antivirus gateway

#1
12th September 2008
milo974

Hello, at work we have OpenBSD 4.3 with pf and 2 network cards. The OpenBSD machine is configured as a gateway for our network (it provides internet to us).
I wish to add an antivirus (like ClamAV or others) on the OpenBSD machine and so have an antivirus gateway. How can I do that? Do I need to modify my pf.conf?

#2
12th September 2008
RudiK

Are you running email and a proxy (squid) on the gateway?

#3
12th September 2008
jggimi

Typically, Milo, virus scanning over-the-network is accomplished two ways:
  1. During transmission of incoming and outgoing e-mail. The test is performed at the Mail User Agent -- MUA -- (e-mail client), and/or by a Mail Transfer Agent -- MTA -- (e-mail server) en route. ClamAV in particular is designed to interface with MTAs for this purpose.
  2. Remote filesystem scanning. NFS and/or SMB mounts are used, as needed. An example of using ClamAV with SMB mounts can be found in Dru Lavigne's BSD Hacks, O'Reilly Media ISBN 0-596-00679-9. If I recall -- I don't have the book in front of me -- sharity-light was the port/package used in the example.

Last edited by jggimi; 12th September 2008 at 11:47 AM.

#4
12th September 2008
DutchDaemon

For HTTP/FTP traffic, you can use Squid with HAVP/ClamAV on the gateway.

#5
12th September 2008
DutchDaemon

(in other words, there is no "let pf redirect all traffic through a virus scanner" type of solution)

#6
13th September 2008
hydra

For HTTP/FTP traffic we use Dansguardian-Havp-Squid, works pretty well.

#7
13th September 2008
roundkat

Quote:
Originally Posted by milo974
Hello, at work we have OpenBSD 4.3 with pf and 2 network cards. The OpenBSD machine is configured as a gateway for our network (it provides internet to us).
I wish to add an antivirus (like ClamAV or others) on the OpenBSD machine and so have an antivirus gateway. How can I do that? Do I need to modify my pf.conf?

I have 3 SMTP gateways that serve 2 Linux email servers.
I use OpenBSD's spamd, Amavisd-New, SpamAssassin, ClamAV, DCC and Razor..


You will need to modify your pf.conf for spamd, but if you look in the default (installed)
pf.conf, the settings are there..
- There are a few more steps / tweaks, but they are not difficult..

Spamd is well documented but if you want I can post my setup..

For the others, this is what I followed/used.. it is a bit older and you need to make
a few minor changes..
http://www.kernel-panic.it/openbsd/mail/mail6.html

Note:
I used the package system for this and found there are 3 items not
included in the package system
- freeze
- unarj
- unrar
These will need to be installed from ports...

Note2:
This also uses Postfix as the MTA - not Sendmail...

DCC and Razor
I also added DCC and Razor using this:
DCC Link
http://flakshack.com/anti-spam/wiki/...Installing+DCC
Razor Link
http://flakshack.com/anti-spam/wiki/...stalling+Razor

These links are also older but the instructions still apply..

I did this on a test box first because getting amavisd-new configured took a bit of time..

My Steps
- Installed freeze, unarj and unrar through ports
- Installed amavisd-new through packages (this pulls in SpamAssassin and ClamAV, IIRC).
- Once I was receiving email and sending email without issue
(check your maillogs for errors... big help as to what is going on..)

- After I was happy with system - I then added DCC and Razor

Note:
DCC and Razor are "activated" through SpamAssassin..
I had some trouble figuring where to enable them..
It is
/etc/mail/spamassassin/v310.pre

hth
rk

Final Note:
After all this discussion with me and myself I will probably write a Guide on this as to not have
to remember all the steps...

Give this a shot first.. if you are comfortable on the command line and do... take some time reading
before the "cut and paste" it sure does help..

- I can't stress this enough... your maillog will really help you debug any problems you have..
__________________
All posts sent on ReCycled Electrons...

Last edited by roundkat; 13th September 2008 at 11:54 AM.
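
Added example (not part of roundkat's post): a small check for the step described above, where DCC and Razor are activated in /etc/mail/spamassassin/v310.pre. It assumes activation means an uncommented `loadplugin` line for each plugin; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Report whether a SpamAssassin .pre file activates the DCC and Razor2
# plugins. Only uncommented "loadplugin" lines count as enabled.

# Print the plugin names enabled in the .pre file given as $1, one per line.
enabled_plugins() {
    awk '
        { sub(/#.*/, "") }    # drop whole-line and trailing comments
        $1 == "loadplugin" && NF >= 2 { print $2 }
    ' "$1"
}

# Succeed only if plugin $2 (short name, e.g. DCC) is enabled in file $1.
plugin_enabled() {
    enabled_plugins "$1" | grep -qxF "Mail::SpamAssassin::Plugin::$2"
}

# Check both plugins; print one line each, return non-zero if either is off.
check_dcc_razor() {
    rc=0
    for p in DCC Razor2; do
        if plugin_enabled "$1" "$p"; then
            echo "$p: enabled"
        else
            echo "$p: NOT enabled (add or uncomment its loadplugin line)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample for trying the check; not a copy of a shipped v310.pre.
make_sample() {
    cat > "$1" <<'EOF'
# DCC is commented out here, so it is not loaded
#loadplugin Mail::SpamAssassin::Plugin::DCC
  loadplugin Mail::SpamAssassin::Plugin::Razor2   # enabled
EOF
}

# Usage: sh check_pre.sh /etc/mail/spamassassin/v310.pre
if [ -n "${1:-}" ]; then check_dcc_razor "$1"; fi
```

A non-zero exit status means at least one of the two plugins is still commented out or missing from the file.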

#8
13th September 2008
milo974

Thanks for your answers!! Very good!! I will test the squid config with clamav...

#9
13th September 2008
roundkat

Quote:
Originally Posted by milo974
Thanks for your answers!! Very good!! I will test the squid config with clamav...

No worries..

Let us know how you make out..

rk

14th September 2008
Sunnz

Quote:
Originally Posted by hydra
For HTTP/FTP traffic we use Dansguardian-Havp-Squid, works pretty well.

Hey, may I ask how this would work?

I already have Squid running here... so is that a plug-in to install??
__________________
She sells C shells by the seashore.