On Oct 11, 2013, at 1:44 PM, Michael Mather <[email protected]> wrote:
> On Fri, 2013-10-11 at 12:57 -0700, Al Varnell wrote:
>> I believe the network guru for Sourcefire/ClamAV® is still Ryan Steinmetz
>> <[email protected]>.
>>
>> On Oct 11, 2013, at 12:33 PM, Michael Mather <[email protected]>
>> wrote:
>>> I want freshclam to get its updates through a firewall, and I want just
>>> a few specific IP addresses open for this purpose.
>>>
>>> Being in Canada, I propose to code the following lines in
>>> freshclam.conf:
>>>
>>> DatabaseMirror 24.215.0.24
>>> DatabaseMirror 208.70.244.158
>>>
>>> and open those addresses on the firewall.
>>>
>>> Q1: Is that good, or should I have more addresses?
>>
>> Looks like you are missing at least a couple:
>>
>> $ host db.ca.clamav.net
>> db.ca.clamav.net has address 208.70.244.158
>> db.ca.clamav.net has address 24.215.0.24
>> db.ca.clamav.net has address 128.177.8.248
>> db.ca.clamav.net has address 200.236.31.1
>>
>> Not sure how it works in Canada, but in the US the list is in constant
>> rotation with six out of seventeen IP's being used at any one time, some
>> being off-shore since there isn't enough capacity from US mirrors.
>
> I would not like to have 17 IPs opened in the firewall.
> Maybe Canada just has the four.
>
> I left out the other two because they are not in Canada (NY & Brazil),
> but your explanation is useful. I will put them back in.
>
> In fact, I now think the config file should have
> DatabaseMirror db.ca.clamav.net
> and the firewall should have those four IPs open.
>
> But that still leaves a question with:
> DatabaseMirror database.clamav.net

database.clamav.net is an alias for db.local.clamav.net.
db.local.clamav.net is an alias for db.ca.clamav.net.

>>> Q2: How can I anticipate either of those addresses no longer being a
>>> mirror, so that I can make changes?
>>
>> I think you'd need an in with the mirror administrator. I've never seen any
>> traffic on what goes on behind the scenes with the 119 sites in 44 regions
>> other than <http://www.clamav.net/mirrors.html> and even that isn't always
>> completely up-to-date.
>
> I would rather have something automatic than rely on an administrator
> remembering to do a favour at some future date.
>
>>> Q3: What to do about the line:
>>> DNSDatabaseInfo current.cvd.clamav.net
>>
>> Open port 53/tcp.
>
> Well, if I open that with no destination address mentioned, that is the
> huge hole I am trying to avoid.

The destination is whatever DNS you or your ISP uses, which should already be open. All that is required is to query "host -t txt current.cvd.clamav.net" to find out what the latest version numbers are.

-Al-
-- 
Al Varnell
Mountain View, CA
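Q2 in the thread asks for an automatic way to notice when the mirror addresses change. The script below is an added example, not part of the thread or of ClamAV: it compares a firewall allowlist against the current A records for the mirror hostname and exits non-zero on drift, so it can run from cron. The function names are hypothetical, and the allowlist is just the four addresses quoted in the 2013 `host` output above.

```python
#!/usr/bin/env python3
"""Report drift between a firewall allowlist and a mirror hostname's A records."""
import socket
import sys

MIRROR = "db.ca.clamav.net"  # hostname discussed in the thread
# Addresses quoted in the thread's `host` output; treat them as sample data.
ALLOWLIST = {"208.70.244.158", "24.215.0.24", "128.177.8.248", "200.236.31.1"}


def resolve_a(hostname):
    """Return the set of IPv4 addresses the system resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, 80, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def mirror_drift(allowlist, resolved):
    """Split the difference into addresses to open and openings to review."""
    allowlist, resolved = set(allowlist), set(resolved)
    return {
        # In DNS but blocked: freshclam may fail when it picks one of these.
        "missing_from_firewall": sorted(resolved - allowlist),
        # Open on the firewall but no longer published: candidate for removal.
        "no_longer_in_dns": sorted(allowlist - resolved),
    }


def check(hostname=MIRROR, allowlist=ALLOWLIST, resolver=resolve_a):
    """Return (exit_code, report): 0 = in sync, 1 = drift, 2 = lookup failed."""
    try:
        resolved = resolver(hostname)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return 2, {"error": f"cannot resolve {hostname}: {exc}"}
    drift = mirror_drift(allowlist, resolved)
    return (1 if any(drift.values()) else 0), drift


if __name__ == "__main__":
    code, report = check()
    for key, value in report.items():
        print(f"{key}: {value}")
    sys.exit(code)
```

Where the published list rotates, as described for the US mirrors, a single lookup shows only part of the pool, so confirm a `no_longer_in_dns` entry over several runs before closing that address.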
