Re: forwarding as a gateway, logging certain traffic

2006-09-13 Thread Norberto Meijome
On Tue, 12 Sep 2006 15:51:08 -0400 Bart Silverstrim [EMAIL PROTECTED] wrote: Something inside our network is infected with a spam-mailing trojan. We now have our PIX firewall set to block all outgoing traffic to port 25 unless it is from our mail server. you should also accept only

forwarding as a gateway, logging certain traffic

2006-09-12 Thread Bart Silverstrim
This will probably be kind of wordy, but I could use some advice on how to track it. I have a freebsd system acting as a gateway (it's using IP forwarding) so it can act as a web proxy server and filter for the users. It is also filtering incoming email to act as a mail filter between

Re: forwarding as a gateway, logging certain traffic

2006-09-12 Thread Bill Moran
In response to Bart Silverstrim [EMAIL PROTECTED]: This will probably be kind of wordy, but I could use some advice on how to track it. I have a freebsd system acting as a gateway (it's using IP forwarding) so it can act as a web proxy server and filter for the users. It is also

Re: forwarding as a gateway, logging certain traffic

2006-09-12 Thread Chuck Swiger
On Sep 12, 2006, at 1:08 PM, Bill Moran wrote: Is there some way to get the FreeBSD system to log machines using port 25 without interfering with the FreeBSD machine's filtering of email function? Or at least make the traffic visible to sniffing with tcpdump or wireshark or ethereal? Off the

Re: forwarding as a gateway, logging certain traffic

2006-09-12 Thread Bill Moran
In response to Chuck Swiger [EMAIL PROTECTED]: On Sep 12, 2006, at 1:08 PM, Bill Moran wrote: Is there some way to get the FreeBSD system to log machines using port 25 without interfering with the FreeBSD machine's filtering of email function? Or at least make the traffic visible to

Re: forwarding as a gateway, logging certain traffic

2006-09-12 Thread Bart Silverstrim
On Sep 12, 2006, at 4:28 PM, Chuck Swiger wrote: On Sep 12, 2006, at 1:08 PM, Bill Moran wrote: Is there some way to get the FreeBSD system to log machines using port 25 without interfering with the FreeBSD machine's filtering of email function? Or at least make the traffic visible to

Re: forwarding as a gateway, logging certain traffic

2006-09-12 Thread Chuck Swiger
On Sep 12, 2006, at 1:37 PM, Bart Silverstrim wrote: Better to use something like: ipfw add 1 log tcp from any to me 25 setup If Bart would like to use tcpdump for the same purpose, consider running something like: tcpdump -nt 'port 25 and (tcp[tcpflags] & tcp-syn != 0)'

Re: forwarding as a gateway, logging certain traffic

2006-09-12 Thread Bart Silverstrim
On Sep 12, 2006, at 4:45 PM, Chuck Swiger wrote: On Sep 12, 2006, at 1:37 PM, Bart Silverstrim wrote: Better to use something like: ipfw add 1 log tcp from any to me 25 setup If Bart would like to use tcpdump for the same purpose, consider running something like: tcpdump

RE: forwarding as a gateway, logging certain traffic

2006-09-12 Thread Steve Bertrand
There's a kernel option you need to enable for IPFW to do logging. If you're kldload'ing the ipfw module, it probably wasn't compiled with IPFW_LOGGING or whatever the exact name is. I had set the verbosity (I think that was the parameter) from googling around earlier, but that