Date: Sat, 19 Feb 2005 01:53:56 +0200
From: Ion-Mihai Tetcu <itetcu@people.tecnik93.com>
To: vaida bogdan <vaida.bogdan@gmail.com>
Cc: freebsd-isp@freebsd.org
Subject: Re: clamav and snat
Message-ID: <20050219015356.53076ae6@it.buh.tecnik93.com>
In-Reply-To: <12848a3b05021808196fa92aea@mail.gmail.com>
References: <12848a3b05021808196fa92aea@mail.gmail.com>

On Fri, 18 Feb 2005 18:19:39 +0200
vaida bogdan <vaida.bogdan@gmail.com> wrote:

> Hi, I use postfix+mailscanner on my mail server to block a lot of
> virii coming from my internal network. I would like to implement a
> solution to block virii traffic on the internal gateway. The network
> looks like this:
>
> WIN-
> WIN- ----GW1----- -----MAIL SERVER----- -----GW2----
> WIN-
>
> GW1 does snat:
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> SNAT       all  --  intip/24             anywhere            to:extip
>
> One (or more) WIN is infected but I don't know which of the 30
> computers on the network. I receive virused attachments on the MAIL
> SERVER from the GW1's ip. WIN are on the internal network.
>
> An idea would be to extract mail traffic passing through GW1 in mbox
> format and scan it with clamav (but it would still have the snatted
> ext ip). I'm looking for better ideas/implementations. Also, please
> tell me which tool should I use to sniff mail on GW1 or if there is a
> better solution.

I'm not familiar with the snat you're using but couldn't you:
 - redirect GW1_intip:25 to loopback:25 before NATing
 - put a transparent smtp proxy to listen on loopback:25 and relay on
   MAILSERVER
 - tail -f /path/to/proxy_log

smtp proxy could be mail/dspampd or security/clamsmtp

-- 
IOnut
Unregistered ;) FreeBSD "user"

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050219015356.53076ae6>
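
Added example (not part of the original message, and not code from either proxy): once SMTP from the LAN is redirected into a proxy on GW1 before SNAT, the proxy log still shows the internal client addresses, so infected hosts can be tallied from it. The log layout is an assumption modelled on clamsmtpd-style syslog lines; the sample lines, addresses and signature names are constructed.

```python
import re
from collections import Counter

# Constructed sample lines. Assumed layout: a per-connection session id,
# an "accepted connection from: <ip>" line, then one result line per message
# ending in "status=CLEAN" or "status=VIRUS:<name>". Adjust the regexes to
# whatever the proxy on GW1 actually writes.
SAMPLE_LOG = """\
Feb 19 02:10:01 gw1 clamsmtpd: 100001: accepted connection from: 192.168.0.14
Feb 19 02:10:02 gw1 clamsmtpd: 100002: accepted connection from: 192.168.0.27
Feb 19 02:10:03 gw1 clamsmtpd: 100001: from=a@example.org, to=b@example.net, status=VIRUS:Constructed.Sig.A
Feb 19 02:10:04 gw1 clamsmtpd: 100002: from=c@example.org, to=d@example.net, e@example.net, status=CLEAN
Feb 19 02:10:05 gw1 clamsmtpd: 100001: from=a@example.org, to=f@example.net, status=VIRUS:Constructed.Sig.A
Feb 19 02:10:06 gw1 clamsmtpd: 100003: from=g@example.org, to=h@example.net, status=VIRUS:Constructed.Sig.B
"""

CONNECT = re.compile(
    r": (?P<sid>[0-9A-Fa-f]+): accepted connection from: (?P<ip>\S+)")
RESULT = re.compile(
    r": (?P<sid>[0-9A-Fa-f]+): from=[^,]*, to=.*status=(?P<status>\S+)")


def infected_senders(lines):
    """Return {internal_ip: Counter(virus_name -> hits)} from proxy log lines."""
    session_ip = {}   # session id -> pre-SNAT client address
    hits = {}
    for line in lines:
        m = CONNECT.search(line)
        if m:
            session_ip[m["sid"]] = m["ip"]
            continue
        m = RESULT.search(line)
        if not m or not m["status"].startswith("VIRUS:"):
            continue
        # A result whose connect line was rotated away or never seen is
        # still reported, under "unknown", rather than silently dropped.
        ip = session_ip.get(m["sid"], "unknown")
        name = m["status"][len("VIRUS:"):]
        hits.setdefault(ip, Counter())[name] += 1
    return hits


if __name__ == "__main__":
    for ip, names in sorted(infected_senders(SAMPLE_LOG.splitlines()).items()):
        for name, count in names.most_common():
            print(f"{ip}\t{count}\t{name}")
```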