PF and CLamAV "Integration" - how to do it?

Protocol Six Consulting-2
Hi,

I was wondering if anyone here knows how to integrate the PF firewall
with ClamAV.

I am planning on putting into production an OpenBSD firewall and would
like to do virus scanning at the network perimeter.
I am definitely interested in scanning email traffic, but also possibly
Web and IRC (and any other traffic types that makes sense) for a group
of 25 people.

Unfortunately I've not seen any real discussion or howtos for this type
of integration.
I've also looked in the PF FAQ pages and in the archives of Openbsd-misc
or Openbsd-PF.
Finally, the BookOfPF (which I like a lot!!) doesn't seem to touch on
this topic either.

I suspect my mental picture of how PF and ClamAV work together may be
flawed or incomplete.
I guess I'm assuming there is a way to have PF pass information directly
to ClamAV, but perhaps some middle-ware glue is necessary.

Any pointers and/or info would be greatly appreciated by this newbie.

Thanks and best regards,

:-)

Sarah


Re: PF and CLamAV "Integration" - how to do it?

Jesus Sanchez
Protocol Six Consulting wrote:

> Hi,
>
> I was wondering if anyone here knows how to integrate the PF firewall
> with ClamAV.
>
> I am planning on putting into production an OpenBSD firewall and would
> like to do virus scanning at the network perimeter.
> ...
+1
one more interested in this here!


Re: PF and CLamAV "Integration" - how to do it?

Janne Johansson
In reply to this post by Protocol Six Consulting-2
Protocol Six Consulting wrote:
> I was wondering if anyone here knows how to integrate the PF firewall
> with ClamAV.

8<

> Unfortunately I've not seen any real discussion or howtos for this type
> of integration.

For anything other than really small sites, having a program watch each
and every packet that flows by will be very painful.
That's why the mail server gets to check the mails, and other parts check
their own traffic.


Re: PF and CLamAV "Integration" - how to do it?

Morris, Roy
In reply to this post by Protocol Six Consulting-2
My first search came up with an answer:
http://www.wains.be/index.php/2006/12/19/centosrhelfedora-web-proxy-antivirus-clamav/

Re: PF and CLamAV "Integration" - how to do it?

Tim Donahue-4
In reply to this post by Protocol Six Consulting-2
Protocol Six Consulting wrote:

> Hi,
>
> I was wondering if anyone here knows how to integrate the PF firewall
> with ClamAV.
>
> I am planning on putting into production an OpenBSD firewall and would
> like to do virus scanning at the network perimeter.
> I am definitely interested in scanning email traffic, but also possibly
> Web and IRC (and any other traffic types that makes sense) for a group
> of 25 people.

For email, I used to run Postfix on my firewall.  Postfix would scan the
mail using amavisd-new (which scanned the mail with SpamAssassin and
ClamAV) and would pass the clean mail to our internal Exchange server.
Here is a good guide on how to configure this sort of relay.

http://flakshack.com/anti-spam/wiki/index.php

> Unfortunately I've not seen any real discussion or howtos for this type
> of integration.
> I've also looked in the PF FAQ pages and in the archives of Openbsd-misc
> or Openbsd-PF.
> Finally, the BookOfPF (which I like a lot!!) doesn't seem to touch on
> this topic either.
>
> I suspect my mental picture of how PF and ClamAV work together may be
> flawed or incomplete.
> I guess I'm assuming there is a way to have PF pass information directly
> to ClamAV, but perhaps some middle-ware glue is necessary.

You would need some sort of proxy to reassemble the files to scan with
ClamAV.  PF can transparently pass traffic to squid, which I believe can
use ClamAV for scanning.  I found this email on how to configure PF to pass
the traffic to squid.

http://marc.info/?l=squid-users&m=120938897115089&w=2


Tim Donahue


Re: PF and CLamAV "Integration" - how to do it?

Dennis Davis
In reply to this post by Protocol Six Consulting-2
On Thu, 19 Mar 2009, Protocol Six Consulting wrote:

> From: Protocol Six Consulting <[hidden email]>
> To: [hidden email]
> Date: Thu, 19 Mar 2009 10:27:43 -0400
> Subject: PF and CLamAV "Integration" - how to do it?
> Reply-To: [hidden email]
>
> I was wondering if anyone here knows how to integrate the PF
> firewall with ClamAV.
>
> I am planning on putting into production an OpenBSD firewall and
> would like to do virus scanning at the network perimeter.  I am
> definitely interested in scanning email traffic, but also possibly
> Web and IRC (and any other traffic types that makes sense) for a
> group of 25 people.

...

> Any pointers and/or info would be greatly appreciated by this
> newbie.

You might find Wil Knolls's paper mentioned in:

http://undeadly.org/cgi?action=article&sid=20081220195047

useful background reading.
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[hidden email]               Phone: +44 1225 386101


Re: PF and CLamAV "Integration" - how to do it?

uw.o3si.de
In reply to this post by Protocol Six Consulting-2
Hi Sarah,

try to make a search in ports tree for different kind of proxies:

Port:   havp-0.89
Path:   www/havp
Info:   web proxy with antivirus filter
Maint:  Giovanni Bechis <[hidden email]>
Index:  www
L-deps: clamav.>=1::security/clamav
B-deps: :devel/gmake
R-deps:
Archs:  any

For scanning mails there are a lot of tutorials right now...

Regards Uwe



Re: PF and CLamAV "Integration" - how to do it?

Marc Balmer-2
In reply to this post by Protocol Six Consulting-2
On 19.03.2009 at 15:27, Protocol Six Consulting wrote:

> Hi,
>
> I was wondering if anyone here knows how to integrate the PF  
> firewall with ClamAV.

smtp-vilter, which is in ports, does that,

>
> I am planning on putting into production an OpenBSD firewall and  
> would like to do virus scanning at the network perimeter.
> I am definitely interested in scanning email traffic, but also  
> possibly Web and IRC (and any other traffic types that makes sense)  
> for a group of 25 people.
>
> Unfortunately I've not seen any real discussion or howtos for this  
> type of integration.
> I've also looked in the PF FAQ pages and in the archives of Openbsd-
> misc or Openbsd-PF.
> Finally, the BookOfPF (which I like a lot!!) doesn't seem to touch  
> on this topic either.
>
> I suspect my mental picture of how PF and ClamAV work together may  
> be flawed or incomplete.
> I guess I'm assuming there is a way to have PF pass information  
> directly to ClamAV, but perhaps some middle-ware glue is necessary.
>
> Any pointers and/or info would be greatly appreciated by this newbie.

smtp-vilter can add virus senders to a pf table.

>
> Thanks and best regards,
>
> :-)
>
> Sarah


Re: PF and CLamAV "Integration" - how to do it?

Kamil Monticolo-2
In reply to this post by Protocol Six Consulting-2
> Hi,
>
> Any pointers and/or info would be greatly appreciated by this newbie.
>
> Thanks and best regards,
>
> :-)
>
> Sarah
>  

If you want, you may also try http://comixwall.org/ .
It's an OpenBSD-based, IDS-like tool providing complex antivirus,
firewall and security-monitoring capabilities and a quite nice
web-based GUI for local networks.
After some tweaks it works like a charm ;)
--
Kamil Monticolo


Re: PF and CLamAV "Integration" - how to do it?

John Cosimano
In reply to this post by Marc Balmer-2
--- Marc Balmer [Thu, Mar 19, 2009 at 07:36:18PM +0100]: ---
> On 19.03.2009 at 15:27, Protocol Six Consulting wrote:
>
>> Hi,
>>
>> I was wondering if anyone here knows how to integrate the PF firewall
>> with ClamAV.
>
> smtp-vilter, which is in ports, does that,

i started paying attention to this thread because i've been interested
in setting up clamav for some time. i noticed that there's a
clamav-milter(8) that gets installed as part of the clamav package.

is the general consensus of those in the know to use smtp-vilter instead
of clamav-milter for these purposes?


Re: PF and CLamAV "Integration" - how to do it?

Stuart Henderson
On 2009-03-20, jmc <[hidden email]> wrote:

> --- Marc Balmer [Thu, Mar 19, 2009 at 07:36:18PM +0100]: ---
>> On 19.03.2009 at 15:27, Protocol Six Consulting wrote:
>>
>>> Hi,
>>>
>>> I was wondering if anyone here knows how to integrate the PF firewall
>>> with ClamAV.
>>
>> smtp-vilter, which is in ports, does that,
>
> i started paying attention to this thread because i've been interested
> in setting up clamav for some time. i noticed that there's a
> clamav-milter(8) that gets installed as part of the clamav package.
>
> is the general consensus of those in the know to use smtp-vilter instead
> of clamav-milter for these purposes?
>
>

I'd suggest smtp-vilter or MailScanner, both work well for me.


Re: PF and CLamAV "Integration" - how to do it?

pedro la peu-2
In reply to this post by John Cosimano
On Friday 20 March 2009 11:15:05 jmc wrote:
> i started paying attention to this thread because i've been interested
> in setting up clamav for sometime. i noticed that there's a
> clamav-milter(8) that gets installed as part of the clamav package.
>
> is the general consensus of those in the know to use smtp-vilter
> instead of clamav-milter for these purposes?

Yes, because there are no developers recommending clamav-milter.

I'm not sure it matters, you only catch some bank phish, not much
benefit for the effort expended.


Re: PF and CLamAV "Integration" - how to do it?

Rod Whitworth-3
On Sat, 21 Mar 2009 01:35:57 +0000, Pedro la Peu wrote:

>I'm not sure it matters, you only catch some bank phish, not much
>benefit for the effort expended.

Unless you have some tasty poker chips to serve with them ;-)
*** NOTE *** Please DO NOT CC me. I <am> subscribed to the list.
Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you.

Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device


Re: PF and CLamAV "Integration" - how to do it?

John Cosimano
In reply to this post by pedro la peu-2
--- Pedro la Peu [Sat, Mar 21, 2009 at 01:35:57AM +0000]: ---
> On Friday 20 March 2009 11:15:05 jmc wrote:
> > i started paying attention to this thread because i've been interested
> > in setting up clamav for some time. i noticed that there's a
> > clamav-milter(8) that gets installed as part of the clamav package.
> >
> > is the general consensus of those in the know to use smtp-vilter
> > instead of clamav-milter for these purposes?
>
> Yes, because there are no developers recommending clamav-milter.

yep, that's good enough for me. i only paused to ask because i had not
yet dealt with the milter end of my anti-virus subsystem. after
installing smtp-vilter and reading the dox, it became clear it's the
package i need to be using... i now have it up and running with the
clamav backend only. still reading up on the rest of the possibilities.


Re: PF and CLamAV "Integration" - how to do it?

Marc Balmer-2
In reply to this post by John Cosimano
On 20.03.2009 at 12:15, jmc wrote:

> --- Marc Balmer [Thu, Mar 19, 2009 at 07:36:18PM +0100]: ---
>> On 19.03.2009 at 15:27, Protocol Six Consulting wrote:
>>
>>> Hi,
>>>
>>> I was wondering if anyone here knows how to integrate the PF  
>>> firewall
>>> with ClamAV.
>>
>> smtp-vilter, which is in ports, does that,
>
> i started paying attention to this thread because i've been interested
> in setting up clamav for some time. i noticed that there's a
> clamav-milter(8) that gets installed as part of the clamav package.
>
> is the general consensus of those in the know to use smtp-vilter  
> instead
> of clamav-milter for these purposes?
>

Well, I am biased (I wrote smtp-vilter).  I wrote it quite some time ago
because clamav-milter's quality was really bad.  And I needed
LDAP and PF integration.  smtp-vilter was written with OpenBSD in
mind.


Re: PF and CLamAV "Integration" - how to do it?

Protocol Six Consulting-2
Hi.

Thanks by the way for all this great feedback about ClamAV and PF
integration. Am learning a lot here. :-)

Just curious though about typical use-cases for smtp-vilter....

I can see the PF integration being a great way to isolate virus-infected
hosts on a LAN by putting their IP addresses into a quarantine table on
the border firewall. Once the virus has been cleaned the host is removed
from the table (by the administrator) so that it can access the Internet
again.

Just curious, what response-policies do folks use (with smtp-vilter)
when hosts on the Internet send infected emails?
Do you block those hosts outright?
Or do you remove any attachments/pictures first and then forward just
the message body to the intended recipient?

I think smtp-vilter has just the right feature set.

:-)

Sarah

Marc Balmer wrote:

> Well, I am biased (I wrote smtp-vilter).  I wrote it quite some time ago
> because clamav-milter's quality was really bad.  And I needed
> LDAP and PF integration.  smtp-vilter was written with OpenBSD in
> mind.
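
Editor's added example (not code from this thread, from ClamAV or from
smtp-vilter). Tim Donahue's reply makes the key point: PF sees packets,
ClamAV needs whole files, so something in between (a web proxy such as
squid/havp, or an SMTP milter such as smtp-vilter) has to reassemble the
message and hand it to clamd. Marc Balmer's reply and Sarah's last post
describe the second half: on a FOUND verdict the offending address goes
into a PF table that a block rule references. The script below shows both
halves end to end. The INSTREAM exchange is clamd's own wire protocol;
the fake clamd it talks to, the marker string that fake matches, the table
name "quarantine" and the address 192.0.2.10 are constructed for the demo,
and the pfctl commands are returned as argv lists rather than executed.

```python
r"""Added example: proxy/milter -> clamd INSTREAM -> PF quarantine table.
clamd protocol used here (real):  client sends "zINSTREAM\0", then chunks
as <4-byte big-endian length><bytes>, ended by a zero length; clamd replies
"stream: OK\0" or "stream: <Name> FOUND\0".  A fake clamd (constructed for
the demo, speaks only zINSTREAM) listens on localhost so this runs offline.
"""
import socket
import struct
import threading

# Constructed marker string; against a real clamd you would use the EICAR
# test file instead.  The fake clamd below flags any stream containing it.
FAKE_SIGNATURE = b"CONSTRUCTED-TEST-MARKER-NOT-A-REAL-VIRUS"
FAKE_SIGNATURE_NAME = "Demo.Constructed.Marker"


def clamd_instream(sock, data, chunk_size=8192):
    """Send data to clamd with INSTREAM; return the reply without its NUL."""
    sock.sendall(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        sock.sendall(struct.pack("!I", len(chunk)) + chunk)
    sock.sendall(struct.pack("!I", 0))      # zero-length chunk ends the stream
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        reply += part
    return reply.rstrip(b"\0").decode("ascii", "replace")


def parse_verdict(line):
    """'stream: OK' -> (False, None); 'stream: Name FOUND' -> (True, 'Name')."""
    _, _, status = line.partition(": ")
    if status.endswith(" FOUND"):
        return True, status[:-len(" FOUND")]
    if status == "OK":
        return False, None
    raise RuntimeError("unexpected clamd reply: %r" % line)


def quarantine_commands(src_ip, table="quarantine", expire_seconds=86400):
    """pfctl argv lists for the PF step: add the sender to a table that a
    'block in quick from <table>' rule references; '-T expire' then drops
    entries older than expire_seconds so a forgotten host is not blocked
    forever.  Returned, not run, so the example works off the firewall."""
    return [
        ["pfctl", "-t", table, "-T", "add", src_ip],
        ["pfctl", "-t", table, "-T", "expire", str(expire_seconds)],
    ]


def scan_and_decide(host, port, payload, src_ip):
    """Scan one reassembled message; return (infected, name, pfctl argvs)."""
    with socket.create_connection((host, port)) as s:
        infected, name = parse_verdict(clamd_instream(s, payload))
    return infected, name, (quarantine_commands(src_ip) if infected else [])


# ---- fake clamd, constructed for the demo ---------------------------------
def _recv_exact(conn, n):
    out = b""
    while len(out) < n:
        part = conn.recv(n - len(out))
        if not part:
            raise ConnectionError("peer closed mid-stream")
        out += part
    return out


def _serve_one(conn):
    with conn:
        if _recv_exact(conn, len(b"zINSTREAM\0")) != b"zINSTREAM\0":
            conn.sendall(b"UNKNOWN COMMAND\0")
            return
        data = b""
        while True:
            n = struct.unpack("!I", _recv_exact(conn, 4))[0]
            if n == 0:
                break
            data += _recv_exact(conn, n)
        if FAKE_SIGNATURE in data:
            conn.sendall(b"stream: " + FAKE_SIGNATURE_NAME.encode() + b" FOUND\0")
        else:
            conn.sendall(b"stream: OK\0")


def start_fake_clamd():
    """Listen on an ephemeral localhost port; return that port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_clamd()
    clean = b"Subject: agenda\r\n\r\nMinutes from Monday attached.\r\n"
    bad = b"Subject: invoice\r\n\r\n" + FAKE_SIGNATURE + b"\r\n"
    print(scan_and_decide("127.0.0.1", port, clean, "192.0.2.10"))
    print(scan_and_decide("127.0.0.1", port, bad, "192.0.2.10"))
```

On the firewall itself the table only does something once pf.conf declares
it and a rule uses it, i.e. a "table <quarantine> persist" line and a
"block in quick from <quarantine>" rule (names assumed to match the script);
the milter then runs the returned pfctl lists with subprocess.run(). Note
what the example does not do: it never hands PF the packets, which is the
mental model Sarah started with and which, as Janne Johansson says, does
not scale anyway. The proxy or milter reassembles, clamd scans, and PF only
ever sees the resulting address list.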