■Setting up port forwarding (NAT) on a Fortigate-80C.
I revised the script so that wan1 is configured with a static address.
https://raw.githubusercontent.com/labunix/fortigate-80c-settings/master/fortigate-80c_basic.sh
■Note that this is a segment for evaluation at home, so the subnet mask is not /24.
config system interface
edit "wan1"
set vdom "root"
set ip 192.168.1.252 255.255.255.248
set allowaccess ping
set type physical
set snmp-index 2
next
end
config system interface
edit "internal"
set vdom "root"
set ip 172.31.31.252 255.255.255.0
set allowaccess ping https ssh http telnet
set type physical
set snmp-index 1
next
end
■This assumes valid license contracts for AV and spam checking.
antispam-license : Contract
avquery-license : Contract
webfilter-license : Contract
■For a web service
wan1(80/tcp) -> internal(80/tcp)
set ip 192.168.1.252 255.255.255.248
set ip 172.31.31.252 255.255.255.0
■First, define a virtual IP (IPv4) as a firewall object
config firewall vip
edit "Web-NAT"
set extip 192.168.1.252
set extintf "wan1"
set portforward enable
set mappedip 172.31.31.254
set extport 80
set mappedport 80
next
end
■For the wan1(80/tcp) -> internal(80/tcp) access described above,
create a policy that allows traffic to the virtual IP with NAT enabled.
Enable IPS and AV on it.
config firewall policy
edit 2
set srcintf "wan1"
set dstintf "internal"
set srcaddr "all"
set dstaddr "Web-NAT"
set action accept
set schedule "always"
set service "HTTP"
set utm-status enable
set av-profile "AV-flow"
set ips-sensor "default"
set profile-protocol-options "default"
set nat enable
set fixedport enable
next
end
■The receiving Debian host is listening on 172.31.31.254.
$ netstat -an | grep 172.31.*80
tcp 0 0 172.31.31.254:80 0.0.0.0:* LISTEN
■Access check
$ telnet 192.168.1.252 80
Trying 192.168.1.252...
Connected to 192.168.1.252.
Escape character is '^]'.
GET / HTPP/1.0
HTTP/1.1 200 OK
Date: Sun, 22 Feb 2015 13:05:08 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sun, 30 Dec 2012 02:34:54 GMT
ETag: "2a60e7-b1-4d208bde02f80"
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>
Connection closed by foreign host.
■Since this is my own private web server, I placed eicar.txt on it and confirmed that it is blocked when fetched through the Fortigate.
$ w3m -no-proxy -dump http://localhost/eicar.txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
$ w3m -no-proxy -dump http://192.168.1.252/eicar.txt
■Mail NAT as well, while I'm at it.
Since this is mail, spam checking is performed in addition to AV and IPS.
config firewall vip
edit "Mail-NAT"
set extip 192.168.1.252
set extintf "wan1"
set portforward enable
set mappedip 172.31.31.254
set extport 25
set mappedport 25
next
end
config firewall policy
edit 3
set srcintf "wan1"
set dstintf "internal"
set srcaddr "all"
set dstaddr "Mail-NAT"
set action accept
set schedule "always"
set service "SMTP"
set utm-status enable
set av-profile "AV-flow"
set spamfilter-profile "default"
set ips-sensor "default"
set profile-protocol-options "default"
set nat enable
set fixedport enable
next
end
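The two VIP-plus-policy pairs above share one pattern: an accept policy toward a VIP should carry utm-status, av-profile and ips-sensor, and the SMTP one a spamfilter-profile as well. As an added example (not code from this page or from the linked script), the Python below parses FortiOS CLI blocks such as these into a nested structure (nested config blocks inside an edit entry, like the spam profile's config smtp, are handled too) and flags VIP policies missing any of those settings. The config it checks is a constructed sample modelled on the Web-NAT and Mail-NAT definitions; policy 3 is deliberately stripped of its inspection settings so the audit has something to report.

```python
import shlex

# Constructed sample modelled on this page's config: policy 2 keeps the page's UTM settings, policy 3 omits them.
SAMPLE_CONFIG = """
config firewall vip
edit "Web-NAT"
set mappedip 172.31.31.254
next
edit "Mail-NAT"
set mappedip 172.31.31.254
next
end
config firewall policy
edit 2
set dstaddr "Web-NAT"
set utm-status enable
set av-profile "AV-flow"
set ips-sensor "default"
next
edit 3
set dstaddr "Mail-NAT"
set service "SMTP"
set av-profile "AV-flow"
next
end
"""

def parse_fortios(text):
    # Nest the CLI into dicts: config/edit open a scope, next/end close it.
    root, stack = {}, []
    for parts in filter(None, (shlex.split(line) for line in text.splitlines())):
        if parts[0] in ("config", "edit"):
            stack.append((stack[-1] if stack else root).setdefault(" ".join(parts[1:]), {}))
        elif parts[0] == "set":
            stack[-1][parts[1]] = " ".join(parts[2:])
        elif parts[0] in ("next", "end"):
            stack.pop()
    return root

def audit_vip_policies(cfg):
    # Flag policies whose destination is a VIP but that lack the inspection this page relies on.
    vips, findings = cfg.get("firewall vip", {}), []
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("dstaddr") not in vips:
            continue
        if pol.get("utm-status") != "enable":
            findings.append((pid, "utm-status not enabled"))
        findings += [(pid, f"missing {k}") for k in ("av-profile", "ips-sensor") if k not in pol]
        if pol.get("service") == "SMTP" and "spamfilter-profile" not in pol:
            findings.append((pid, "SMTP policy without spamfilter-profile"))
    return findings
```

Running audit_vip_policies(parse_fortios(SAMPLE_CONFIG)) reports only policy 3; feeding it the output of "show firewall vip" and "show firewall policy" from the unit works the same way.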
■Since I don't know the criteria the spam filter uses for its verdicts,
I decided to tag messages with [Spam] rather than discard them.
※By default the tag is Spam and the SMTP action is discard.
config spamfilter profile
edit "default"
set comment "malware and phishing URL filtering"
set spam-filtering enable
set options spamfsip spamhelodns spamraddrdns
config imap
set tag-msg "[Spam]"
end
config pop3
set tag-msg "[Spam]"
end
config smtp
set action tag
set tag-msg "[Spam]"
end
next
end
■Verification
$ telnet 192.168.1.252 25
Trying 192.168.1.252...
Connected to 192.168.1.252.
Escape character is '^]'.
220 myhome.local ESMTP Postfix (Debian/GNU)
ehlo localhost
250-myhome.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:labunix
250 2.1.0 Ok
rcpt to:labunix
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: Test Mail
sample
.
250 2.0.0 Ok: queued as 3B4F32924B7
quit
221 2.0.0 Bye
Connection closed by foreign host.
■Only the ClamAV and SpamAssassin headers are there...
Message 5:
From labunix@myhome.local Sun Feb 22 22:23:48 2015
X-Original-To: labunix@myhome.local
X-Quarantine-ID: <ajIGjUyzRCxG>
X-Virus-Scanned: Debian amavisd-new at myhome.local
X-Amavis-Alert: BAD HEADER SECTION, Missing required header field: "Date"
X-Spam-Flag: NO
X-Spam-Score: 4.56
X-Spam-Level: ****
X-Spam-Status: No, score=4.56 tagged_above=2 required=6.31
tests=[ALL_TRUSTED=-1, DNS_FROM_AHBL_RHSBL=2.438, MISSING_DATE=1.396,
MISSING_HEADERS=1.207, MISSING_MID=0.14, NO_DNS_FOR_FROM=0.379]
autolearn=no
Subject: Test Mail
sample
■With the following settings, a mail with the subject below arrives for postmaster, so I'll take it that the filter is working.
"Subject: Considered UNSOLICITED BULK EMAIL, apparently from you"
config spamfilter bwl
edit 1
set name "labunix@myhome.local"
next
end
config spamfilter profile
edit "default"
set options spambwl spamfsip spamfssubmit spamfschksum spamfsurl spamhelodns spamraddrdns spamfsphish
set spam-bwl-table 1
next
end