Thanks Al and Charles for your help.
Here is what I think I have learned.
1. I will run freshclam on a DMZ host and pull updates from there.
2. On the DMZ host, I will have just one DatabaseMirror line in
freshclam.conf:
DatabaseMirror db.ca.clamav.net
and open those 4 IPs in the firewall.
(208.70.244.158, 24.215.0.24, 128.177.8.248, 200.236.31.1)
3. I will write a program which will run
host db.ca.clamav.net
occasionally and report if there is any change in those 4 IPs.
(I will have to be careful that a change in their order
does not count as a change.)
Then the firewall can be changed manually.
Until it is changed, the IPs that are still valid
will have to suffice.
4. current.cvd.clamav.net is not a familiar kind of DNS entry.
If you try host/nslookup/dig current.cvd.clamav.net,
they don't find anything.
But host -t txt current.cvd.clamav.net
returns a string which is currently
"0.98:55:17956:1381530654:1:63:41065:228"
Apparently that tells freshclam whether there is an update
available. Doing that with DNS is very clever.
5. So freshclam.conf can keep the line
DNSDatabaseInfo current.cvd.clamav.net
and nothing needs to be opened in the firewall, because
6. port 53/tcp is already open to the destination IP of our DNS server.
I knew that.
Michael
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
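The two lookups described in the post, as an added example that is not part of the thread or of ClamAV itself: an order-insensitive check of the db.ca.clamav.net A records against the four IPs opened in the firewall, and a parser for the current.cvd.clamav.net TXT record. The TXT field positions and the three-hour freshness window are my reading of the freshclam source and are an assumption to verify against your own version.

```python
import subprocess
import time

# The four mirror IPs from the post, as opened in the firewall.
KNOWN_IPS = frozenset({"208.70.244.158", "24.215.0.24",
                       "128.177.8.248", "200.236.31.1"})


def parse_host_output(text):
    """Collect the A records from `host NAME` output ("NAME has address IP" lines)."""
    ips = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1:3] == ["has", "address"]:
            ips.add(parts[3])
    return ips


def diff_ips(current, known):
    """Order-insensitive comparison: (added, removed), each a sorted tuple.
    A reshuffled answer with the same four addresses yields ((), ())."""
    return tuple(sorted(current - known)), tuple(sorted(known - current))


def check_mirror(name="db.ca.clamav.net", known=KNOWN_IPS):
    """Run `host NAME` for real and report which IPs appeared or vanished."""
    out = subprocess.run(["host", name], capture_output=True, text=True, check=False).stdout
    return diff_ips(parse_host_output(out), known)


def parse_dns_info(txt, now=None, max_age=3 * 3600):
    """Split the DNSDatabaseInfo TXT record into the fields freshclam reads.
    Assumed layout (from my reading of freshclam's source, verify for your
    version): 0 = latest ClamAV release, 1 = main.cvd version,
    2 = daily.cvd version, 3 = Unix timestamp; a record older than
    roughly three hours is treated as stale."""
    f = txt.strip('"').split(":")
    stamp = int(f[3])
    age = (time.time() if now is None else now) - stamp
    return {"clamav": f[0], "main": int(f[1]), "daily": int(f[2]),
            "stamp": stamp, "fresh": age <= max_age}


# Constructed sample `host` output: the same four IPs in a different order.
SAMPLE_HOST_OUTPUT = """db.ca.clamav.net has address 24.215.0.24
db.ca.clamav.net has address 200.236.31.1
db.ca.clamav.net has address 208.70.244.158
db.ca.clamav.net has address 128.177.8.248
"""

if __name__ == "__main__":
    print(diff_ips(parse_host_output(SAMPLE_HOST_OUTPUT), KNOWN_IPS))
    print(parse_dns_info("0.98:55:17956:1381530654:1:63:41065:228"))
```

Run `check_mirror()` from cron on the DMZ host and alert on any non-empty tuple; the firewall rule is then updated by hand, as the post describes.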