Protecting a Local Web Server

In this section

Configuring Redirection of Connections

Scan Settings

This option is available only in the product distributions for GNU/Linux OSs.

To protect a web server that is running on the same host on which Dr.Web for UNIX Internet Gateways is installed, you need to enable scanning of all the traffic coming to the server by the SpIDer Gate monitor.

Configuring Redirection of Connections

To configure the web server protection, change several parameter values in the configuration file, in the section with the settings for Dr.Web Firewall for Linux (the [LinuxFirewall] section):

Parameter                        Required value
InspectHttp                      On
AutoconfigureIptables            Yes
AutoconfigureRouting             Yes
LocalDeliveryMark                Auto
ClientPacketsMark                Auto
ServerPacketsMark                Auto
TproxyListenAddress              127.0.0.1:0 (if a special IP address or port is used for the Dr.Web Firewall for Linux operation, specify them here)
InputDivertEnable                Yes
InputDivertNfqueueNumber         Auto
InputDivertConnectTransparently  Yes

To view and change the settings of Dr.Web Firewall for Linux, you can use the following means.

The command-line management tool Dr.Web Ctl (the drweb-ctl cfshow and drweb-ctl cfset commands).

For example, the following command:

# drweb-ctl cfset LinuxFirewall.InputDivertEnable Yes

configures Dr.Web Firewall for Linux so that incoming data is scanned by SpIDer Gate when the HTTP protocol is used and the InspectHttp parameter is set to On.

The management web interface of Dr.Web for UNIX Internet Gateways (by default, you can access it via a web browser at https://127.0.0.1:4443/).

To scan data transferred via HTTPS protocol, additionally do the following:

Enable scanning of the traffic transmitted via SSL/TLS by setting the corresponding parameter with the following command:

# drweb-ctl cfset LinuxFirewall.UnwrapSsl Yes

It is recommended to use the cfset command of the drweb-ctl tool or the management web interface for this, because the scanning rules, which depend on this parameter, are then updated automatically.

Export the certificate that Dr.Web for UNIX Internet Gateways will use to integrate into the protected SSL/TLS channels by executing the command:

$ drweb-ctl certificate > <cert_name>.pem

Here you specify the name of the file in which the certificate is saved in PEM format.

Add the obtained certificate to the system list of trusted certificates and, if necessary, also register it as a trusted certificate for the web clients (browsers) and the web server. For details, see the Appendix E. Generating SSL Certificates section.
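The table of required [LinuxFirewall] values above and the HTTPS step (UnwrapSsl) are easy to get partially wrong when edited by hand. The following script is an added example, not part of the Dr.Web documentation or product: it reads a Dr.Web configuration file, checks only the [LinuxFirewall] section against the values this page requires, and prints a drweb-ctl cfset line for each parameter that is missing or differs, so you can review them before running them as root. The sample configuration at the bottom is constructed for a stand-alone run; the "key = value" layout and the file path are assumptions.

```shell
#!/bin/sh
# Added example (not Dr.Web's own tooling). Compares the [LinuxFirewall]
# section of a configuration file with the values required on this page and
# prints the drweb-ctl cfset commands that would bring it into line.

# Required parameter=value pairs, taken from the table on this page.
REQUIRED_SETTINGS='InspectHttp=On
AutoconfigureIptables=Yes
AutoconfigureRouting=Yes
LocalDeliveryMark=Auto
ClientPacketsMark=Auto
ServerPacketsMark=Auto
TproxyListenAddress=127.0.0.1:0
InputDivertEnable=Yes
InputDivertNfqueueNumber=Auto
InputDivertConnectTransparently=Yes'

# get_linuxfirewall_value FILE PARAM
# Prints the value of PARAM from the [LinuxFirewall] section of FILE, or
# nothing if it is not set there. Other sections are ignored, so a same-named
# parameter elsewhere in the file does not count. Comments (# or ;) are skipped.
get_linuxfirewall_value() {
    awk -v param="$2" '
        /^[[:space:]]*\[/ { insection = ($0 ~ /^[[:space:]]*\[LinuxFirewall\][[:space:]]*$/); next }
        insection && $0 !~ /^[[:space:]]*[#;]/ {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == param) { print val; exit }
        }' "$1"
}

# missing_settings FILE [https]
# Prints one "drweb-ctl cfset LinuxFirewall.<Param> <Value>" line per required
# parameter whose value in FILE is absent or different. With the optional
# second argument "https", UnwrapSsl=Yes (the HTTPS step on this page) is
# required as well. Returns 0 when nothing needs changing, 1 otherwise.
missing_settings() {
    file="$1"
    wanted_list="$REQUIRED_SETTINGS"
    [ "$2" = "https" ] && wanted_list="$wanted_list
UnwrapSsl=Yes"
    out=$(printf '%s\n' "$wanted_list" | while IFS='=' read -r param wanted; do
        actual=$(get_linuxfirewall_value "$file" "$param")
        [ "$actual" = "$wanted" ] || printf 'drweb-ctl cfset LinuxFirewall.%s %s\n' "$param" "$wanted"
    done)
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# Constructed sample configuration (not a real installation file): InspectHttp
# is wrong, InputDivertEnable is wrong, InputDivertConnectTransparently is
# missing, and the InspectHttp in [Root] must not be mistaken for the one that
# matters.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
[Root]
; unrelated section
InspectHttp = On

[LinuxFirewall]
InspectHttp = Off
AutoconfigureIptables = Yes
AutoconfigureRouting = Yes
LocalDeliveryMark = Auto
ClientPacketsMark = Auto
ServerPacketsMark = Auto
TproxyListenAddress = 127.0.0.1:0
InputDivertEnable = No
InputDivertNfqueueNumber = Auto
EOF

# Stand-alone run: list what still has to be changed for HTTP-only protection.
if missing_settings "$SAMPLE_CONFIG"; then
    echo "[LinuxFirewall] already matches the required values"
else
    echo "review the commands above, then run them as root (and drweb-ctl reload)"
fi
```

Point the script at the real configuration file instead of the constructed sample to audit an installation; the printed cfset lines are exactly the drweb-ctl invocations described above, so the scanning rules are regenerated by the product rather than by hand-editing the file.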

Scan Settings

Specify the following parameters in the LinuxFirewall section of the configuration file:

1. Parameters of scanning of transferred data (ScanTimeout, HeuristicAnalysis, PackerMaxLevel, ArchiveMaxLevel, MailMaxLevel, ContainerMaxLevel, MaxCompressionRatio) that limit the duration and resource intensity of scanning. When fine-grained configuration is not required, it is recommended to keep these parameters at their default values.

2. The Block* parameters for blocking unwanted URLs and content.

3. The BlockUnchecked parameter, which specifies the action of SpIDer Gate in case the received data cannot be scanned.

For a more detailed configuration of filtering rules, edit the Lua procedure or the RuleSet rules.

After all settings are adjusted, restart Dr.Web for UNIX Internet Gateways with the following command:

# drweb-ctl reload

You can also restart the Dr.Web ConfigD configuration daemon with the following command:

# service drweb-configd restart