On 7/30/25 10:05 AM, Paul Kosinski via clamav-users wrote:
This would seem to make it impractical to update my firewall rules often enough.
What if you incorporate the firewall update into your ClamAV process? Is that possible?
E.g. get a fresh (set of) IP(s), update your firewall, update ClamAV.

I'd suggest that you leverage ipset and / or recent iptables match extensions, as they allow you to update very specific things without doing an iptables update, which is a much larger atomic process.
If your firewall is on a different machine, then I wonder if you could leverage something like port knocking in the reverse direction. If your firewall sees your ClamAV system send packets to a specific sequence of ports to a destination IP, then allow the client to access the destination on port 443 for five or so minutes.
Come to think of it, you could even do the reverse port knock on the same system in that the ClamAV user wouldn't need any permission to modify the firewall in any capacity.
I get why you've done what you've done. I tip my hat to you. I've not yet gone there.
Another option if the firewall is on the ClamAV system is to use an iptables match extension to match based on the user the connection is coming from. As in allow the user updating ClamAV to initiate outbound connections to TCP port 443 while still blocking other users.
-- Grant. . . .
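The approach Grant outlines (a dedicated updater user allowed out on TCP 443 through the iptables owner match, with the mirror addresses kept in an ipset that is refreshed without reloading the iptables rules), as an added example that is not from the thread; the user name `clamav`, the set name `clamav_mirrors` and the mirror hostname are assumptions:

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumed names: the user
# running freshclam is "clamav", the ipset is "clamav_mirrors", and the mirror
# is database.clamav.net. DRY_RUN=1 (the default) only prints the commands.

CLAM_USER="${CLAM_USER:-clamav}"
SET_NAME="${SET_NAME:-clamav_mirrors}"
MIRROR_HOST="${MIRROR_HOST:-database.clamav.net}"
SET_TTL="${SET_TTL:-900}"        # seconds a mirror IP stays in the set
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# One-time setup: installing the iptables rules is the large atomic step and is
# done once; after that only the ipset membership changes.
rule_commands() {
    user="$1"; set="$2"
    echo "ipset create $set hash:ip timeout $SET_TTL -exist"
    # Only the updater user may reach 443, and only towards current mirror IPs.
    echo "iptables -A OUTPUT -p tcp --dport 443 -m owner --uid-owner $user -m set --match-set $set dst -j ACCEPT"
    # Everything else on 443 is rejected (replace with DROP if preferred).
    echo "iptables -A OUTPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset"
}

install_rules() {
    rule_commands "$CLAM_USER" "$SET_NAME" | while IFS= read -r cmd; do
        # shellcheck disable=SC2086
        run $cmd
    done
}

# Refresh step: resolve the mirror right before freshclam runs (e.g. from cron)
# and (re)add its current IPv4 addresses with a timeout, so stale entries
# expire on their own and iptables itself is never touched again.
mirror_ips() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

refresh_mirrors() {
    for ip in $(mirror_ips "$MIRROR_HOST"); do
        run ipset add "$SET_NAME" "$ip" timeout "$SET_TTL" -exist
    done
}

# Usage: DRY_RUN=0 sh clamav-fw.sh install   (once, as root)
#        DRY_RUN=0 sh clamav-fw.sh refresh   (before each freshclam run)
case "${1:-}" in
    install) install_rules ;;
    refresh) refresh_mirrors ;;
esac
```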
