From: vaida bogdan <vaida.bogdan@gmail.com>
To: freebsd-isp@freebsd.org
Date: Fri, 18 Feb 2005 18:19:39 +0200
Subject: clamav and snat
Message-ID: <12848a3b05021808196fa92aea@mail.gmail.com>

Hi,

I use postfix+mailscanner on my mail server to block a lot of viruses coming from my internal network. I would like to implement a solution to block virus traffic on the internal gateway.

The network looks like this:

WIN-
WIN- ----GW1----- -----MAIL SERVER----- -----GW2---- WIN-

GW1 does SNAT:

Chain POSTROUTING (policy ACCEPT)
target     prot opt source       destination
SNAT       all  --  intip/24     anywhere      to:extip

One (or more) WIN is infected, but I don't know which of the 30 computers on the network. I receive infected attachments on the MAIL SERVER from GW1's IP. The WINs are on the internal network.

An idea would be to extract the mail traffic passing through GW1 in mbox format and scan it with clamav (but it would still have the SNATed external IP). I'm looking for better ideas/implementations. Also, please tell me which tool I should use to sniff mail on GW1, or if there is a better solution.

Thanks,
Vaida Bogdan
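An added example for the question above (my own script, not code from the original post, from MailScanner or from ClamAV). The point it demonstrates: on GW1 the filter FORWARD chain and the inside interface both see packets before nat/POSTROUTING rewrites them, so a LOG rule on outbound port 25 SYNs, or a tcpdump on the inside interface, records the real internal address rather than the SNATed extip. It assumes GW1 is a Linux iptables box (the POSTROUTING listing is iptables output), that the inside interface is eth1 and the internal net is 192.168.1.0/24 (hypothetical names standing in for "intip/24"), and that kernel LOG lines land in /var/log/kern.log. The sample log lines are constructed, not real data.

```shell
#!/bin/sh
# Added example for the "clamav and snat" question; not code from the
# original post, MailScanner or ClamAV.  Assumptions (all hypothetical):
#   - GW1 runs Linux iptables (the POSTROUTING listing is iptables output)
#   - the inside interface is eth1 and the internal net is 192.168.1.0/24
#     (standing in for "intip/24")
#   - kernel LOG messages are written to /var/log/kern.log

INT_IF=${INT_IF:-eth1}
INT_NET=${INT_NET:-192.168.1.0/24}
KLOG=${KLOG:-/var/log/kern.log}

# 1. Log the SYN of every outbound SMTP connection in the filter FORWARD
#    chain.  FORWARD is traversed before nat/POSTROUTING, so SRC= in the
#    log line is the real internal address, not the SNATed extip.
add_log_rule() {
    iptables -I FORWARD 1 -i "$INT_IF" -s "$INT_NET" \
        -p tcp --dport 25 --syn \
        -j LOG --log-prefix "SMTP-OUT: " --log-level info
}

# 2. Live view of the same thing with tcpdump.  Sniffing on the inside
#    interface also sees pre-SNAT addresses; add "-w smtp.pcap" to keep a
#    capture whose payload can later be fed to clamav.
sniff_smtp() {
    tcpdump -ni "$INT_IF" -s 0 \
        "src net $INT_NET and tcp dst port 25 and tcp[tcpflags] & tcp-syn != 0"
}

# 3. Count logged SMTP connections per internal source.  Reads kernel log
#    lines on stdin, prints "count address", busiest host first.  A box that
#    opens far more SMTP connections than its neighbours is the one to
#    look at first.
top_smtp_talkers() {
    grep 'SMTP-OUT: ' \
        | sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Constructed sample of what the LOG rule writes (not real log data).
sample_log() {
    cat <<'EOF'
Feb 18 16:10:01 gw1 kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=10.0.0.5 LEN=48 TTL=127 ID=100 DF PROTO=TCP SPT=1045 DPT=25 SYN URGP=0
Feb 18 16:10:02 gw1 kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=10.0.0.5 LEN=48 TTL=127 ID=101 DF PROTO=TCP SPT=1046 DPT=25 SYN URGP=0
Feb 18 16:10:02 gw1 kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=10.0.0.5 LEN=48 TTL=127 ID=102 DF PROTO=TCP SPT=1047 DPT=25 SYN URGP=0
Feb 18 16:10:03 gw1 kernel: martian source 192.168.1.99 from 1.2.3.4, on dev eth0
Feb 18 16:10:04 gw1 kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=10.0.0.5 LEN=48 TTL=127 ID=103 DF PROTO=TCP SPT=1048 DPT=25 SYN URGP=0
EOF
}

# Usage: ./smtp-finder.sh rule | sniff | report | demo
if [ "$#" -gt 0 ]; then
    case "$1" in
        rule)   add_log_rule ;;
        sniff)  sniff_smtp ;;
        report) top_smtp_talkers < "$KLOG" ;;
        demo)   sample_log | top_smtp_talkers ;;
        *)      echo "usage: $0 rule|sniff|report|demo" >&2; exit 2 ;;
    esac
fi
```

Run `rule` once on GW1, let it sit for an hour or so, then `report` against the kernel log; on the constructed sample, `demo` puts 192.168.1.37 at the top with three connections. The rule only logs connection attempts, so a legitimately busy host will also rank high; it narrows the 30 candidates down to a few, which is enough to go and scan them. Capturing with tcpdump on eth1 rather than on the outside interface is what keeps the internal addresses in the pcap, which is the concern raised about the mbox idea.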