On Sun, 19 May 2002, Shawn wrote:

> If any of these questions would be more appropriate on the Shorewall mailing
> list, please let me know...
> 
> I have a small client (about 25 users) currently running SyGate. I will be
> replacing it with Bering in the next week or so and have a couple questions:
> 
> 1) The client currently uses their ISP for email services and all of their
> users POP their mail. Is there any way to do virus scanning on the incoming
> email using Bering? I have email attachment scanning on the desktops but it
> would be nice to stop this stuff at the firewall.
>

That would require some sort of pop3 proxy with virus scanning (I don't
know of such a thing but there may be one).
 
> 2) With SyGate's logs, it will show you the web sites visited by FQDN. Is
> there any way to get the Bering/Shorewall logs to display by FQDN rather than
> IP address? Manually resolving the IP addresses to FQDNs in order to see
> what web sites have been visited is a tedious process. It would be nice to
> look in the logs and be able to see that, for example, the user with IP
> address 192.168.0.20 has accessed www.playboy.com rather than
> 209.247.228.201.

Run Squid on your firewall and configure it as a transparent proxy --
you'll have very detailed logs (but you will need a hard drive on your
Bering box).

> 
> 3) On a related note to #2 above: Is there any way to blacklist/whitelist
> based on FQDN rather than IP address? My client only allows Internet access
> to a few approved sites, i.e., all sites are blacklisted unless explicitly
> allowed in the whitelist. SyGate does not allow whitelisting based on FQDN
> either, but it seems strange to me that if you want to blacklist/whitelist a
> site (e.g., www.siemens.com) you have to ping it for its IP address and
> enter that in the blacklist/whitelist.

You had better take another look at what Shorewall whitelisting and
blacklisting does -- you do NOT want to whitelist external IP addresses
because the whitelist is based on SOURCE ADDRESS as is the blacklist.

The Shorewall blacklist is used to deny a list of hosts/networks access to
YOUR network and the whitelist is used to give special privilege to your
network administration workstations without having to create special
rules.

So if you want to police which web sites people can visit, you don't want 
to use these Shorewall lists. Again, Squid is a much better tool for 
enforcing web access policy.

> 
> I have read the Shorewall explanation of only accepting IPs
> rather than FQDN, but I'm a little confused. Here's the explanation:
> 
> "9. Why does Shorewall only accept IP addresses as opposed to FQDNs?
> FQDNs in iptables rules aren't nearly as useful as they first appear. When a
> DNS name appears in a rule, the iptables utility resolves the name to one or
> more IP addresses and inserts those addresses into the rule. So changes in
> the DNS->IP address relationship that occur after the firewall has started
> have absolutely no effect on the firewall's ruleset."
> 
> How is manually entering an IP address into a ruleset any more effective
> than entering a FQDN and hoping the DNS->IP relationship doesn't go stale?
> In either case, if the IP address is no longer valid, then the rule won't
> work.

Most people who complain about Shorewall not accepting FQDNs want the 
firewall to automatically adapt to their friends' dyndns.org FQDN for 
tunnels, games, etc. The FAQ is simply pointing out that FQDNs in iptables 
rules don't make this process automatic -- you still have to restart 
YOUR firewall every time HIS/HER IP address changes.

And be sure to read the rest of the FAQ that you are quoting -- making the
ability to start your firewall dependent on factors over which you have no
control (i.e., the ability to resolve arbitrary DNS names) is IMHO just
plain foolish.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]
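As an added illustration of the Squid suggestion above (this is not code from the thread or from the Shorewall project): a small Python script that summarises a Squid access.log by client IP and the FQDN of each site visited, and checks each site against a hypothetical allowed-domain list of the kind a Squid dstdomain ACL would enforce. The log lines and the allowed list are constructed for the example.

```python
"""Summarise which web sites each LAN client visited, from Squid's native access.log."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1021900000.123    312 192.168.0.20 TCP_MISS/200 5123 GET http://www.siemens.com/index.html - DIRECT/194.138.39.56 text/html
1021900001.456     87 192.168.0.20 TCP_MISS/200 2048 GET http://www.playboy.com/ - DIRECT/209.247.228.201 text/html
1021900002.789     45 192.168.0.21 TCP_HIT/200 1500 GET http://www.siemens.com/logo.gif - NONE/- image/gif
1021900003.012     60 192.168.0.21 TCP_MISS/200 900 CONNECT www.example.com:443 - DIRECT/93.184.216.34 -
"""

# Hypothetical allowed-site list, the equivalent of a Squid "dstdomain" ACL
# (a leading dot matches the domain itself and all of its subdomains).
ALLOWED_DOMAINS = (".siemens.com",)

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)")

def host_of(url):
    """Return the FQDN of a request URL; CONNECT requests carry host:port only."""
    if "://" not in url:
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def allowed(host, domains=ALLOWED_DOMAINS):
    """True if host matches one of the allowed domain patterns."""
    for d in domains:
        if d.startswith("."):
            if host == d[1:] or host.endswith(d):
                return True
        elif host == d:
            return True
    return False

def summarise(log_text):
    """Map client IP -> sorted list of (fqdn, allowed?) pairs seen in the log."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the native log format
        client, url = m.group(3), m.group(7)
        host = host_of(url)
        seen[client].add((host, allowed(host)))
    return {c: sorted(v) for c, v in seen.items()}

if __name__ == "__main__":
    for client, sites in summarise(SAMPLE_LOG).items():
        for host, ok in sites:
            print(f"{client} -> {host} ({'allowed' if ok else 'NOT allowed'})")
```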

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html