How might I keep up to date on the *specific* IP addresses at Cloudflare for 
ClamAV database updates? They seem to change now and then.

I use ClamAV for email scanning, but I have my firewall (iptables) set up to 
block outbound off-LAN TCP from my local Dovecot server machine with special 
exceptions for the ClamAV-DB Cloudflare IPs on port 443. (In other words, 
defense in depth.)

I just discovered that the old IPs I was allowing stopped working a while ago. 
Now I see two "new" IPs that were being tried but blocked by my firewall.

If I 'dig', I get:

        $ dig database.clamav.net
        ;database.clamav.net.           IN      A
        database.clamav.net.    60      IN      CNAME   database.clamav.net.cdn.cloudflare.net.
        database.clamav.net.cdn.cloudflare.net. 300 IN A 104.18.203.90
        database.clamav.net.cdn.cloudflare.net. 300 IN A 104.17.196.15

suggesting that the IP addresses have a TTL of only 5 minutes! This would seem 
to make it impractical to update my firewall rules often enough. (Also, if I do 
repeated digs on this URL, I see the TTL counting down -- and then recycling! 
Very strange.)


I suppose I could permit outbound TCP (port 443) to 104.17.0.0/16, 
104.18.0.0/16 etc., but who knows what potentially dangerous stuff might be 
hosted on those subnets, compromising defense in depth. And what other subnets 
might be needed (the old one was 104.16.0.0/16, after all).

So maybe my best bet would be to allow the two current IPs and monitor the log 
files more carefully. After all, the previous two IPs (104.16.218.84 and 
104.16.219.84) worked for quite a long time.

Any thoughts?

Thanks
Paul Kosinski
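One way to keep the firewall exception in step with the short-TTL DNS answers, as an added example that is not part of the original post: the script resolves database.clamav.net, turns each A record into an ipset entry whose timeout is the DNS TTL plus a grace period, and is meant to be run from cron at least once per TTL so the allowed addresses age in and out on their own. The set name clamav_db, the grace period and the iptables rule that references the set are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: keep an ipset of the current
# database.clamav.net addresses, with per-entry timeouts tied to the DNS TTL,
# so the iptables exception follows the CDN instead of hard-coded IPs.
# Assumed: set name clamav_db, and an iptables rule such as
#   iptables -I OUTPUT -p tcp --dport 443 -m set --match-set clamav_db dst -j ACCEPT
# Run from cron at least once per TTL (e.g. every 5 minutes).

CLAMAV_HOST="database.clamav.net"
SET_NAME="clamav_db"
GRACE_SECS=600   # keep an entry this long past its TTL in case one refresh is missed

# Constructed sample in the format of `dig +noall +answer`, using the records
# quoted in the post; used for offline testing of the parser below.
DIG_SAMPLE='database.clamav.net.    60      IN      CNAME   database.clamav.net.cdn.cloudflare.net.
database.clamav.net.cdn.cloudflare.net. 300 IN A 104.18.203.90
database.clamav.net.cdn.cloudflare.net. 300 IN A 104.17.196.15'

# Read dig answer lines on stdin and print "ip ttl" for each A record only;
# the CNAME hop is skipped because the firewall needs addresses, not names.
parse_a_records() {
    awk '$4 == "A" && $5 ~ /^[0-9.]+$/ { print $5, $2 }'
}

# ipset timeout for an entry: DNS TTL plus the grace period.
entry_timeout() {
    echo $(( $1 + GRACE_SECS ))
}

# Turn dig output on stdin into `ipset restore` commands for set $1.
# "timeout 0" on create enables per-entry timeouts without a default expiry.
build_ipset_commands() {
    echo "create $1 hash:ip family inet timeout 0"
    parse_a_records | while read -r ip ttl; do
        echo "add $1 $ip timeout $(entry_timeout "$ttl")"
    done
}

# Resolve the name and load the result; -exist makes re-adding an address that is
# already in the set refresh its timeout instead of failing.
refresh_allowlist() {
    dig +noall +answer "$CLAMAV_HOST" | build_ipset_commands "$SET_NAME" | ipset -exist restore
}

if [ "${1:-}" = "--apply" ]; then
    refresh_allowlist
fi
```

The allow-list then only narrows egress to whatever DNS currently returns for the name, so it complements rather than replaces freshclam's TLS verification of the mirror.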
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users