1+
one more interested in this here!

8<
For anything else than really small sites, having a program watch each
and every packets that flows by will be very painful.
That's why the mailserver gets to check the mails, and other parts check
their own traffic.

my first search came up with an answer
http://www.wains.be/index.php/2006/12/19/centosrhelfedora-web-proxy-antivirus
-clamav/


-----Original Message-----
From: owner-***@openbsd.org [mailto:owner-***@openbsd.org]On Behalf Of
Protocol Six Consulting
Sent: Thursday, March 19, 2009 10:28 AM
To: ***@openbsd.org
Subject: PF and CLamAV "Integration" - how to do it?


Hi,

I was wondering if anyone here knows how to integrate the PF firewall
with ClamAV.

I am planning on putting into production an OpenBSD firewall and would
like to do virus scanning at the network perimeter.
I am definitely interested in scanning email traffic, but also possibly
Web and IRC (and any other traffic types that makes sense) for a group
of 25 people.

Unfortunately I've not seen any real discussion or howtos for this type
of integration.
I've also looked in the PF FAQ pages and in the archives of Openbsd-misc
or Openbsd-PF.
Finally, the BookOfPF (which I like a lot!!) doesn't seem to touch on
this topic either.

I suspect my mental picture of how PF and ClamAV work together may be
flawed or incomplete.
I guess I'm assuming there is a way to have PF pass information directly
to ClamAV, but perhaps some middle-ware glue is necessary.

Any pointers and/or info would be greatly appreciated by this newbie.

Thanks and best regards,

:-)

Sarah

For email, I used to run Postfix on my firewall. Postfix would scan the
mail using amavisd-new (which scanned the mail with SpamAssassin and
ClamAV) and would pass the clean mail to our internal Exchange server.
Here is a good guide on how to configure this sort of relay.

http://flakshack.com/anti-spam/wiki/index.php
You would need some sort of proxy to reassemble the files to scan with
ClamAV. PF can transparently pass traffic to squid, which I believe can
use ClamAV for scanning. I found this email on to configure PF to pass
the traffic to squid.

http://marc.info/?l=squid-users&m=120938897115089&w=2


Tim Donahue

...
You might find Wil Knolls's paper mentioned in:

http://undeadly.org/cgi?action=article&sid=20081220195047

useful background reading.

Hi Sarah,

try to make a search in ports tree for different kind of proxies:

Port: havp-0.89
Path: www/havp
Info: web proxy with antivirus filter
Maint: Giovanni Bechis <***@snb.it>
Index: www
L-deps: clamav.>=1::security/clamav
B-deps: :devel/gmake
R-deps:
Archs: any

For scanning mails there are a lot of tutorials right now...

Regards Uwe

smtp-vilter, which is in ports, does that,
smtp-vilter can add virus senders to a pf table.

If you want, you may try also http://comixwall.org/ .
It's OpenBSD based IDS-like tool to provide complex antivirus,
firewall with security, monitoring capabilities and quite nice
web-based GUI for local networks.
After some tweaks it works like a charm ;)
--
Kamil Monticolo