[clamav-users] Freshclam updates through a firewall
Michael Mather
2013-10-11 19:33:22 UTC
I want freshclam to get its updates through a firewall, and I want just
a few specific IP addresses open for this purpose.

Being in Canada, I propose to code the following lines in
freshclam.conf:

DatabaseMirror 24.215.0.24
DatabaseMirror 208.70.244.158

and open those addresses on the firewall.

Q1: Is that good, or should I have more addresses?

Q2: How can I anticipate either of those addresses no longer being a
mirror, so that I can make changes?

Q3: What to do about the line:
DNSDatabaseInfo current.cvd.clamav.net

Thanks - Michael



_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
Al Varnell
2013-10-11 19:57:52 UTC
Post by Michael Mather
I want freshclam to get its updates through a firewall, and I want just
a few specific IP addresses open for this purpose.
Being in Canada, I propose to code the following lines in
DatabaseMirror 24.215.0.24
DatabaseMirror 208.70.244.158
and open those addresses on the firewall.
Q1: Is that good, or should I have more addresses?
Looks like you are missing at least a couple:

$ host db.ca.clamav.net
db.ca.clamav.net has address 208.70.244.158
db.ca.clamav.net has address 24.215.0.24
db.ca.clamav.net has address 128.177.8.248
db.ca.clamav.net has address 200.236.31.1

Not sure how it works in Canada, but in the US the list is in constant rotation with six out of seventeen IPs being used at any one time, some being off-shore since there isn't enough capacity from US mirrors.
Post by Michael Mather
Q2: How can I anticipate either of those addresses no longer being a
mirror, so that I can make changes?
I think you'd need an in with the mirror administrator. I've never seen any traffic on what goes on behind the scenes with the 119 sites in 44 regions other than <http://www.clamav.net/mirrors.html> and even that isn't always completely up-to-date.
Post by Michael Mather
DNSDatabaseInfo current.cvd.clamav.net
Open port 53/tcp.


-Al-
--
Al Varnell
Mountain View, CA



Michael Mather
2013-10-11 20:44:43 UTC
Post by Al Varnell
Post by Michael Mather
I want freshclam to get its updates through a firewall, and I want just
a few specific IP addresses open for this purpose.
Being in Canada, I propose to code the following lines in
DatabaseMirror 24.215.0.24
DatabaseMirror 208.70.244.158
and open those addresses on the firewall.
Q1: Is that good, or should I have more addresses?
$ host db.ca.clamav.net
db.ca.clamav.net has address 208.70.244.158
db.ca.clamav.net has address 24.215.0.24
db.ca.clamav.net has address 128.177.8.248
db.ca.clamav.net has address 200.236.31.1
Not sure how it works in Canada, but in the US the list is in constant rotation with six out of seventeen IPs being used at any one time, some being off-shore since there isn't enough capacity from US mirrors.
I would not like to have 17 IPs opened in the firewall.
Maybe Canada just has the four.

I left out the other two because they are not in Canada (NY & Brazil),
but your explanation is useful. I will put them back in.

In fact, I now think the config file should have
DatabaseMirror db.ca.clamav.net
and the firewall should have those four IPs open.

But that still leaves a question with:
DatabaseMirror database.clamav.net
Post by Al Varnell
Post by Michael Mather
Q2: How can I anticipate either of those addresses no longer being a
mirror, so that I can make changes?
I think you'd need an in with the mirror administrator. I've never seen any traffic on what goes on behind the scenes with the 119 sites in 44 regions other than <http://www.clamav.net/mirrors.html> and even that isn't always completely up-to-date.
I would rather have something automatic than rely on an administrator
remembering to do a favour at some future date.
Post by Al Varnell
Post by Michael Mather
DNSDatabaseInfo current.cvd.clamav.net
Open port 53/tcp.
Well, if I open that with no destination address mentioned, that is the
huge hole I am trying to avoid.
Post by Al Varnell
-Al-
Al Varnell
2013-10-11 20:53:13 UTC
Post by Michael Mather
Post by Al Varnell
Post by Michael Mather
I want freshclam to get its updates through a firewall, and I want just
a few specific IP addresses open for this purpose.
Being in Canada, I propose to code the following lines in
DatabaseMirror 24.215.0.24
DatabaseMirror 208.70.244.158
and open those addresses on the firewall.
Q1: Is that good, or should I have more addresses?
$ host db.ca.clamav.net
db.ca.clamav.net has address 208.70.244.158
db.ca.clamav.net has address 24.215.0.24
db.ca.clamav.net has address 128.177.8.248
db.ca.clamav.net has address 200.236.31.1
Not sure how it works in Canada, but in the US the list is in constant rotation with six out of seventeen IPs being used at any one time, some being off-shore since there isn't enough capacity from US mirrors.
I would not like to have 17 IPs opened in the firewall.
Maybe Canada just has the four.
I left out the other two because they are not in Canada (NY & Brazil),
but your explanation is useful. I will put them back in.
In fact, I now think the config file should have
DatabaseMirror db.ca.clamav.net
and the firewall should have those four IPs open.
DatabaseMirror database.clamav.net
database.clamav.net is an alias for db.local.clamav.net.
db.local.clamav.net is an alias for db.ca.clamav.net.
Post by Michael Mather
Post by Al Varnell
Post by Michael Mather
Q2: How can I anticipate either of those addresses no longer being a
mirror, so that I can make changes?
I think you'd need an in with the mirror administrator. I've never seen any traffic on what goes on behind the scenes with the 119 sites in 44 regions other than <http://www.clamav.net/mirrors.html> and even that isn't always completely up-to-date.
I would rather have something automatic than rely on an administrator
remembering to do a favour at some future date.
Post by Al Varnell
Post by Michael Mather
DNSDatabaseInfo current.cvd.clamav.net
Open port 53/tcp.
Well, if I open that with no destination address mentioned, that is the
huge hole I am trying to avoid.
The destination is whatever DNS you or your ISP uses, which should already be open. All that is required is to query "host -t txt current.cvd.clamav.net" to find out what the latest version numbers are.


-Al-
--
Al Varnell
Mountain View, CA



Charles Swiger
2013-10-11 21:04:42 UTC
Post by Michael Mather
I want freshclam to get its updates through a firewall, and I want just
a few specific IP addresses open for this purpose.
OK. Best way is probably to run freshclam on a DMZ host with limited but functional
network access, and then have your secure internal hosts pull updates from that box.
Post by Michael Mather
Being in Canada, I propose to code the following lines in
DatabaseMirror 24.215.0.24
DatabaseMirror 208.70.244.158
and open those addresses on the firewall.
Q1: Is that good, or should I have more addresses?
You shouldn't hardcode IPs which do not belong to you into configs.
Post by Michael Mather
Q2: How can I anticipate either of those addresses no longer being a
mirror, so that I can make changes?
One cannot, at least not without coordinating with the owner of that IP.
Post by Michael Mather
DNSDatabaseInfo current.cvd.clamav.net
Make sure DNS is working properly? For sufficiently paranoid setups, a local
caching-only DNS server acting for your internal clients is better than
permitting more open DNS access.

Regards,
--
-Chuck

Michael Mather
2013-10-11 23:32:21 UTC
Thanks Al and Charles for your help.
Here is what I think I have learned.

1. I will run freshclam on a DMZ host and pull updates from there.

2. On the DMZ host, I will have just one DatabaseMirror line in
freshclam.conf:
DatabaseMirror db.ca.clamav.net
and open those 4 IPs in the firewall.
(208.70.244.158, 24.215.0.24, 128.177.8.248, 200.236.31.1)

3. I will write a program which will run
host db.ca.clamav.net
occasionally and report if there is any change in those 4 IPs.
(I will have to be careful that a change in their order
does not count as a change.)
Then the firewall can be changed manually.
Until it is changed, the IPs that are still valid
will have to suffice.

4. current.cvd.clamav.net is not a familiar kind of DNS entry.
If you try host/nslookup/dig current.cvd.clamav.net,
they don't find anything.
But host -t txt current.cvd.clamav.net
returns a string which is currently
"0.98:55:17956:1381530654:1:63:41065:228"
Apparently that tells freshclam whether there is an update
available. Doing that with DNS is very clever.

5. So freshclam.conf can keep the line
DNSDatabaseInfo current.cvd.clamav.net
and nothing needs to be opened in the firewall, because

6. port 53/tcp is already open to the destination IP of our DNS server.
I knew that.

Michael


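Steps 3 and 4 of the summary above describe a small monitoring job: re-resolve db.ca.clamav.net, compare the result with the four firewall-allowed addresses without treating a change in order as a change, and decode the colon-separated TXT record at current.cvd.clamav.net. The following Python script is an added example written for this thread; it is not code from any of the participants or from the ClamAV project. It assumes the `host` output format shown earlier in the thread, and it names only the first four TXT fields (latest ClamAV release, main.cvd version, daily.cvd version, Unix timestamp) as freshclam uses them, leaving the remaining fields uninterpreted. The sample `host` output and TXT line embedded below are constructed for offline use, with one mirror address swapped for a TEST-NET address so the comparison has something to report.

```python
from __future__ import annotations

import ipaddress
import re
import subprocess
from typing import NamedTuple

# Step 2: the four addresses the thread opens on the firewall for db.ca.clamav.net.
ALLOWED_MIRRORS: frozenset[str] = frozenset(
    {"208.70.244.158", "24.215.0.24", "128.177.8.248", "200.236.31.1"}
)

# Constructed sample of `host db.ca.clamav.net` output (not a real lookup):
# the thread's records reordered, with 128.177.8.248 replaced by a TEST-NET
# address so the comparison below has something to report.
SAMPLE_HOST_OUTPUT = """\
db.ca.clamav.net has address 24.215.0.24
db.ca.clamav.net has address 208.70.244.158
db.ca.clamav.net has address 200.236.31.1
db.ca.clamav.net has address 192.0.2.10
"""

# Constructed sample of `host -t txt current.cvd.clamav.net` output, wrapping
# the record value quoted in step 4 of the thread.
SAMPLE_TXT_OUTPUT = (
    'current.cvd.clamav.net descriptive text '
    '"0.98:55:17956:1381530654:1:63:41065:228"\n'
)

_ADDR_RE = re.compile(r"^\S+ has (?:IPv6 )?address (\S+)$")
_TXT_RE = re.compile(r'"([^"]*)"')


def parse_host_addresses(output: str) -> frozenset[str]:
    """Collect the A/AAAA addresses from `host` output as a set.

    A set is what makes step 3's "a change in order is not a change" hold:
    only membership is compared, never position.
    """
    addrs = set()
    for line in output.splitlines():
        m = _ADDR_RE.match(line.strip())
        if m:
            # ip_address() both validates and canonicalises the text form.
            addrs.add(str(ipaddress.ip_address(m.group(1))))
    return frozenset(addrs)


class MirrorDiff(NamedTuple):
    added: frozenset[str]    # returned by DNS now, not yet open on the firewall
    removed: frozenset[str]  # open on the firewall, no longer returned by DNS


def diff_mirrors(current: frozenset[str],
                 allowed: frozenset[str] = ALLOWED_MIRRORS) -> MirrorDiff:
    """Report what the firewall administrator would need to add or retire."""
    return MirrorDiff(frozenset(current - allowed), frozenset(allowed - current))


class CvdInfo(NamedTuple):
    clamav_version: str     # field 0: latest ClamAV release
    main_version: int       # field 1: main.cvd version
    daily_version: int      # field 2: daily.cvd version
    timestamp: int          # field 3: Unix time the record was published
    extra: tuple[str, ...]  # remaining fields, left uninterpreted here


def parse_cvd_txt(txt: str) -> CvdInfo:
    """Decode the colon-separated current.cvd.clamav.net TXT record.

    Accepts either the bare record value or a full `host -t txt` output line.
    """
    m = _TXT_RE.search(txt)
    value = m.group(1) if m else txt.strip()
    fields = value.split(":")
    if len(fields) < 4:
        raise ValueError(f"unexpected TXT record: {value!r}")
    return CvdInfo(fields[0], int(fields[1]), int(fields[2]), int(fields[3]),
                   tuple(fields[4:]))


def daily_update_available(txt: str, local_daily_version: int) -> bool:
    """True when the advertised daily.cvd is newer than the local copy."""
    return parse_cvd_txt(txt).daily_version > local_daily_version


def _run(cmd: list[str]) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Live use on a box with `host` installed; a cron job would call these.
    diff = diff_mirrors(parse_host_addresses(_run(["host", "db.ca.clamav.net"])))
    if diff.added or diff.removed:
        print(f"mirror set changed: add {sorted(diff.added)}, "
              f"retire {sorted(diff.removed)}")
    info = parse_cvd_txt(_run(["host", "-t", "txt", "current.cvd.clamav.net"]))
    print(f"ClamAV {info.clamav_version}: main {info.main_version}, "
          f"daily {info.daily_version}")
```

Run from cron, the script only reports; the firewall change itself stays a manual step, as step 3 intends, and until it is made the addresses still in both sets keep working.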
