Re: [fw-wiz] Pix 535 Logging



Just deny everything external for SMTP except for your mail servers and then
configure logging for at least informational (off the top of my head I think
this is what will catch the denies). You could sort out what you want to
see at the syslog server. Or you could use your border router with an
egress ACL with a deny on all port 25 traffic except for your mail servers
and put a log at the end of the deny rule (make sure logging is configured
correctly on the router). The router will work depending on where you do
your NAT/PAT, and if you use PAT before the border then it won't work at all,
so you would need to use the firewall rules. Hope this helps.

Cheers,
Kevin

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of James
Burns
Sent: Wednesday, November 08, 2006 5:50 AM
To: Firewall Wizards
Subject: [fw-wiz] Pix 535 Logging

Hi,

I have a quick question regarding logging on a Pix 535.

We're currently getting a lot of CERT notifications for spammers
operating within our network - mainly just students with 0wned machines,
but we're looking into ways to automate the procedure slightly.

Anyway, what I'm looking to do, and what I need help with.... I want to
know if it's possible to log all outbound port 25 connection attempts,
EXCEPT those that come from our authorised MXs and mail servers. AND I
would like to be able to do this in addition to the normal logging that
takes place.

So, is it possible?

Any thoughts and guidance you can provide are very much appreciated.

Cheers,
James

--
James Burns

Network Advisor - Student & Learning Support
University of Sunderland



--
University of Sunderland - life-changing: see our new TV advert at
http://www.lifechangingsunderland.com or http://www.sunderland.ac.uk
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
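
The "sort out what you want to see at the syslog server" step from the reply above, as an added example that is not part of the original thread: a Python filter that counts denied outbound port 25 attempts per internal host. It assumes the denies arrive as PIX message 106023 in the form shown in the comment; the mail server addresses, the ACL name `acl_out`, the threshold and the log lines are all constructed for illustration.

```python
import re
from collections import Counter

# Assumption: addresses of the authorised MXs / mail servers (constructed).
MAIL_SERVERS = {"10.0.0.25", "10.0.0.26"}

# Assumed line shape (PIX deny-by-ACL message 106023):
#   %PIX-4-106023: Deny tcp src inside:A.B.C.D/port dst outside:W.X.Y.Z/port by access-group "name"
DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny tcp src (?P<sif>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample syslog lines, not taken from a real device.
SAMPLE_LOG = """\
Nov  8 05:50:01 pix %PIX-4-106023: Deny tcp src inside:10.1.2.3/1045 dst outside:192.0.2.10/25 by access-group "acl_out"
Nov  8 05:50:02 pix %PIX-6-302013: Built outbound TCP connection 4411 for outside:192.0.2.80/80 (192.0.2.80/80) to inside:10.1.2.3/1046 (10.1.2.3/1046)
Nov  8 05:50:03 pix %PIX-4-106023: Deny tcp src inside:10.1.2.3/1047 dst outside:198.51.100.7/25 by access-group "acl_out"
Nov  8 05:50:04 pix %PIX-4-106023: Deny tcp src inside:10.1.7.9/2210 dst outside:192.0.2.10/25 by access-group "acl_out"
Nov  8 05:50:05 pix %PIX-4-106023: Deny tcp src inside:10.1.2.3/1048 dst outside:203.0.113.5/25 by access-group "acl_out"
Nov  8 05:50:06 pix %PIX-4-106023: Deny tcp src inside:10.1.7.9/2211 dst outside:192.0.2.10/80 by access-group "acl_out"
Nov  8 05:50:07 pix %PIX-4-106023: Deny tcp src inside:10.0.0.25/3001 dst outside:192.0.2.10/25 by access-group "acl_out"
"""

def denied_smtp_sources(lines, mail_servers=MAIL_SERVERS):
    """Count denied outbound TCP/25 attempts per internal source address."""
    hits = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if not m or m["dport"] != "25":
            continue  # not a deny, or not SMTP
        if m["src"] in mail_servers:
            continue  # authorised senders are excluded from the report
        hits[m["src"]] += 1
    return hits

def report(hits, threshold=2):
    """Hosts with at least `threshold` denied attempts, busiest first."""
    return [(src, n) for src, n in hits.most_common() if n >= threshold]

if __name__ == "__main__":
    for src, n in report(denied_smtp_sources(SAMPLE_LOG.splitlines())):
        print(f"{src}\t{n} denied SMTP attempts")
```

The source addresses are only meaningful when the log comes from a device that sees hosts before PAT, which is the point the reply makes about the border router.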