Hi Tom,

I'm very glad using Shorewall. I'm proud to say that I use it in my whole network (215 real IPs over Proxy ARP). I can filter everyone, have MAC control of them, etc. etc. Well, I'm like a child playing with it :)

But now I have a question: is there any way to filter or use an anti-virus in this network? To drop packets with viruses? To scan HTTP requests? Or maybe use DansGuardian?

Do you have any tip?

I'm running Shorewall 2.2 on a quad P3 1 GHz with 4 GB memory. (Shorewall is very happy too!! ehehehehe)

Thanks a lot for this amazing work!

Cheers

Carlos Arnt.
Carlos Arnt wrote:
> But now I have a question: is there any way to filter or use an anti-virus in this network?
> To drop packets with viruses? To scan HTTP requests? Or maybe use DansGuardian?
>
> Do you have any tip?

I haven't tried anything with HTTP -- I use amavisd-new with ClamAV and SpamAssassin for email filtering.

> I'm running Shorewall 2.2 on a quad P3 1 GHz with 4 GB memory.
> (Shorewall is very happy too!! ehehehehe)
>
> Thanks a lot for this amazing work!

You are welcome.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
If you use squid as a proxy on your firewall, there is a script called "willowbark" that integrates with squidguard and can be used to scan web downloads for viruses prior to them making it to your workstation. It's not an instantaneous process and the script isn't without its bugs, but it does work, more or less.

On Fri, 07 Jan 2005 08:20:01 -0800, Tom Eastep <teastep@shorewall.net> wrote:
> Carlos Arnt wrote:
> > But now I have a question: is there any way to filter or use an anti-virus in this network?
> > To drop packets with viruses? To scan HTTP requests? Or maybe use DansGuardian?
>
> I haven't tried anything with HTTP -- I use amavisd-new with ClamAV and
> SpamAssassin for email filtering.
try this:

http://www.harvest.com.br/asp/afn/dg.nsf

squidguard with antivirus support..:)

On Fri, 7 Jan 2005 14:07:30 -0200, Carlos Arnt <carlinhos@key.com.br> wrote:
> But now I have a question: is there any way to filter or use an anti-virus in this network?
> To drop packets with viruses? To scan HTTP requests? Or maybe use DansGuardian?
Robert K Coffman Jr - Info From Data Corporation
2005-Jan-10 13:39 UTC
Securing SSH / DHCP
I'm using SSH to remotely administer several LEAF routers (a mix of Bering 1.2 and Bering uClibc 2.2.2).

I'd like to limit who can get to that port; however, my own IP address is dynamic. I read Tom Eastep's well-reasoned objections to using DNS names in Shorewall rules, so I'm looking for other options. Port knocking seems like a good answer, but doesn't seem to be available for Bering 1.2. Are there any other options?

- Bob Coffman
Yeah, I looked at that one too and wasn't very impressed.

On Fri, 7 Jan 2005 20:41:54 -0300, Cristian Rodriguez <judas.iscariote@gmail.com> wrote:
> try this:
>
> http://www.harvest.com.br/asp/afn/dg.nsf
>
> squidguard with antivirus support..:)
Robert K Coffman Jr - Info From Data Corporation wrote:
> I'm using SSH to remotely administer several LEAF routers (a mix of Bering 1.2
> and Bering uClibc 2.2.2).
>
> I'd like to limit who can get to that port; however, my own IP address is
> dynamic. I read Tom Eastep's well-reasoned objections to using DNS names in
> Shorewall rules, so I'm looking for other options. Port knocking seems like
> a good answer, but doesn't seem to be available for Bering 1.2. Are there
> any other options?

knockd may not be available, but you can always use a shell script. Run it every minute; here's pseudo-code:

    if semaphore file exists, time = cat semaphore file
        if time > (date - 1 hour), then exit
        else, rm semaphore file
            close port
        fi
    grep log for range (time to date) | grep knock packet
    if denied knock packet exists, then open port
        date > semaphore file
    fi

I tend to trust keys, personally.

--
Jack at Monkeynoodle dot Org: It's a Scientific Venture...
Riding the Emergency Third Rail Power Trip since 1996!
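A complete, runnable version of the approach Jack sketches above, written as an added example for this thread. It is not his script and not part of Shorewall or LEAF/Bering. Everything specific is an assumption: the knock port 1234 and the file paths are hypothetical defaults; dropped packets are assumed to land in syslog in the iptables/Shorewall "SRC=... DPT=..." format; and the SSH port is opened with a plain iptables rule for the knocking source only. The decision step is kept separate from the firewall calls, so the logic can be exercised against a constructed log without root.

```shell
#!/bin/sh
# Log-driven port knocking for a router that has no knockd, run from cron every minute.
# Added example for this thread; not Jack Coates' script, not part of Shorewall or LEAF.
# Assumptions (none of these come from the thread):
#  - dropped packets are logged in the iptables/Shorewall syslog format, so a knock to
#    KNOCK_PORT leaves a line containing "SRC=<ip>" and "DPT=<port>" in LOG;
#  - KNOCK_PORT (1234) and the paths are hypothetical defaults; override them via the environment;
#  - the SSH port is opened for the knocking source only, with an iptables ACCEPT rule at the
#    head of INPUT. A Shorewall restart rebuilds the ruleset and drops that rule, so clear the
#    state file whenever Shorewall is restarted.
KNOCK_PORT=${KNOCK_PORT:-1234}
SSH_PORT=${SSH_PORT:-22}
OPEN_FOR=${OPEN_FOR:-3600}                  # seconds the port stays open after a knock
LOG=${LOG:-/var/log/messages}
STATE=${STATE:-/var/run/knock.state}        # "<opened-epoch or 0> <ip or -> <knocks already seen>"
DRY_RUN=${DRY_RUN:-0}                       # 1: print the firewall commands instead of running them

fw() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }
open_port()  { fw -I INPUT -p tcp -s "$1" --dport "$SSH_PORT" -j ACCEPT; }
close_port() { fw -D INPUT -p tcp -s "$1" --dport "$SSH_PORT" -j ACCEPT; }

# How many knocks the log holds, and the source address of the most recent one.
# The trailing space keeps "DPT=1234 " from matching "DPT=12345".
knock_count()  { grep -c "DPT=$KNOCK_PORT " "$1" || true; }
knock_source() { grep "DPT=$KNOCK_PORT " "$1" | tail -n 1 | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p'; }

# Pure decision step, kept separate so it can be exercised without touching the firewall.
# decide OPENED IP SEEN NOW LOGFILE  ->  "noop", "close <ip>" or "open <ip> <count>"
decide() {
    opened=${1:-0}; ip=${2:--}; seen=${3:-0}; now=$4; logfile=$5
    if [ "$opened" -gt 0 ]; then
        # Port is open: leave it until the window has elapsed, then close it.
        if [ $((now - opened)) -lt "$OPEN_FOR" ]; then echo noop; return; fi
        echo "close $ip"; return
    fi
    count=$(knock_count "$logfile")
    # Only a knock we have not acted on yet opens the port; the count doubles as a watermark
    # so the same log line cannot reopen it. A rotated log restarts the count at zero.
    if [ "$count" -gt 0 ] && [ "$count" -ne "$seen" ]; then
        echo "open $(knock_source "$logfile") $count"
    else
        echo noop
    fi
}

# One cron tick: read state, decide, apply, write state.
run() {
    set -- 0 - 0
    if [ -f "$STATE" ]; then set -- $(cat "$STATE"); fi
    action=$(decide "$1" "$2" "$3" "$(date +%s)" "$LOG")
    set -- $action
    case "$1" in
        open)  open_port "$2";  echo "$(date +%s) $2 $3" > "$STATE" ;;
        close) close_port "$2"; echo "0 - $(knock_count "$LOG")" > "$STATE" ;;
    esac
}

# Constructed sample log (RFC 5737 addresses, Shorewall-style prefix) for a dry run or a test:
# a knock from 198.51.100.7, a decoy hit on port 12345, then a second knock from the same host.
sample_log() {
    cat > "$1" <<'EOF'
Jan 10 08:39:01 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=445 SYN URGP=0
Jan 10 08:39:05 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=1234 SYN URGP=0
Jan 10 08:39:20 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=12345 SYN URGP=0
Jan 10 08:39:31 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=51001 DPT=1234 SYN URGP=0
EOF
}

case "${1:-}" in run) run ;; esac
```

To try it without a firewall, generate the sample log with `sh -c '. ./knock.sh; sample_log ./sample.log'` and then run `DRY_RUN=1 LOG=./sample.log STATE=./knock.state sh ./knock.sh run` twice: the first tick prints the ACCEPT rule for 198.51.100.7 and writes the state file, the second is a no-op until the window has elapsed. The cron entry is simply `* * * * * /usr/local/sbin/knock.sh run`. Two caveats a deployer should keep in mind: the knock is a single unauthenticated packet whose source address can be spoofed, so the script only ever opens the port for the address that knocked and the real access control remains sshd's authentication, which is Jack's point about keys; and the watermark resets when the log rotates, so a rotation right after a knock can open the port once more.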
1. Disable root login in sshd_config:

    PermitRootLogin no

2. Use the AllowUsers directive to permit only your user or trusted users to log in on sshd:

    AllowUsers you boss other-trusted-user

That's it.

On Mon, 10 Jan 2005 08:39:33 -0500, Robert K Coffman Jr - Info From Data Corporation <bcoffman@infofromdata.com> wrote:
> I'd like to limit who can get to that port; however, my own IP address is
> dynamic. I read Tom Eastep's well-reasoned objections to using DNS names in
> Shorewall rules, so I'm looking for other options. Port knocking seems like
> a good answer, but doesn't seem to be available for Bering 1.2. Are there
> any other options?
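A check for the two directives Cristian lists, as an added example for this thread (not from the thread, and not part of OpenSSH, Shorewall or LEAF). It also looks at PasswordAuthentication, because key-only login is what makes an exposed SSH port tolerable, which is Jack's point. The script resolves a keyword the way sshd does: the first occurrence wins, keyword names are case-insensitive, and anything after a Match line is conditional, so it stops there. The two sample configs are constructed for the example and assume the usual "Keyword value" layout.

```shell
#!/bin/sh
# Audit an sshd_config for PermitRootLogin no, an AllowUsers list and PasswordAuthentication no.
# Added example for this thread; not part of OpenSSH, Shorewall or LEAF. It reads the file the
# way sshd resolves a keyword: the first occurrence wins, keywords are case-insensitive, and
# anything after a "Match" line is conditional, so the scan stops there. Assumes the usual
# "Keyword value" layout (the rarer "Keyword=value" form is not handled).

# sshd_value FILE KEYWORD -> prints the effective top-level value, or nothing if unset.
sshd_value() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/        { next }                           # blank or comment
        tolower($1) == "match"      { exit }                           # conditional block: stop
        tolower($1) == tolower(key) { $1 = ""; sub(/^ /, ""); print; exit }
    ' "$1"
}

# sshd_check FILE -> one line per finding on stdout; exit status 1 if anything was found.
sshd_check() {
    f=$1; rc=0
    v=$(sshd_value "$f" PermitRootLogin)
    if [ "$v" != no ]; then
        echo "PermitRootLogin is '${v:-unset}', want 'no': log in as a named user and escalate"; rc=1
    fi
    v=$(sshd_value "$f" AllowUsers)
    if [ -z "$v" ]; then
        echo "AllowUsers is unset: every account with a valid shell may log in"; rc=1
    fi
    v=$(sshd_value "$f" PasswordAuthentication)
    if [ "$v" != no ]; then
        echo "PasswordAuthentication is '${v:-unset}', want 'no': keys only"; rc=1
    fi
    return $rc
}

# Constructed sample configs (not from any real host). The weak one leaves root and password
# login on and hides its only "no" lines behind a comment and a Match block; the hardened one
# also carries a later duplicate that sshd ignores because the first value wins.
weak_config() {
    cat > "$1" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
Match User backup
    PermitRootLogin no
    PasswordAuthentication no
EOF
}
hardened_config() {
    cat > "$1" <<'EOF'
Port 22
permitrootlogin no
PasswordAuthentication no
AllowUsers bob boss
PermitRootLogin yes
EOF
}
```

Run it as `sshd_check /etc/ssh/sshd_config` after sourcing the file; a clean config prints nothing and returns 0, the weak sample above reports all three findings. Remember that sshd reads the file at start, so a change only takes effect after the daemon is restarted, and that AllowUsers also accepts user@host patterns, which is the one place a dynamic address makes the list less useful than it looks.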
Robert K Coffman Jr - Info From Data Corporation
2005-Jan-11 14:10 UTC
RE: Securing SSH / DHCP
Thanks Cristian and Jack Coates for the advice. After I posted I realized my brother had a machine with a static IP that I could use to manage these machines, and he was cool with giving me a shell account for this purpose. Until I finish the firewall upgrades, I'll use that.

- Bob Coffman

-----Original Message-----
From: Cristian Rodriguez
Sent: Monday, January 10, 2005 11:30 AM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Securing SSH / DHCP

> 1. Disable root login in sshd_config:
>
>     PermitRootLogin no
>
> 2. Use the AllowUsers directive to permit only your user or trusted users to log in on sshd:
>
>     AllowUsers you boss other-trusted-user
>
> That's it.