On Fri, 2013-10-11 at 12:57 -0700, Al Varnell wrote:
> I believe the network guru for Sourcefire/ClamAV® is still Ryan Steinmetz 
> <[email protected]>.
> 
> On Oct 11, 2013, at 12:33 PM, Michael Mather <[email protected]> 
> wrote:
> > I want freshclam to get its updates through a firewall, and I want just
> > a few specific IP addresses open for this purpose.
> > 
> > Being in Canada, I propose to code the following lines in
> > freshclam.conf:
> > 
> >     DatabaseMirror  24.215.0.24
> >     DatabaseMirror  208.70.244.158
> > 
> > and open those addresses on the firewall.
> > 
> > Q1: Is that good, or should I have more addresses?
> 
> Looks like you are missing at least a couple:
> 
> $ host db.ca.clamav.net
> db.ca.clamav.net has address 208.70.244.158
> db.ca.clamav.net has address 24.215.0.24
> db.ca.clamav.net has address 128.177.8.248
> db.ca.clamav.net has address 200.236.31.1
> 
> Not sure how it works in Canada, but in the US the list is in constant 
> rotation with six out of seventeen IP's being used at any one time, some 
> being off-shore since there isn't enough capacity from US mirrors.

I would not like to have 17 IPs opened in the firewall. 
Maybe Canada just has the four.

I left out the other two because they are not in Canada (NY & Brazil),
but your explanation is useful. I will put them back in.

In fact, I now think the config file should have
        DatabaseMirror db.ca.clamav.net
and the firewall should have those four IPs open.

But that still leaves a question with:
        DatabaseMirror database.clamav.net

> > Q2: How can I anticipate either of those addresses no longer being a
> > mirror, so that I can make changes?
> 
> I think you'd need an in with the mirror administrator.  I've never seen any 
> traffic on what goes on behind the scenes with the 119 sites in 44 regions 
> other than <http://www.clamav.net/mirrors.html> and even that isn't always 
> completely up-to-date.

I would rather have something automatic than rely on an administrator
remembering to do a favour at some future date.

> > Q3: What to do about the line:
> >     DNSDatabaseInfo  current.cvd.clamav.net
> 
> Open port 53/tcp.

Well, if I open that with no destination address mentioned, that is the
huge hole I am trying to avoid.

> -Al-


_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
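Added example, not part of the thread or of ClamAV itself: a small POSIX shell script for the two open points above. For Q2 ("something automatic"), it resolves the mirror hostname, compares the addresses with the list from the previous run and regenerates the allow rules, so a mirror rotating in or out shows up the next time cron runs it rather than when an administrator remembers. For Q3, it does not open 53 to the world: freshclam's DNSDatabaseInfo TXT lookup goes through the system resolver, so the only DNS destinations the firewall needs are the nameservers in resolv.conf (udp and tcp, since a large TXT answer can fall back to tcp). The iptables chain name CLAMAV_OUT, the use of 80/tcp for mirrors, and all sample data (the `host` output, a previous address list with a rotated-out 198.51.100.7, and the resolv.conf text) are my assumptions and constructions, not anything the posters wrote.

```shell
#!/bin/sh
# Added example, not from the thread: keep a freshclam firewall allow-list in
# step with what the mirror hostnames currently resolve to, and restrict the
# DNSDatabaseInfo lookup to the configured resolvers instead of all of port 53.
# Assumptions (mine, not the posters'): iptables, a dedicated chain named
# CLAMAV_OUT, mirrors reached over 80/tcp, resolv.conf-style resolver config.
# The SAMPLE_* values below are constructed; replace them with live output.

# Parse `host NAME` output ("NAME has address A.B.C.D") given as $1 and print
# the unique IPv4 addresses, one per line, in a locale-independent order.
# Alias, AAAA and error lines are ignored.
mirror_ips() {
    printf '%s\n' "$1" | awk '$2 == "has" && $3 == "address" { print $4 }' | LC_ALL=C sort -u
}

# Emit one ACCEPT rule per address read from stdin (outbound HTTP to a mirror).
mirror_rules() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        printf 'iptables -A CLAMAV_OUT -d %s -p tcp --dport 80 -j ACCEPT\n' "$ip"
    done
}

# Parse resolv.conf text given as $1 and emit rules allowing DNS only to the
# listed nameservers: the TXT query for current.cvd.clamav.net is answered by
# the system resolver, so no wider 53 rule is needed.
resolver_rules() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }' | LC_ALL=C sort -u |
    while read -r ns; do
        [ -n "$ns" ] || continue
        printf 'iptables -A CLAMAV_OUT -d %s -p udp --dport 53 -j ACCEPT\n' "$ns"
        printf 'iptables -A CLAMAV_OUT -d %s -p tcp --dport 53 -j ACCEPT\n' "$ns"
    done
}

# Compare last run's address list ($1) with the current one ($2), both given
# as newline-separated strings; print "+ip" for new mirrors, "-ip" for dropped.
# Any output is the signal that the rule set must be regenerated (and, if you
# want, mailed to whoever watches the firewall).
diff_ips() {
    old=$(mktemp) && new=$(mktemp) || return 1
    printf '%s\n' "$1" | LC_ALL=C sort -u > "$old"
    printf '%s\n' "$2" | LC_ALL=C sort -u > "$new"
    LC_ALL=C comm -13 "$old" "$new" | sed 's/^/+/'
    LC_ALL=C comm -23 "$old" "$new" | sed 's/^/-/'
    rm -f "$old" "$new"
}

# --- Constructed sample data (stands in for live command output) ------------
# The four addresses `host db.ca.clamav.net` returned in the thread.
SAMPLE_HOST='db.ca.clamav.net has address 208.70.244.158
db.ca.clamav.net has address 24.215.0.24
db.ca.clamav.net has address 128.177.8.248
db.ca.clamav.net has address 200.236.31.1'

# Allow-list saved by a previous run (constructed): one address has since
# been rotated out of the pool and two new ones have appeared.
SAMPLE_PREVIOUS='24.215.0.24
198.51.100.7
208.70.244.158'

# Constructed resolv.conf; in production use "$(cat /etc/resolv.conf)".
SAMPLE_RESOLV='search example.net
nameserver 192.0.2.53
nameserver 192.0.2.54'

demo() {
    current=$(mirror_ips "$SAMPLE_HOST")
    echo "# mirror changes since last run:"
    diff_ips "$SAMPLE_PREVIOUS" "$current"
    echo "# rules to load:"
    printf '%s\n' "$current" | mirror_rules
    resolver_rules "$SAMPLE_RESOLV"
}

# From cron the same flow is: current=$(mirror_ips "$(host db.ca.clamav.net)"),
# diff against the saved list, and only rewrite the chain when diff_ips prints.
demo
```

Running it prints the change report for the constructed data (two added mirrors, one dropped) followed by the rules for the four current mirrors and the two resolvers. The same check works for database.clamav.net, but since that name is the rotating worldwide pool the diff will fire far more often than for db.ca.clamav.net, which is a reason to keep only the regional mirror line in freshclam.conf.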