Hi Tom,

So far, anything with Shorewall is running really great. I love your piece of work a lot.

Short question now: would it be possible to redirect any SMTP traffic to a virus scanner (just like we do it with HTTP requests to Squid)? Like this, I could filter any malicious outgoing mail traffic.

Thx a lot
Andy
NDEE wrote:
> Hi Tom,
> so far, anything with shorewall is running really great. I love your
> piece of work a lot.

Thanks.

> Short question now: would it be possible to redirect any smtp traffic to
> a virusscanner (just like we do it with http requests to squid)?

Sure.

> Like this, I could filter any malicious outgoing mail traffic.

So why is outgoing traffic a concern? Don't hosts behind your firewall send their outgoing mail through an MTA? Why not just configure a virus scanner on that MTA?

-tOM
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On 22 Apr 2004 at 12:14, Tom Eastep wrote:
> > Like this, I could filter any malicious outgoing mail traffic.
>
> So why is outgoing traffic a concern? Don't hosts behind your firewall
> send their outgoing mail through an MTA? Why not just configure a
> virus scanner on that MTA?
>
> -tOM
> --
> Tom Eastep

Tom,

I suspect he is talking about egress filtering in case a worm with a built-in SMTP engine starts broadcasting. He would (as you hint) be better off to have sendmail/postfix for all local outbound mail and block port 25 loc2net.

--
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
._______________________________________
John S. Andersen
NORCOM                 mailto:JAndersen@norcomsoftware.com
Juneau, Alaska         http://www.screenio.com/
Hi John,

In a perfect world I would agree. Sending through an MTA would be perfect, and blocking all other SMTP traffic is what one should do. Just :-) we are not living in a perfect world. 3 months ago I had a customer with an HR worker doing long hours all the time without complaining, if he could just manage his soccer club's website and internet stuff. As a result he was allowed to do Frontpage, POP3 and SMTP through the firewall directly. So, some ingress check for those connections might be useful. As said, this is not good and should not be allowed by internal policies, but well <sigh>

Axel Westerhold

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of John S. Andersen
Sent: Thursday, 22 April 2004 22:02
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Virusfilter with shorewall

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
On 22 Apr 2004 at 20:30, Axel@congos-tools.com wrote:
> Just :-) we are not living in a perfect world. 3 month ago I had a
> customer with a HR worker doing long hours all the time without
> complaining if he could just manage his soccer clubs website and
> internet stuff. As a result he was allowed to do Frontpage, POP3 and
> SMTP through the firewall directly. So, some ingress check for those
> connections might be useful.

Yes, I had the same problem, but Frontpage and POP3 presented no problem, and generally don't require filtering. It was only the SMTP outbound that would let the worms run wild.

We finally just decided to put in this rule:

DROP:info loc net tcp 25

which requires all outbound SMTP to go through our local sendmail. On the rare occasions when we need to send something via our ISP's MTA (mostly for appearances' sake in the headers), we ssh to our account and forward port 2525 to the mail server's port 25 and send it that way.

It's really only the outbound stuff you have to worry about to keep machines on your net from becoming spambots and worm mongers.

--
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
._______________________________________
John S. Andersen
NORCOM                 mailto:JAndersen@norcomsoftware.com
Juneau, Alaska         http://www.screenio.com/
Well, as this is OT this will be my closing comment :->

Lucky you! As the management decided this guy can do SMTP directly, I had to violate 2 rules: a.) a static IP for this client PC and b.) direct access from this PC over SMTP. I would prefer to check this traffic for viruses and spam, but without any transparent SMTP proxy checking for virus and spam signatures I can't do much at all.

Axel

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of John S. Andersen
Sent: Thursday, 22 April 2004 22:46
To: Mailing List for Shorewall Users
Subject: RE: [Shorewall-users] Virusfilter with shorewall
Axel@congos-tools.com wrote:
> Well, as this is OT this will be my closing comment :->
>
> Lucky you ! As the management decided this guy can do SMTP directly I
> had to violate 2 rules a.) an static IP for this client PC and b.)
> direct access from this PC over SMTP. I would prefer to check this
> traffic for viruses and Spam but without any transparent SMTP proxy
> checking for viruses and SPAM signatures I can't do much at all.

Well, transparent proxying using Postfix/Sendmail as an SMTP proxy is certainly not difficult to set up.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
Uhmmm,

I haven't even thought about Postfix. I will need to check the docs.

Thanks,
Axel

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Thursday, 22 April 2004 23:05
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Virusfilter with shorewall
Axel@congos-tools.com wrote:
> Uhmmm,
>
> I haven't even thought about Postfix. I will need to check the docs.

Postfix interfaces nicely with a number of AV engines and is easy to configure. Because email is self-addressing, it is easy to redirect and proxy.

REDIRECT loc 25 tcp 25

Note that you must use an MTA for the proxy -- most AV engines are too light-weight to act as MTAs on their own.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
Tom Eastep wrote:
> Axel@congos-tools.com wrote:
>
>> Uhmmm,
>>
>> I haven't even thought about Postfix. I will need to check the docs.
>
> Postfix interfaces nicely with a number of AV engines and is easy to
> configure. Because email is self-addressing, it is easy to redirect and
> proxy.

However, as Alex pointed out in a private post, things like POP before SMTP, TLS and SMTP Auth clearly break if you insert a proxy.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
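The two rules quoted in this thread (John's "DROP:info loc net tcp 25" and Tom's "REDIRECT loc 25 tcp 25") each need an exception before they are usable, otherwise the site's own MTA loses outbound mail too. The /etc/shorewall/rules fragment below is an added illustration, not code from the thread or from the Shorewall project. It assumes an internal MTA at 192.168.1.10 (a made-up address), that the scanning Postfix for the redirect variant runs on the firewall itself, and that your Shorewall version accepts "!" exclusion in the SOURCE column. Shorewall evaluates rules in order, so each exception sits above the rule it relaxes.

```text
#ACTION      SOURCE                DEST   PROTO  DEST
#                                                PORT(S)
#
# Weak starting point the thread argues against: every loc host may
# open SMTP connections to the Internet, so a worm with its own SMTP
# engine on any PC sends directly. Shown commented out for contrast.
#ACCEPT      loc                   net    tcp    25

# Variant 1 (John's rule plus its exception): only the internal MTA
# (assumed address 192.168.1.10) may send outbound SMTP; port 25 from
# any other loc host is dropped and logged at syslog level "info".
ACCEPT       loc:192.168.1.10      net    tcp    25
DROP:info    loc                   net    tcp    25

# Variant 2 (Tom's rule made complete): transparently redirect port 25
# from every loc host except the internal MTA to a scanning Postfix on
# the firewall, and let that Postfix (and the internal MTA) relay out.
# Use variant 1 or variant 2, not both.
REDIRECT     loc:!192.168.1.10     25     tcp    25
ACCEPT       loc:192.168.1.10      net    tcp    25
ACCEPT       $FW                   net    tcp    25
```

Run "shorewall check" before "shorewall restart" to catch column mistakes. With variant 1 the DROP:info entries in syslog are the detection signal: any loc address other than the MTA appearing there is either a misconfigured client or a host sending mail on its own. With variant 2, remember Tom's caveat above: a client that expected TLS or SMTP AUTH with an external server is now talking to the firewall's Postfix instead and will fail, so such clients must be pointed at the local MTA explicitly rather than relying on the redirect.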