F-Secure Internet Gatekeeper for Linux/Administrator’s Guide
116
5 Check that virus scans can be performed when a client accesses a server.
When a service on Internet Gatekeeper accesses a server, the product's own IP address is normally used as the source address of that connection. For this reason, the IP address and routing settings must be configured on the Internet Gatekeeper server.
For FTP data sessions in Passive mode, the destination address used by the client and the source address used by Internet Gatekeeper towards the server are usually the address of the product. In Active mode, the destination address used by the server and the source address used by Internet Gatekeeper towards the client are usually the address of the product. If FTP communication does not work, check whether it is being denied by a firewall.
When Internet Gatekeeper accesses a server, or when an IP address needs to be retained during an FTP data session, the kernel must be patched with tproxy. For more information, see "transparent_tproxy" in the separate "Expert options" document.
Configure the Linux firewall (iptables) so that the communication used by the product's files and tasks is not denied. The following communication must be allowed:
・ All communication on the OUTPUT chain
・ All communication on the FORWARD chain
・ On the INPUT chain, communication to the listen ports used by Internet Gatekeeper (9080, 9025, 9110, 9021), plus the data session rules relating to FTP (if FTP is used)
If there are communication errors, disable the firewall and check the communication status.
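As an added example that is not part of the F-Secure guide, the following POSIX shell script generates the iptables commands that correspond to the list above, so they can be reviewed (or diffed against the running rule set) before being applied on the Internet Gatekeeper host. The listen ports are the ones the guide names; that 9021 is the FTP control port, the use of the nf_conntrack_ftp helper with its ports parameter, and the raw-table CT rule are assumptions of this example, not settings taken from the guide.

```shell
#!/bin/sh
# Added example, not from the F-Secure guide: print the iptables commands that
# implement the guide's firewall requirements for an Internet Gatekeeper host.
# Nothing is applied unless igk_apply_rules is called explicitly as root.

IGK_PORTS="9080 9025 9110 9021"      # listen ports named in the guide
IGK_FTP_PORT="${IGK_FTP_PORT:-9021}" # assumption: 9021 is the FTP proxy's control port
IGK_FTP="${IGK_FTP:-yes}"            # set to "no" when FTP scanning is not used

# Emit one command per line so the result can be inspected or diffed first.
igk_firewall_rules() {
    # OUTPUT and FORWARD: the guide requires all traffic on these chains to pass.
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -P FORWARD ACCEPT"
    # INPUT: accept replies to connections the product opened itself (and
    # connections a conntrack helper marks as RELATED), then the listen ports.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in $IGK_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $port -j ACCEPT"
    done
    # FTP data sessions (only if FTP is used). In passive mode the client opens
    # a data connection to a port the product chooses on demand; with the ftp
    # conntrack helper attached to the proxy's control port, that data
    # connection is classified RELATED and accepted by the rule above.
    # Assumption: the helper is wanted and the kernel supports the CT target.
    if [ "$IGK_FTP" = "yes" ]; then
        echo "modprobe nf_conntrack_ftp ports=21,$IGK_FTP_PORT"
        echo "iptables -t raw -A PREROUTING -p tcp --dport $IGK_FTP_PORT -j CT --helper ftp"
    fi
}

# Self-check helper: number of INPUT rules that open a given TCP port.
igk_input_rules_for_port() {
    igk_firewall_rules | grep -c -- "-A INPUT -p tcp --dport $1 " || true
}

# Apply the generated commands; refuses to run unless root.
igk_apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "igk_apply_rules: must be run as root" >&2
        return 1
    fi
    igk_firewall_rules | sh -e
}

# Stand-alone use: print the commands for review.
igk_firewall_rules
```

Run the script as-is to print the rules; call igk_apply_rules (as root) only after the printed list has been checked against the local policy, for example that an existing SSH rule is not removed and that the FTP lines are omitted with IGK_FTP=no when FTP is not scanned.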
Reference URLs:
■ Net:Bridge – The Linux Foundation
http://www.linux-foundation.org/en/Net:Bridge
■ ebtables
http://ebtables.sourceforge.net/