Hi all,
I am planning a firewall for an ISP setup, where I can filter the well-known viruses and protect my N/W from intrusion, and which can be easily monitored and edited. I am planning for iptables as it is much more versatile. Can you suggest to me how to go about it with iptables, as I'll have to open almost all the ports and block the ones which are prone to viruses? Secondly, how do I block the common viruses, and is it possible to block spam and mail-related viruses through iptables (I already got scanners installed on the mail servers)? Or suggest to me some better alternative or a package for this kind of setup...
Thanks in advance,
Regards,
Sel (The future is Open,the future is bright)
On Wed, 2005-01-19 at 09:18, sel wrote:
me to how to go 'bout with the iptables as I'll have to open almost all the ports and block the ones which are prone to
I think you might be better off blocking all ports and opening only the required ones. But that also brings into question the rights of your users to use ports which you might have blocked (you mentioned ISP?).
secondly how do I block the common viruses and is it possible to block spam and mail related viruses through iptables(I already got scanners installed on the mail servers)
IMHO no. Iptables should be used for blocking and restricting IPs, hosts, servers etc. If you already have scanners, you should be fine (as can be).
regards Erle
sel selmails@yahoo.com writes:
is much more versatile,can u suggest me to how to go 'bout with the iptables as I'll have to open almost all the ports and block the ones which are prone to viruses and secondly how do I block
Sometimes there might be legal programs which use these ports. I'm not sure whether it is the job of the ISP to filter out virus packets. I think it should be the botheration of the client network. However, it is purely my humble opinion.
Hi Sel,
On Wed, 2005-01-19 at 09:18, sel wrote:
Hi all,
all the ports and block the ones which are prone to viruses and secondly how do I block the common viruses and is it possible to block spam and mail related viruses through iptables(I already got scanners installed on the mail servers)
I would suggest trying these two products for your Mail and HTTP/FTP filtering needs. You can make them as transparent as you wish.
WebScan for Linux http://www.mwti.net/antivirus/for_proxies/webscan_linux.asp
MailScan for Linux http://www.mwti.net/antivirus/mailscan/mailscan_for_linux.asp
If you have further queries, please feel free to ask.
Sel (The future is Open,the future is bright)
HTH With regards,
On 18/01/05 19:48 -0800, sel wrote:
Hi all,
I am planning a firewall for an ISP setup,where I can filter the well known viruses and protect my N/W from intrusion and can be easily monitored and edited.
Network diagram? Policy? Are you trying to protect your users? Are you trying to prevent outbound viruses? Are you trying to prevent your users from spamming the Internet? Is this a NATing gateway, or do your users have public IP addresses? Are you trying to protect your corporate network? If this is an ethernet network, do you have VLANs in place?
These questions should help you start off correctly.
Devdas Bhagat
On Tue, Jan 18, 2005 at 07:48:44PM -0800, sel wrote:
I am planning a firewall for an ISP setup,where I can filter the well known viruses and protect my N/W from intrusion and can be easily monitored and edited. I am planning for iptables as it is much more
Shouldn't block inbound anything. Let your users block.
Then again, there are some common-sense can't-happen rules that depend on your network setup. For example, private IPs can't be in-bound from the outside, right? So you can drop those packets. You might drop NetBIOS packets.
You can also rate-limit outgoing SMTP, though I'm not sure how. This would be a good idea. Limit it to 1 SMTP connection per 2 seconds or so.
Graylist your inbound SMTP connections.
You *are* running a smarthost for your users, right?
viruses and secondly how do I block the common viruses and is it possible to block spam and mail related viruses through iptables(I already got scanners installed on the mail servers) or suggest me with some better alternative or a package for this kind of setup...
I'd really dislike my ISP doing that. IMO that's the user's look-out.
On 19/01/05 07:31 -0500, Satya wrote:
On Tue, Jan 18, 2005 at 07:48:44PM -0800, sel wrote:
I am planning a firewall for an ISP setup,where I can filter the well known viruses and protect my N/W from intrusion and can be easily monitored and edited. I am planning for iptables as it is much more
Shouldn't block inbound anything. Let your users block.
Seriously, about the only things justifiably blockable by an ISP today are:
NetBIOS (135-139 UDP/TCP)
CIFS (445/TCP)
Outbound port 25
Inbound port 25 for dynamic IP addresses.
Note that port 25 blocking MUST be accompanied by providing a smarthost for users, which does not enforce domain name restrictions (which, IMNSHO are stupid). SMTP AUTH and ratelimiting are useful things to do on the outbound server. This MUST not be the same as the inbound server.
People who want to use other SMTP servers should be using 587/TCP.
Then again, there are some common-sense can't-happen rules that depend on your network setup. For example, private IPs can't be in-bound from the outside, right? So you can drop those packets. You might drop NetBIOS packets.
You can also rate-limit outgoing SMTP, though I'm not sure how. This would be a good idea. Limit it to 1 SMTP connection per 2 seconds or so.
Graylist your inbound SMTP connections.
Ewwwwwwwwwwwww. Does not really scale for higher volumes of mail, but is reasonably useful on a low volume server.
You *are* running a smarthost for your users, right?
viruses and secondly how do I block the common viruses and is it possible to block spam and mail related viruses through iptables(I already got scanners installed on the mail servers) or suggest me with some better alternative or a package for this kind of setup...
I'd really dislike my ISP doing that. IMO that's the user's look-out.
Agreed
Devdas Bhagat
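The rules Satya and Devdas describe above (dropping private source addresses arriving from upstream, dropping NetBIOS/CIFS, forcing customers' port 25 traffic through a smarthost while leaving 587 open, refusing inbound port 25 and port-25 replies to the dynamic pool, and rate-limiting outbound SMTP to about one new connection per two seconds) written out as iptables commands. This is an added example, not code from the thread or from any of its participants. The interface name, the dynamic customer pool and the smarthost address are assumptions, chosen from documentation ranges; the script only prints the rules unless IPT is set to the real iptables binary, so it can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example: ISP edge rules from the thread, expressed as iptables commands.
# By default IPT is "echo iptables" so the rules are printed, not applied.
IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"                   # assumed upstream-facing interface
DYN_POOL="${DYN_POOL:-198.51.100.0/24}"    # assumed dynamic customer pool (constructed)
SMARTHOST="${SMARTHOST:-203.0.113.25}"     # assumed ISP outbound smarthost (constructed)

isp_edge_rules() {
    # Private source addresses cannot legitimately arrive from upstream: drop them.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A FORWARD -i "$EXT_IF" -s "$net" -j DROP
    done

    # NetBIOS (135-139 TCP/UDP) and CIFS (445/TCP) are never wanted across the edge.
    for proto in tcp udp; do
        $IPT -A FORWARD -p "$proto" --dport 135:139 -j DROP
    done
    $IPT -A FORWARD -p tcp --dport 445 -j DROP

    # Customers may reach port 25 only on the smarthost; 587 (submission) is left open.
    $IPT -A FORWARD -s "$DYN_POOL" -p tcp --dport 25 ! -d "$SMARTHOST" -j REJECT

    # No inbound SMTP to the dynamic pool, and no replies from port 25 into it either.
    $IPT -A FORWARD -i "$EXT_IF" -d "$DYN_POOL" -p tcp --dport 25 -j DROP
    $IPT -A FORWARD -i "$EXT_IF" -d "$DYN_POOL" -p tcp --sport 25 -j DROP

    # Rate-limit new SMTP connections to the smarthost: 30/minute is one per 2 seconds.
    # This is an aggregate cap for the whole pool; per-customer limiting would use
    # the hashlimit match instead. Packets of established sessions are assumed to be
    # accepted by a separate ESTABLISHED rule elsewhere in the chain.
    $IPT -A FORWARD -s "$DYN_POOL" -d "$SMARTHOST" -p tcp --dport 25 \
        -m conntrack --ctstate NEW -m limit --limit 30/minute --limit-burst 5 -j ACCEPT
    $IPT -A FORWARD -s "$DYN_POOL" -d "$SMARTHOST" -p tcp --dport 25 \
        -m conntrack --ctstate NEW -j DROP
}

# Stand-alone run: print the rule set for review.
isp_edge_rules
```

Order matters: the REJECT for non-smarthost port 25 must sit before the rate-limit pair, and the ESTABLISHED accept that the comment assumes must come before the final DROP, or retransmitted packets of already-accepted sessions would be counted against the limit.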
On Wed, Jan 19, 2005 at 08:44:45PM +0530, Devdas Bhagat wrote: [block]
Inbound port 25 for dynamic IP addresses.
Why?
[I wrote]
Graylist your inbound SMTP connections.
Ewwwwwwwwwwwww. Does not really scale for higher volumes of mail, but is reasonably useful on a low volume server.
Why? I'd think once you got legit mail from a domain you'd whitelist it. And you'd start by whitelisting known legit domains, if you have a list of known legit domains.
On 19/01/05 14:58 -0500, Satya wrote:
On Wed, Jan 19, 2005 at 08:44:45PM +0530, Devdas Bhagat wrote: [block]
Inbound port 25 for dynamic IP addresses.
Why?
Source-routed SMTP connections. Blocking responses from port 25 to dynamic IPs is also recommended to stop this. Plus, running an SMTP server on a dynamic IP is just not reliable enough.
[I wrote]
Graylist your inbound SMTP connections.
Ewwwwwwwwwwwww. Does not really scale for higher volumes of mail, but is reasonably useful on a low volume server.
Why? I'd think once you got legit mail from a domain you'd whitelist it. And you'd start by whitelisting known legit domains, if you have a list of known legit domains.
Greylisting stores a sender/recipient/sending host triplet. On large volumes of mail, that store gets a bit larger than the memory available :).
Plus, there are a lot of implementations where mail will fall back to a different host if the first attempt fails (particularly the high volume senders).
Devdas Bhagat
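A small simulator of the greylisting behaviour Devdas describes above: the server stores one sender/recipient/sending-host triplet per first attempt, defers until a retry arrives after the delay, and accepts from then on. It is an added example, not code from the thread or from any real greylisting implementation. The store is a constructed tab-separated file and the delay is an assumption. Running it shows both points made in the message: the store grows by one entry for every distinct triplet, and a sender that retries from a different host (a fallback MX or a second outbound server) presents a new triplet and is deferred again.

```shell
#!/bin/sh
# Added example: file-backed greylisting triplet store (constructed, not a real MTA's code).
GREYLIST_DB="${GREYLIST_DB:-$(mktemp)}"   # one line per triplet: key<TAB>first_seen
GREYLIST_DELAY="${GREYLIST_DELAY:-300}"   # assumed: seconds a new triplet must wait

# greylist_check SENDER RECIPIENT HOST NOW  -> prints "defer" or "accept"
# NOW is a unix timestamp passed in so the behaviour is reproducible offline.
greylist_check() {
    key="$1|$2|$3"
    now="$4"
    first=$(awk -F'\t' -v k="$key" '$1 == k { print $2; exit }' "$GREYLIST_DB")
    if [ -z "$first" ]; then
        # Unknown triplet: record it and ask the sender to retry later.
        printf '%s\t%s\n' "$key" "$now" >> "$GREYLIST_DB"
        echo defer
    elif [ $((now - first)) -ge "$GREYLIST_DELAY" ]; then
        echo accept
    else
        echo defer
    fi
}

# greylist_size -> number of triplets currently held (this is what grows with volume)
greylist_size() {
    wc -l < "$GREYLIST_DB" | tr -d ' '
}

# Stand-alone demo with constructed addresses from documentation ranges.
echo "first attempt:              $(greylist_check a@example.com b@example.net 192.0.2.10 1000)"
echo "retry too early (+100s):    $(greylist_check a@example.com b@example.net 192.0.2.10 1100)"
echo "retry after delay (+400s):  $(greylist_check a@example.com b@example.net 192.0.2.10 1400)"
echo "retry from fallback host:   $(greylist_check a@example.com b@example.net 192.0.2.11 1400)"
echo "triplets stored:            $(greylist_size)"
```

Real implementations whitelist known-good hosts and expire old triplets to keep the store bounded, which is exactly the maintenance cost the message is pointing at on a high-volume server.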