From owner-freebsd-isp@FreeBSD.ORG Fri Feb 18 23:54:04 2005
Date: Sat, 19 Feb 2005 01:53:56 +0200
From: Ion-Mihai Tetcu
To: vaida bogdan
Cc: freebsd-isp@freebsd.org
Subject: Re: clamav and snat
Message-ID: <20050219015356.53076ae6@it.buh.tecnik93.com>
In-Reply-To: <12848a3b05021808196fa92aea@mail.gmail.com>

On Fri, 18 Feb 2005 18:19:39 +0200 vaida bogdan wrote:

> Hi, I use postfix+mailscanner on my mail server to block a lot of
> viruses coming from my internal network. I would like to implement a
> solution to block virus traffic on the internal gateway. The network
> looks like this:
>
> WIN-
> WIN- ----GW1----- -----MAIL SERVER----- -----GW2----
> WIN-
>
> GW1 does snat:
>
> Chain POSTROUTING (policy ACCEPT)
> target  prot opt source     destination
> SNAT    all  --  intip/24   anywhere     to:extip
>
> One (or more) WIN is infected but I don't know which of the 30
> computers on the network. I receive virus-infected attachments on the MAIL
> SERVER from the GW1's ip. WIN are on the internal network.
>
> An idea would be to extract mail traffic passing through GW1 in mbox
> format and scan it with clamav (but it would still have the snatted
> ext ip). I'm looking for better ideas/implementations. Also, please
> tell me which tool I should use to sniff mail on GW1 or if there is a
> better solution.

I'm not familiar with the snat you're using but couldn't you:

  redirect GW1_intip:25 to loopback:25 before NATing
  put a transparent smtp proxy to listen on loopback:25 and relay on MAILSERVER
  tail -f /path/to/proxy_log

smtp proxy could be mail/dspampd or security/clamsmtp

--
IOnut
Unregistered ;) FreeBSD "user"
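Added example, not part of the thread: once the transparent proxy answers on loopback:25 ahead of the SNAT rule, its log records the real internal client address, so the "tail -f" step can be turned into a small correlation script that ranks internal hosts by VIRUS verdicts. The log line shapes, hostnames and addresses below are constructed (loosely modelled on clamsmtpd's "id: message" style, not copied from it), and the two regexes are assumptions to be adjusted to whatever proxy is actually used.

```python
import re
from collections import Counter, defaultdict

# Constructed sample proxy log (not a real capture). The "id: message" shape is
# loosely modelled on clamsmtpd's output but is invented here; adjust both
# regexes below to whatever your proxy actually writes. Because the proxy is
# reached before SNAT, "accepted connection from" shows the internal client IP.
SAMPLE_LOG = """\
Feb 18 23:49:08 gw1 clamsmtpd: 100001: accepted connection from: 192.168.1.17
Feb 18 23:49:09 gw1 clamsmtpd: 100001: from=<a@example.org>, to=<b@example.org>, status=CLEAN
Feb 18 23:49:12 gw1 clamsmtpd: 100002: accepted connection from: 192.168.1.23
Feb 18 23:49:13 gw1 clamsmtpd: 100002: from=<x@example.org>, to=<y@example.org>, status=VIRUS:Worm.Example-1
Feb 18 23:50:01 gw1 clamsmtpd: 100003: accepted connection from: 192.168.1.23
Feb 18 23:50:02 gw1 clamsmtpd: 100003: from=<x@example.org>, to=<z@example.org>, status=VIRUS:Worm.Example-1
Feb 18 23:50:30 gw1 clamsmtpd: 100004: accepted connection from: 192.168.1.17
Feb 18 23:50:31 gw1 clamsmtpd: 100004: from=<a@example.org>, to=<c@example.org>, status=CLEAN
"""

CONN_RE = re.compile(r"(?P<id>\d+): accepted connection from: (?P<ip>[\d.]+)")
STATUS_RE = re.compile(r"(?P<id>\d+): .*status=VIRUS:(?P<name>\S+)")

def infected_hosts(log_text):
    """Map each internal client IP to a Counter of virus names it tried to send.

    Connection lines give id -> source IP, verdict lines give id -> VIRUS name;
    joining them on the proxy's connection id attributes each hit to the
    pre-NAT internal address rather than to GW1's external IP.
    """
    ip_by_conn = {}
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            ip_by_conn[m["id"]] = m["ip"]
            continue
        m = STATUS_RE.search(line)
        if m and m["id"] in ip_by_conn:  # skip verdicts with no known client
            hits[ip_by_conn[m["id"]]][m["name"]] += 1
    return dict(hits)

def ranked_report(log_text):
    """Return (ip, number of infected messages) pairs, noisiest host first."""
    totals = {ip: sum(c.values()) for ip, c in infected_hosts(log_text).items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for ip, n in ranked_report(SAMPLE_LOG):
        print(f"{ip}\t{n} infected message(s)")
```

On a live gateway, feed the script the proxy's real log (or pipe `tail -f` through a variant of it) and the top entry is the internal host to pull off the network first.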