Creating Firewall Rules for Freshclam

Many Linux mail servers use ClamAV to scan for viruses. The application is dependable and has a history of updating virus rules quickly as new viruses are discovered. A major part of running any anti-virus program is updating the virus signatures at a regular interval, often hourly. ClamAV uses a program called freshclam to update the signatures. Run from a cron job, freshclam performs the updates on a regular basis by accessing a repository that provides them.

 

Creating firewall rules that allow access to the repository is an important step in getting the updates. Here is a rule set you can place on the mail server to gain regular access to the repository.

 

The first step is to either check the log (/var/log/clamav/freshclam.log) or run the command freshclam to find the repository IPs that will be accessed. Here is an example of failed connections in the log; note the IP address of the repository.

 

Trying host db.local.clamav.net (64.22.33.90)...

connect_error: getsockopt(SO_ERROR): fd=5 error=110: Connection timed out

Can't connect to port 80 of host db.local.clamav.net (IP: 64.22.33.90)

Trying host db.local.clamav.net (207.57.106.31)...

connect_error: getsockopt(SO_ERROR): fd=5 error=110: Connection timed out

Can't connect to port 80 of host db.local.clamav.net (IP: 207.57.106.31)

 

 

Once you have the IP address, you need to create 4 iptables rules.

 

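# Outbound: freshclam (unprivileged source port) to the repository on port 80
iptables -A OUTPUT -p tcp --sport 1024:65535 -d 64.22.33.90 --dport 80 -j ACCEPT

# Inbound: packets from the repository's port 80 back to an unprivileged port
iptables -A INPUT -p tcp --sport 80 -s 64.22.33.90 --dport 1024:65535 -j ACCEPT

# Inbound: source port 80, destination address is the repository
iptables -A INPUT -p tcp --sport 80 -d 64.22.33.90 --dport 1024:65535 -j ACCEPT

# Outbound: local source port 80 to the repository's unprivileged ports
iptables -A OUTPUT -p tcp --sport 80 -d 64.22.33.90 --dport 1024:65535 -j ACCEPT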

 

 

Verify that access is available by running the command freshclam. Of course, you may want to enter several repositories as backups.
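
The steps above can be scripted. The following is an added example, not part of the original article or of ClamAV: it reads freshclam log lines in the format shown above and prints one rule pair per blocked repository IP. It assumes connection tracking (-m conntrack) is available and uses it in place of the port-range rules above; the function names are illustrative.

```shell
#!/bin/sh
# Added example: turn freshclam connection failures into iptables commands.
# It only prints the commands; review them before running anything as root.

# Sample input: the failed-connection lines quoted in the article.
sample_log() {
cat <<'EOF'
Trying host db.local.clamav.net (64.22.33.90)...
connect_error: getsockopt(SO_ERROR): fd=5 error=110: Connection timed out
Can't connect to port 80 of host db.local.clamav.net (IP: 64.22.33.90)
Trying host db.local.clamav.net (207.57.106.31)...
connect_error: getsockopt(SO_ERROR): fd=5 error=110: Connection timed out
Can't connect to port 80 of host db.local.clamav.net (IP: 207.57.106.31)
EOF
}

# Read a freshclam log on stdin and print one "IP PORT" pair per blocked
# repository. Any text before "Can't connect" (such as a timestamp) is ignored.
blocked_mirrors() {
    sed -n "s/.*Can't connect to port \([0-9][0-9]*\) of host [^ ]* (IP: \([0-9.]*\))\$/\2 \1/p" |
        awk '
            # Keep only dotted quads with octets 0-255, and drop duplicates.
            {
                n = split($1, o, ".")
                ok = (n == 4)
                for (i = 1; i <= n; i++)
                    if (o[i] !~ /^[0-9]+$/ || o[i] > 255) ok = 0
                if (ok && !seen[$0]++) print
            }'
}

# Print a stateful rule pair for each blocked repository.
freshclam_rules() {
    blocked_mirrors | while read -r ip port; do
        # Outbound: new and established connections to the repository.
        echo "iptables -A OUTPUT -p tcp -d $ip --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
        # Inbound: only packets belonging to a connection this host opened.
        echo "iptables -A INPUT -p tcp -s $ip --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    done
}

# Demonstration on the sample lines; on a server, feed the real log instead:
#   freshclam_rules < /var/log/clamav/freshclam.log
sample_log | freshclam_rules
```

Because the inbound rule matches only ESTABLISHED traffic, a packet that merely arrives from source port 80 of the repository address is not accepted unless it belongs to a connection the mail server started.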