIN- ----GW1----- -----MAIL SERVER----- -----GW2----
> WIN-
>
> GW1 does snat:
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> SNAT all -- intip/24 anywhere to:extip
>
> One (or more) WIN is infected but I don't know which of the 30
> computers on the network. I receive virused attachments on the MAIL
> SERVER from the GW1's ip. WIN are on the internal network.
>
> An idea would be to extract mail traffic passing through GW1 in mbox
> format and scan it with clamav (but it would still have the snatted
> ext ip). I'm looking for better ideas/implementations. Also, please
> tell me which tool should I use to sniff mail on GW1 or if there is a
> better solution.

I'm not familiar with the snat you're using but couldn't you:

- redirect GW1_intip:25 to loopback:25 before NATing
- put a transparent smtp proxy to listen on loopback:25 and relay on MAILSERVER
- tail -f /path/to/proxy_log

smtp proxy could be mail/dspampd or security/clamsmtp

--
IOnut
Unregistered ;) FreeBSD "user"
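
An added example, not part of the original message: because the proxy accepts the connection before GW1 applies SNAT, its log carries the internal client address, so the log can be reduced to a per-host count of infected messages. The log layout, the `smtpproxy` program name and the sample lines are constructed assumptions; adapt the two patterns to what your proxy actually writes.

```python
import re
from collections import Counter

# Constructed sample log. Assumed layout: every line carries a session id;
# one line records the client address, later lines record the scan verdict.
SAMPLE_LOG = """\
Feb 18 16:01:02 gw1 smtpproxy: 1000A: accepted connection from: 192.168.0.12
Feb 18 16:01:03 gw1 smtpproxy: 1000A: from=a@example.org, to=b@example.net, status=CLEAN
Feb 18 16:01:10 gw1 smtpproxy: 1000B: accepted connection from: 192.168.0.27
Feb 18 16:01:11 gw1 smtpproxy: 1000C: accepted connection from: 192.168.0.12
Feb 18 16:01:12 gw1 smtpproxy: 1000B: from=x@example.org, to=y@example.net, status=VIRUS:Constructed.Worm.A
Feb 18 16:01:13 gw1 smtpproxy: 1000C: from=a@example.org, to=c@example.net, status=CLEAN
Feb 18 16:02:40 gw1 smtpproxy: 1000D: accepted connection from: 192.168.0.27
Feb 18 16:02:41 gw1 smtpproxy: 1000D: from=x@example.org, to=z@example.net, status=VIRUS:Constructed.Worm.A
Feb 18 16:02:42 gw1 smtpproxy: 1000D: from=x@example.org, to=q@example.net, status=VIRUS:Constructed.Worm.B
Feb 18 16:03:00 gw1 smtpproxy: 1000E: from=l@example.org, to=r@example.net, status=VIRUS:Constructed.Worm.A
"""

CONNECT = re.compile(r": (\w+): accepted connection from: (\S+)")
VERDICT = re.compile(r": (\w+): from=.*status=VIRUS:(\S+)")

def infected_hosts(lines):
    """Map each pre-SNAT client IP to a Counter of the virus names it sent."""
    session_ip = {}  # session id -> client address as seen by the proxy
    hits = {}        # client address -> Counter(virus name)
    for line in lines:
        m = CONNECT.search(line)
        if m:
            session_ip[m.group(1)] = m.group(2)
            continue
        m = VERDICT.search(line)
        if m:
            # Sessions are interleaved, so look the address up by session id.
            # A verdict whose connect line is missing (rotated log) is kept.
            ip = session_ip.get(m.group(1), "unknown")
            hits.setdefault(ip, Counter())[m.group(2)] += 1
    return hits

def report(hits):
    """Return (ip, infected message count) pairs, worst offender first."""
    totals = ((ip, sum(c.values())) for ip, c in hits.items())
    return sorted(totals, key=lambda t: (-t[1], t[0]))

if __name__ == "__main__":
    for ip, total in report(infected_hosts(SAMPLE_LOG.splitlines())):
        print(f"{ip}\t{total} infected message(s)")
```
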
More information about the freebsd-isp
mailing list