I would have to agree with Henrik here.

Not allowing established connections from a higher-level security zone to a 
lesser one seems to be more of a design issue than a ClamAV implementation 
issue. The idea of zones should be to guard inbound, not hamper user outbound. 

It's true you can skin a cat a million ways, but some of those ways are simply 
cruel, time consuming, and of little relevance to the objective.

If there is a router acting as a firewall (PIX or Cisco 2621, etc.), then a 
simple ACL seems a much more robust solution. Of course the likelihood that you are 
using internal IP addresses is high, which means you will need to NAT from that 
segment, which you most likely already do because you need to have internet.

If the firewall is on the machine, then a simple allow statement in the right 
chain in iptables will achieve the same thing (Windows has the same level 
of security via a GUI).

In either case, the "hack" would be to figure it out on your network, not 
request bloatware that will be used in very few situations, given the 
complexity (thus insecurity) it introduces. (IMHO) 

Frankly, my objection is a bit personal too. I hate the fact that everyone and 
everything is becoming HTTP. It is one single silly port out of a possible 60,000+, 
and its protocol was designed to centralize documentation. It has now become 
the default port AND PROTOCOL for everything. This is beyond ridiculous! Since now 
everyone knows where to focus their attacks! The best way to protect data is to 
keep it binary and OFF port 80 or 443.
This time, IMNSHO.

 :oP   

> Date: Sun, 16 May 2010 09:29:57 +0300
> From: h...@hege.li
> To: clamav-users@lists.clamav.net
> Subject: Re: [Clamav-users] Tiered freshclam updates on port443
> 
> On Fri, May 14, 2010 at 06:34:33PM -0400, Nathan Gibbs wrote:
> > 
> > At our site, the "update server" hosts clamav DBs, snort rules, some conf
> > files, etc. The ability to protect the other data would be a plus. It would
> > add another layer of defense to our setup. However, it's not workable if
> > Freshclam cannot speak https. It's redundant as far as ClamAV's data integrity
> > goes. However, I think it's worth doing as far as "hack value" and
> > interoperability go.
> 
> Using https sounds silly in favor of more robust methods like rsync+ssh. I
> certainly would trust rsyncing a verified set of signatures more than using
> freshclam code, which has had bugs in the past.
> 
> -1 for adding yet another external library dependency for little purpose.
> 
> As far as the original poster goes, I don't think the https protocol was the
> issue, only the TCP port. Such human-generated firewall "problems" are solvable
> in many ways if desired and IMHO have nothing to do with ClamAV.
> 
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
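The host-firewall version of the rule set described in the reply above (default-deny inbound on both zones, return traffic allowed by connection state, and one explicit allow so freshclam in the trusted segment can reach the update server on TCP 443), written as an added example for this thread; it is not code from the thread or from the ClamAV project. The addresses (10.0.1.0/24 for the internal segment, 10.0.2.10 for the update server) are constructed placeholders, and DRY_RUN=1 (the default) prints the iptables commands instead of applying them, so the script can be reviewed without root.

```shell
#!/bin/sh
# Added example: stateful iptables rules for the "guard inbound, allow
# established outbound" pattern. Hypothetical addresses; override via env.
INTERNAL_NET="${INTERNAL_NET:-10.0.1.0/24}"   # higher-security zone (constructed)
UPDATE_SERVER="${UPDATE_SERVER:-10.0.2.10}"   # mirror host in lesser zone (constructed)
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands, 0 = apply

# Wrapper so the same functions can be reviewed (printed) or applied.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Rules for the update server in the lower-security zone: drop everything
# inbound except return traffic and new HTTPS connections from the internal
# segment. Nothing else on the mirror is reachable from anywhere.
update_server_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp -s "$INTERNAL_NET" --dport 443 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Rules for a client in the higher-security zone: nothing new may come in,
# established flows in both directions are allowed, and the single "allow
# statement" the post mentions permits the outbound update connection.
client_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -p tcp -d "$UPDATE_SERVER" --dport 443 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Usage: ./zones.sh client | server   (DRY_RUN=0 to apply as root)
case "${1:-}" in
    client) client_rules ;;
    server) update_server_rules ;;
esac
```

Running with `DRY_RUN=1 ./zones.sh client` prints the rules for review; note that only one rule on the client names a destination and port, which is the whole change needed for the port-443 update case, while the default policies stay at DROP.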