This will probably be kind of wordy, but I could use some advice on
how to track it.
I have a freebsd system acting as a gateway (it's using IP
forwarding) so it can act as a web proxy server and filter for the
users. It is also filtering incoming email to act as a mail filter
between the Internet and our internal Exchange server.
The firewall rules used for forwarding information to Squid are
rather simple. Ipfw -list gives:
*******
00049 allow tcp from 10.46.255.253 to any
00050 fwd 10.46.255.253,3128 tcp from any to any 80
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any
********
The DHCP server then hands out the IP of the FreeBSD server as the
gateway address.
Something inside our network is infected with a spam-mailing trojan.
We now have our PIX firewall set to block all outgoing traffic to
port 25 unless it is from our mail server. After setting up a syslog
monitor and checking the logs to see if the culprit would appear,
what should appear but...the FreeBSD server.
Then I smack my forehead; of course it would show up. It's supposed
to be the gateway. The trojan computer hits the BSD system and from
there hits the PIX...the PIX will be useless to find the culprit.
Is there some way to get the FreeBSD system to log machines using
port 25 without interfering with the FreeBSD machine's filtering of
email function? Or at least make the traffic visible to sniffing
with tcpdump or wireshark or ethereal?
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
