Back to the original issue. I still say having firewalls from higher security zones to lower ones does not make sense. Security is only valid when it is INBOUND. Outbound security is no security at all, just a pain for your users.
Any sysadmin who thinks they are able to fathom all the user will do, or worse, thinks that all the user does is screw up, really is no sysadmin at all. They're just a hack with a big ego. Machines, like people, are users too. To hamper a high security server, not to gain access to the outside on some port (especially for updates), is hampering that server, not improving security; without its updates it is actually less secure than having a single binary based port open to some less secure facility. I cannot imagine (and I think this is the point of the chain) a situation in which a server would not have OUTBOUND access on 443 (ESTABLISHED INBOUND), which is functioning as an anti virus. After all, how do you update your client boxes, even a deployment server has to be able to pull updates? I'm fascinated, because I cannot imagine how this is all set up, which would cause such a unique situation.

> Date: Wed, 19 May 2010 15:22:04 -0400
> From: nat...@cmpublishers.com
> To: clamav-users@lists.clamav.net
> Subject: Re: [Clamav-users] Tiered freshclam updates on port443
>
> * Matus UHLAR - fantomas wrote:
> >> * Matus UHLAR - fantomas wrote:
> >>> Why? is there an aggressive firewall on the machine? Or is the machine
> >>> maintained by a moron?
> >
> > On 14.05.10 14:50, Nathan Gibbs wrote:
> >> Blah, Blah, Blah.
> >
> > I have asked why it's impossible.
>
> True.
>
> > Having a moron sysadmin is one of the possibilities.
>
> Also, "could be" true, but that possibility doesn't necessarily need to be
> stated.
> I'd guess that most of those on this ML are sysadmins, and very smart people.
> However, each person's idea of what the "Right Thing" is, in a given
> situation, will be different. Even if there is agreement on "what", there
> will be disagreement on "how". In summary, just because someone here sees it
> differently, or disagrees with me, they are NOT a moron. I would be the moron
> for calling or implying that they were, and vice versa.
>
> > You have apparently chosen this one.
> >
> >> Blah, Blah, Blah
> >
> > I haven't called anyone a moron yet, but you have apparently applied to
> > this. You could better answer my question first.
> >
>
> That would be pointless as they are Eddie's hosts not mine.
>
> --
> Sincerely,
>
> Nathan Gibbs
>
> Systems Administrator
> Christ Media
> http://www.cmpublishers.com