From: Ed Wildgoose <lists@wildgooses.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] management of virus and p2p-traffic
Date: Tue, 22 Jun 2004 11:20:06 +0000
Message-ID: <40D815E6.1000903@wildgooses.com>
In-Reply-To: <1087839362.4786.0.camel@turtle>

Ralf Staudemeyer wrote:
>On Mon, 2004-06-21 at 17:06, Ed Wildgoose wrote:
>
>>>The Windows machines with their viruses give me a
>>>headache. I do not want to enforce remote Windows patching and
>>>virusscanner updating. It should also be taken into account that there
>>>is nearly no money available for any special equipment. Best would be to
>>>get this job done with a couple of old computers.
>>>
>>One thing you could address is that most viruses arrive via SMTP. Can
>>you scan inbound SMTP traffic, perhaps with clamav? Or do users have
>>their own external email accounts?
>>
>We have a Novell GroupWise service that should be used for email (via the
>managed 3Mbit connection). That system supports spam-filtering and
>virus-scanning. Unfortunately that service does not support any security
>functions and is not reliable. There will not be much change about that.
>So I want and I must support users who use their external email
>accounts.
>
A quick search on Google suggests that you can get a POP3 transparent
proxy which will do virus scanning. This is also used and maintained by
Astaro Linux firewall. See http://p3scan.sourceforge.net/

Perhaps you could look at something like Astaro with a bridging firewall
to get the bulk of your requirements sorted (or just roll your own
(Shorewall?) if you are happy with iptables).

Second problem is splitting traffic between your two internet
connections. This is very possible; read the LARTC FAQ for basic
details and then come back here with specific questions.

The other stuff is easily possible, but for the number of users that you
have you are going to need to invest some time to write some scripts to
handle mapping users to MAC addresses and make the whole thing
maintainable. There was another post only hours ago from at least one
other person who you might contact to see if they will share some stuff.

P2P is pretty easy to control. Try kernel patches for "ipp2p" or
"l7-filter" (both on sf.net I think). This lets you simply filter
traffic using iptables.

You mentioned time-based rules. I think there are patches to iptables
to handle this. Alternatively you could have two scripts which run from
cron to switch rules. A further, and perhaps easier, possibility is to
use the QoS rules to prioritise everything else and simply leave
unwanted traffic in the "left over" bucket. This will mean that P2P
users cannot affect your normal traffic, but if the link is idle at any
time of day or night then they can use up to the max amount, but only if
it's idle. This is perhaps good enough and easier to configure.

You need to have read the LARTC FAQ and browsed the iptables docs, or
you will find this quite advanced. I suggest that you break the problem
up into parts.

If you aren't completely technical, or are pushed for time, then you might
want to consider hiring someone, or looking at a prebuilt solution.
Your requirements are all possible though.
Ed W
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
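The "leftover bucket" approach from the message above, written out as an added example (this is not code from the original post or from any of the projects named in it). It builds an HTB tree on the upstream interface with a high-priority class for normal traffic and a lowest-priority class that P2P is marked into, so P2P only ever gets bandwidth the link would otherwise leave idle; the time match shows the time-based variant. Assumptions: the ipp2p match (`-m ipp2p --ipp2p`) and the xt_time match (`-m time`) are present in the kernel and iptables; `WAN`, the 3000 kbit rate and the 08:00-18:00 window are placeholders to replace with the real interface, link rate and hours.

```shell
#!/bin/sh
# Added example, not from the original post: demote P2P to a "leftover"
# HTB class on the upstream interface. Assumes the ipp2p and xt_time
# iptables matches are available; WAN/LINK_KBIT are placeholders.

WAN=${WAN:-eth0}                # assumed upstream interface
LINK_KBIT=${LINK_KBIT:-3000}    # assumed link rate in kbit/s (a 3 Mbit line)
DRY_RUN=${DRY_RUN:-0}           # 1 = print the commands instead of running them

# Every tc/iptables call goes through run so the generated rule set can be
# reviewed without root or a real interface.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_qos() {
    normal=$((LINK_KBIT * 9 / 10))   # guaranteed to everything that is not P2P
    leftover=$((LINK_KBIT / 10))     # guaranteed to the P2P class

    run tc qdisc del dev "$WAN" root 2>/dev/null
    # Anything that carries no known mark falls into 1:30, the leftover bucket.
    run tc qdisc add dev "$WAN" root handle 1: htb default 30
    run tc class add dev "$WAN" parent 1: classid 1:1 htb rate "${LINK_KBIT}kbit"
    # Normal traffic: high priority, may borrow the whole link.
    run tc class add dev "$WAN" parent 1:1 classid 1:10 htb \
        rate "${normal}kbit" ceil "${LINK_KBIT}kbit" prio 1
    # Leftover bucket: lowest priority. It may also grow to the whole link,
    # but HTB hands spare bandwidth out by prio, so only when 1:10 is idle.
    run tc class add dev "$WAN" parent 1:1 classid 1:30 htb \
        rate "${leftover}kbit" ceil "${LINK_KBIT}kbit" prio 7
    # Map firewall marks to classes: mark 1 -> 1:10, mark 3 -> 1:30.
    run tc filter add dev "$WAN" parent 1: protocol ip prio 1 handle 1 fw classid 1:10
    run tc filter add dev "$WAN" parent 1: protocol ip prio 2 handle 3 fw classid 1:30
}

setup_marks() {
    # Own mangle chain so it can be flushed and reloaded (e.g. from cron)
    # without touching anything else in POSTROUTING.
    run iptables -t mangle -N P2PMARK 2>/dev/null
    run iptables -t mangle -F P2PMARK
    run iptables -t mangle -D POSTROUTING -o "$WAN" -j P2PMARK 2>/dev/null
    run iptables -t mangle -A POSTROUTING -o "$WAN" -j P2PMARK
    # Default: everything is "normal".
    run iptables -t mangle -A P2PMARK -j MARK --set-mark 1
    # Demote P2P to the leftover class during working hours only. Drop the
    # "-m time" line to demote it around the clock; with l7-filter instead of
    # ipp2p the match would be "-m layer7 --l7proto <name>".
    run iptables -t mangle -A P2PMARK -m ipp2p --ipp2p \
        -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:00 --timestop 18:00 \
        -j MARK --set-mark 3
}

setup_all() {
    setup_qos
    setup_marks
}

case "${1:-}" in
    apply) setup_all ;;               # sh shape.sh apply  (as root, on the router)
    show)  DRY_RUN=1; setup_all ;;    # sh shape.sh show   (print the rules only)
esac
```

Run it with `show` first and read the generated rules before applying. This shapes only what leaves through the WAN interface; to hold down P2P downloads as well, repeat the same tree and marking on the LAN-facing interface, since a router can only shape traffic on egress.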
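For the user-to-MAC mapping the message says will need scripting to stay maintainable, here is an added example of the shape such a script can take (again not code from the original post or any named project): the mapping lives in one plain-text table, the script validates each MAC, generates one FORWARD rule per known user into its own chain, and drops anything from an unlisted MAC. Assumptions: `LAN` is the interface the users sit on, and the table in `sample_table` is constructed sample data, not real users.

```shell
#!/bin/sh
# Added example, not from the original post: generate per-user FORWARD rules
# from a "user mac policy" table. LAN is an assumed interface name and the
# sample table below is constructed data.

LAN=${LAN:-eth1}
DRY_RUN=${DRY_RUN:-0}   # 1 = print the iptables commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Returns 0 if $1 is a well-formed MAC (aa:bb:cc:dd:ee:ff), 1 otherwise.
valid_mac() {
    echo "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Constructed sample table (not real users). Policy is "allow" or "deny".
sample_table() {
    printf '%s\n' \
        '# user        mac                policy' \
        'alice         00:11:22:33:44:55  allow' \
        'bob           AA:BB:CC:DD:EE:FF  deny' \
        'mallory       not-a-mac          allow'
}

# Reads the table in file $1, rebuilds the USERS chain from it and returns
# the number of lines that were skipped as malformed (0 = clean reload).
load_users() {
    run iptables -N USERS 2>/dev/null
    run iptables -F USERS
    run iptables -D FORWARD -i "$LAN" -j USERS 2>/dev/null
    run iptables -A FORWARD -i "$LAN" -j USERS
    bad=0
    while read -r user mac policy; do
        case "$user" in ''|'#'*) continue ;; esac    # skip blanks and comments
        if ! valid_mac "$mac"; then
            echo "skipping $user: bad MAC '$mac'" >&2
            bad=$((bad + 1))
            continue
        fi
        case "$policy" in
            allow) run iptables -A USERS -m mac --mac-source "$mac" -j ACCEPT ;;
            deny)  run iptables -A USERS -m mac --mac-source "$mac" -j DROP ;;
            *)     echo "skipping $user: unknown policy '$policy'" >&2
                   bad=$((bad + 1)) ;;
        esac
    done < "$1"
    # Anyone not in the table gets nothing.
    run iptables -A USERS -j DROP
    return "$bad"
}

case "${1:-}" in
    demo)  DRY_RUN=1; tmp=$(mktemp); sample_table > "$tmp"
           load_users "$tmp"; rm -f "$tmp" ;;        # print rules for the sample
    apply) load_users "${2:?users file}" ;;          # sh users.sh apply /etc/users.tab
esac
```

Because the chain is flushed and rebuilt from the file on every run, editing the table and re-running `apply` is the whole maintenance procedure; a non-zero exit means a line was skipped and should be looked at. MAC matching only identifies a machine on the directly attached LAN and is trivially spoofed, so treat it as a convenience for mapping users to rules, not as authentication.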
Thread overview:
2004-06-21 17:36 [LARTC] management of virus and p2p-traffic Ralf Staudemeyer
2004-06-21 21:06 ` Ed Wildgoose
2004-06-22 4:59 ` Jason Boxman
2004-06-22 10:34 ` Ralf Staudemeyer
2004-06-22 11:20 ` Ed Wildgoose [this message]
2004-06-22 15:05 ` Ralf Staudemeyer
2004-06-22 16:01 ` Ed Wildgoose
2004-06-22 16:45 ` Ralf Staudemeyer