Firewall Wizards mailing list archives
Re: RE: IDS
From: Chuck Swiger <chuck () codefab com>
Date: Tue, 24 Jan 2006 08:22:52 -0500
Ben Nagy wrote:
[ ... ]
>> [Paul] If you mean "unexpected internal host" then again, I'll say that there's likely been a larger policy or implementation failure. It doesn't take on-the-wire sniffing to see something new trying to relay through the relayhost on my network.
>
> What's your preferred method for noticing this stuff? (I'm certainly not being sarcastic here) If an internal host is trying to reach port 25 on an external host (or even a non-mailserver on the inside) then how do you suggest that should be detected? The firewall deny logs will catch the outbound traffic, but now we're talking log analysis tools or SIM products to pull the data. What about the internal traffic from trusted host -> trusted host?
If you're not running a firewall that doesn't let you decide which rules should generate logging, then yes, you're going to need to do more work to analyze those logs.
However, some time ago, before viruses came with their own SMTP engines, an IPFW ruleset like this worked pretty well:
    # permit SMTP exchange between pi and pong
    add pass tcp from PI HIPORTS to PONG 25 setup
    add pass tcp from PONG 25 to PI HIPORTS established
    add pass tcp from PONG HIPORTS to PI 25 setup
    add pass tcp from PI 25 to PONG HIPORTS established
    # track SMTP from inside to outside and block SMTP from outside
    add pass log logamount 20 tcp from INET HIPORTS to any 25 setup
    add pass tcp from INET HIPORTS to any 25 established
    add unreach filter-prohib log tcp from any to INET 25

[ Where PI and PONG are macros which expand to the IP addresses of my external MX relay and the internal reader box, HIPORTS means 1024-65535, and INET refers to the internal network. ]
-- 
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
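The "pass log" rule above only produces syslog lines; the detection Ben asked about still has to read them. The following is an added example, not part of Chuck's post: it parses ipfw log lines of the form the logged rules emit and flags any internal host other than the MX relay that opened an outbound TCP/25 connection. The log lines, the 192.168.1.0/24 expansion of INET and the 192.168.1.10 value of PI are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample ipfw syslog lines (not from the original post).
# Lines from rule 300 correspond to the "pass log logamount 20 ... 25 setup"
# rule; the rule 400 line corresponds to "unreach filter-prohib log ... 25"
# (ipfw logs ICMP unreachable code 13 as "Unreach 13").
SAMPLE_LOG = """\
Jan 24 08:01:12 fw kernel: ipfw: 300 Accept TCP 192.168.1.10:49152 203.0.113.5:25 out via fxp0
Jan 24 08:01:40 fw kernel: ipfw: 300 Accept TCP 192.168.1.77:1025 198.51.100.9:25 out via fxp0
Jan 24 08:02:03 fw kernel: ipfw: 300 Accept TCP 192.168.1.77:1026 198.51.100.10:25 out via fxp0
Jan 24 08:02:30 fw kernel: ipfw: 400 Unreach 13 TCP 203.0.113.44:2222 192.168.1.10:25 in via fxp0
"""

# Hypothetical expansions of the PI and INET macros from the ruleset.
EXTERNAL_MX = "192.168.1.10"   # the only internal host allowed to relay
INTERNAL_NET = "192.168.1."    # prefix match for the internal network

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>Accept|Deny|Unreach \d+) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)"
)

def parse(line):
    """Return the fields of one ipfw log line as a dict, or None if it is
    not an ipfw line."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def unexpected_smtp_clients(log_text, allowed=(EXTERNAL_MX,),
                            internal_prefix=INTERNAL_NET):
    """Count, per internal source host, accepted outbound TCP/25 connections
    opened by hosts that are not the permitted relay."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != "25":
            continue
        if rec["action"] != "Accept" or rec["dir"] != "out":
            continue  # blocked inbound attempts are a different report
        if rec["src"].startswith(internal_prefix) and rec["src"] not in allowed:
            hits[rec["src"]] += 1
    return hits

if __name__ == "__main__":
    for host, n in unexpected_smtp_clients(SAMPLE_LOG).items():
        print(f"{host}: {n} outbound SMTP connection(s), not the MX relay")
```

Note that `logamount 20` caps the entries each rule logs until its counter is reset (`ipfw resetlog`), so a periodic reset belongs next to whatever reads the log.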