Re: [clamav-users] [OT] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!

2021-07-30 Thread Paul Kosinski via clamav-users
On Thu, 29 Jul 2021 23:33:02 +0100 (BST)
"G.W. Haywood via clamav-users" wrote:

> Hi there,
> 
> On Thu, 29 Jul 2021, Paul Kosinski via clamav-users wrote:
> 
> > ... do any firewall distros address inter-LAN filtering?  
> 
> We're well off-topic here so I think we should stop this now, but I
> thought most of them do.  What you describe is what I think they
> usually call a 'DMZ', very often 'ORANGE', where the LAN is 'GREEN'
> and the public Internet 'RED'.

As I understand it, a DMZ is usually where servers sit, to be accessed *from* 
the Internet, and thus must allow inbound TCP connections. What I'm talking about 
is where client computers that are not fully trusted sit: running closed source 
Linux code (e.g., for DRM-ed movies) which might try probing nearby computers 
on the same LAN.


___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] [OT] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!

2021-07-29 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 29 Jul 2021, Paul Kosinski via clamav-users wrote:

> ... do any firewall distros address inter-LAN filtering?

We're well off-topic here so I think we should stop this now, but I
thought most of them do.  What you describe is what I think they
usually call a 'DMZ', very often 'ORANGE', where the LAN is 'GREEN'
and the public Internet 'RED'.

--

73,
Ged.



Re: [clamav-users] [OT] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!

2021-07-29 Thread Gene Heskett via clamav-users
On Thursday 29 July 2021 14:45:28 G.W. Haywood via clamav-users wrote:

> Hi there,
>
> On Thu, 29 Jul 2021, Paul Kosinski via clamav-users wrote:
> > My current firewall, which also does inter-LAN routing with iptables
> > filtering, has six (6) gigabit Ethernet ports on it (including one
> > 4-port Intel card in a PCIe-x4 slot). Which model Raspberry Pi
> > should I use?
>
> From my experience I would say avoid the 4B if you value stability.

From here, and I'm running a linuxcnc buildbot on my 2gig 4b, all it 
needs is adequate cooling, in my case the 4 little bitty heat sinks AND 
a stolen 12 volt video card fan running on 5 volts blowing rather 
leisurely on them.  And it runs from power outage to power outage, which 
I have to create by shutting off the power strip it's running on as I 
have a standby that starts in about 4 seconds, and it's on a 650 WA UPS 
with a 2 minute shutdown I can't change.

It just works. For months and months.

> You'd probably want to use USB-Ethernet adaptors.  You could have more
> or less as many as you like.  I'm using Ethernet over USB with several
> little Pi Zeros.  No actual physical Ethernet hardware, but a network
> stack etc. in the applications.  The Zero has no Ethernet port at all
> but some of the things we're running on them expect you to have one.
> You can comfortably watch movies on the Pi Zero.  It's amazing such a
> tiny thing can do that, at least it is when you're as old as I am and
> the first CPU you actually handled was a 1MHz (ONE MegaHertz) Motorola
> 6800, and you had to wear ear defenders for programming it via ASR33.
>
> Without knowing more about the performance you'd need I couldn't say
> whether one Pi or another would do the job, but unless you're a very
> heavy user of bandwidth I'd be surprised if you'd stress the quad core
> 1.4 GHz CPU of a Pi 3B+ in a firewall just filtering packets.  To be
> honest, the few times that I've run CPU stats on my firewalls, the CPU
> usage has been so low that it hasn't really made an impression.  I've
> just checked our perimeter firewall, CPU is hovering about 99.6% idle.
> As I said this isn't a Pi, it's an ALIX board which is a single-core,
> 32 bit AMD 'Geode' at 500MHz.  Never seen one crash.
>
> Straying back somewhere near the topic, I think you'd need the Pi4B
> with probably 4G of RAM to run clamd or clamscan.  I run clamd on one
> but that's all it does.  It crashes occasionally, last time was 6.5
> days ago.  My money's on power supply problems.  I don't think it's
> temperature related, it was running at about 65C when it crashed last,
> it redlines at 85C.  It's supposed to throttle itself when it gets up
> there but I haven't done any real stress testing like I have with some
> other devices.  Most of our 4Bs are in at least 50% glazed offices and
> despite being in England it can get very warm in there sometimes.  In
> summer they're often operating in the 70s without any trouble.  We fit
> the CPUs with heat sinks, but no fan.
>
> You might be able to run a local ClamAV mirror with only a Pi 3B+ with
> its roughly 850M available RAM - I'll give that a try someday.


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: [clamav-users] [OT] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!

2021-07-29 Thread Paul Kosinski via clamav-users
On Wed, 28 Jul 2021 12:53:38 +0100 (BST)
"G.W. Haywood via clamav-users" wrote:

> I'd recommend not using any big distro for your perimeter firewall.
> I use one of the purpose-built stripped-down firewall distributions.

"..our home firewall and gateway -- with iptables, multi-LAN routing (with 
local DNS), a bit of bridging, encrypted tunnels to elsewhere, etc."
I forgot to mention that it also logs to disk all Internet traffic, which is 
handy for occasional historical analysis of events via Wireshark. As far as 
being stripped down goes, the firewall/gateway has no X-windows stuff at all 
installed.

I think stripped-down distros are often too focused. And from what I've seen of 
some common firewalls, they're too simple-minded (e.g. firewalld), perhaps 
aimed at people who are terrified of the command line. (I personally found the 
CLI to be a great improvement over punched cards, just as the GUI is a 
wonderful improvement for many -- but not all -- tasks.) Also, Debian, being a 
major distro which is the basis for Ubuntu and others, has long been very 
reliable in providing security and bug fixes. How many smaller distros are as 
future-proof?

Finally, do any firewall distros address inter-LAN filtering? We have two major 
LANs, Black and Red. Black is the trusted LAN, while Red is for Internet TV 
etc. (on physically separate computers, of course). Red can access the Internet 
but is not allowed access to Black. Black has limited access to Red (for SSH, 
VNC and the like). Both are firewalled from the Internet (with Red a bit less 
so).




Re: [clamav-users] [OT] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!

2021-07-29 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 29 Jul 2021, Paul Kosinski via clamav-users wrote:

> My current firewall, which also does inter-LAN routing with iptables
> filtering, has six (6) gigabit Ethernet ports on it (including one
> 4-port Intel card in a PCIe-x4 slot). Which model Raspberry Pi
> should I use?

From my experience I would say avoid the 4B if you value stability.


You'd probably want to use USB-Ethernet adaptors.  You could have more
or less as many as you like.  I'm using Ethernet over USB with several
little Pi Zeros.  No actual physical Ethernet hardware, but a network
stack etc. in the applications.  The Zero has no Ethernet port at all
but some of the things we're running on them expect you to have one.
You can comfortably watch movies on the Pi Zero.  It's amazing such a
tiny thing can do that, at least it is when you're as old as I am and
the first CPU you actually handled was a 1MHz (ONE MegaHertz) Motorola
6800, and you had to wear ear defenders for programming it via ASR33.

Without knowing more about the performance you'd need I couldn't say
whether one Pi or another would do the job, but unless you're a very
heavy user of bandwidth I'd be surprised if you'd stress the quad core
1.4 GHz CPU of a Pi 3B+ in a firewall just filtering packets.  To be
honest, the few times that I've run CPU stats on my firewalls, the CPU
usage has been so low that it hasn't really made an impression.  I've
just checked our perimeter firewall, CPU is hovering about 99.6% idle.
As I said this isn't a Pi, it's an ALIX board which is a single-core,
32 bit AMD 'Geode' at 500MHz.  Never seen one crash.

Straying back somewhere near the topic, I think you'd need the Pi4B
with probably 4G of RAM to run clamd or clamscan.  I run clamd on one
but that's all it does.  It crashes occasionally, last time was 6.5
days ago.  My money's on power supply problems.  I don't think it's
temperature related, it was running at about 65C when it crashed last,
it redlines at 85C.  It's supposed to throttle itself when it gets up
there but I haven't done any real stress testing like I have with some
other devices.  Most of our 4Bs are in at least 50% glazed offices and
despite being in England it can get very warm in there sometimes.  In
summer they're often operating in the 70s without any trouble.  We fit
the CPUs with heat sinks, but no fan.

You might be able to run a local ClamAV mirror with only a Pi 3B+ with
its roughly 850M available RAM - I'll give that a try someday.

--

73,
Ged.



Re: [clamav-users] [OT] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!

2021-07-29 Thread Paul Kosinski via clamav-users
On Wed, 28 Jul 2021 23:31:05 +1000
"Gary R. Schmidt" wrote:

> I second what Ged is saying here, for firewalls and so on the Raspberry 
> Pi and its ilk are a much better choice than a full-on system, they use 
> /much/ less power, and keeping a spare or three isn't a board- (or 
> wife-) level budget request.  :-)

My current firewall, which also does inter-LAN routing with iptables filtering, 
has six (6) gigabit Ethernet ports on it (including one 4-port Intel card in a 
PCIe-x4 slot). Which model Raspberry Pi should I use?

P.S. I could make do with 5 ports, as my second WAN (a static IP, but slow, 
DSL) was discontinued in late 2019.




Re: [clamav-users] [OT] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!

2021-07-28 Thread Gary R. Schmidt

On 28/07/2021 21:53, G.W. Haywood via clamav-users wrote:

> Hi Paul,
>
> On Wed, 28 Jul 2021, Paul Kosinski via clamav-users wrote:
>
>> In my case, I can't simply upgrade to the latest Debian (or any
>> other distro), as one of the systems is our home firewall and
>> gateway -- with iptables, multi-LAN routing (with local DNS), a bit
>> of bridging, encrypted tunnels to elsewhere, etc. This means we
>> would lose *all* Internet connectivity for who knows how long if I
>> tried an in-place upgrade.
>
> I'd recommend not using any big distro for your perimeter firewall.
> I use one of the purpose-built stripped-down firewall distributions.
> The maintenance needed on it is minimal, and it doesn't prevent you
> from having firewalls on other machines too.  To get to *any* of our
> servers from outside, packets must traverse at least three firewalls.
>
>> So the only way to move forward seems to be to rebuild our system on
>> separate hardware. I have started this on hardware I already mainly
>> have (being retired, and thus without corporate budget or staff).
>
> One of the slightly unexpected benefits of using things like the
> Raspberry Pi is that you can have a few of them kicking around which
> are surplus to requirements and just fire one up as and when needed.


I second what Ged is saying here, for firewalls and so on the Raspberry 
Pi and its ilk are a much better choice than a full-on system, they use 
/much/ less power, and keeping a spare or three isn't a board- (or 
wife-) level budget request.  :-)


I still like a full-on machine for handling email, but that's because I 
run Panda-IMAP, which is probably the closest thing to a "reference" 
IMAP implementation we will ever see, and I can do far more clever 
things with disks and SANs when needed.


Cheers,
GaryB-)

P.S.  Yes, I know I said good-bye, but I am interested in the fall-out 
of the recent decisions made about ClamAV.  (And I like to laugh at the, 
"I haven't been able to download...", posts.  :-) )




Re: [clamav-users] [OT] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!

2021-07-28 Thread G.W. Haywood via clamav-users

Hi Paul,

On Wed, 28 Jul 2021, Paul Kosinski via clamav-users wrote:

> In my case, I can't simply upgrade to the latest Debian (or any
> other distro), as one of the systems is our home firewall and
> gateway -- with iptables, multi-LAN routing (with local DNS), a bit
> of bridging, encrypted tunnels to elsewhere, etc. This means we
> would lose *all* Internet connectivity for who knows how long if I
> tried an in-place upgrade.

I'd recommend not using any big distro for your perimeter firewall.
I use one of the purpose-built stripped-down firewall distributions.
The maintenance needed on it is minimal, and it doesn't prevent you
from having firewalls on other machines too.  To get to *any* of our
servers from outside, packets must traverse at least three firewalls.

> So the only way to move forward seems to be to rebuild our system on
> separate hardware. I have started this on hardware I already mainly
> have (being retired, and thus without corporate budget or staff).

One of the slightly unexpected benefits of using things like the
Raspberry Pi is that you can have a few of them kicking around which
are surplus to requirements and just fire one up as and when needed.
It's really easy to image a micro-SD card, tweak a few settings and
plug it in.  I'm tempted to say that it's easier than spinning up a
virtual machine, although bad experience of the Pi4B's stability is
the main reason that we haven't moved a half-dozen VMs to Pi4Bs; we
still run a VM server.  The other Pis don't seem to have the issues
with stability that the 4B has.  That's several years of experience
using dozens of them running 24/365 for all kinds of tasks including
database, file and backup servers, intranet, mail, security including
CCTV, and of course desktop use.

> Finally, building this new system is made even more difficult by the
> fact that iptables has recently been replaced by nftables, whose
> native syntax has been "improved" to be quite different. There is,
> at least, a legacy iptables interface to it ...

Like you I've been a bit perplexed by nft.  My milters write firewall
rules on the fly, and at one time I thought I'd need to recode a few
chunks to keep up with the Netfilter developments.  After spending a
while looking into it and chatting on the netfilter mailing list with
people much more familiar with nft than I, it seems that while there
are some efficiency improvements for writing complex rulesets, if you
don't feel the need for them you can just ignore it and carry on with
what they're calling 'iptables-legacy' as if nothing's happened.  For
the foreseeable future, that's what I'll be doing.  I can write rules
with iptables in my sleep, I frequently modify rulesets 'live' on the
servers, but I don't think I could write the simplest rule with nft
and get it right first time and I wouldn't dream of doing it live on
the box without testing it first.

> P.S. The last time I upgraded our firewall, from x86 to x86_64, at
> least iptables was quite compatible with ipchains, and Linux as a
> whole was still in the early stages of its exponential growth in
> complexity.

As I understand it the underlying kernel structures and capabilities
are not changed with nftables.  Both the 'iptables' and 'nft' binaries
operate on the same structures and filtering takes place in the same
places.  So there's less incompatibility between nft and iptables than
there was between iptables and ipchains.  See for example:

https://www-uxsup.csx.cam.ac.uk/pub/doc/redhat/redhat7.3/rhl-rg-en-7.3/s1-iptables-differences.html

HTH

--

73,
Ged.
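As an added example (not any poster's actual configuration): the Black/Red inter-LAN policy Paul describes earlier in the thread (Red reaches the Internet but never Black; Black reaches Red only for SSH and VNC), written in the native nft syntax Ged says he finds hard to get right first time. The interface names black0, red0 and wan0, the VNC port range, and the use of an inet-family NAT table (needs Linux 5.2 or later) are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: two-LAN policy (trusted "Black", untrusted "Red") as an
# nftables ruleset.  Interface names are assumptions, not from the thread.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # The gateway runs local DNS for both LANs
        iifname { "black0", "red0" } udp dport 53 accept
        iifname { "black0", "red0" } tcp dport 53 accept
        # Management of the firewall itself only from the trusted LAN
        iifname "black0" tcp dport 22 accept
        # Ping from the LANs helps troubleshooting; nothing is open from WAN
        iifname { "black0", "red0" } icmp type echo-request accept
        iifname { "black0", "red0" } icmpv6 type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Red must never initiate towards Black.  Log (rate-limited) before
        # dropping, so a Red box probing Black is visible in the logs.
        iifname "red0" oifname "black0" limit rate 10/minute log prefix "red-to-black: "
        iifname "red0" oifname "black0" drop
        # Black may initiate to Red only for SSH and VNC (port range assumed)
        iifname "black0" oifname "red0" tcp dport { 22, 5900-5910 } accept
        # Both LANs may reach the Internet; replies return via ct state above
        iifname { "black0", "red0" } oifname "wan0" accept
    }
}

table inet nat {
    # NAT in the inet family needs Linux 5.2 or later; older kernels
    # need a separate "table ip nat" instead.
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

Check the file with `nft -c -f <file>` before applying it with `nft -f <file>`; `nft list ruleset` then shows what the kernel actually loaded.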
