B. Cook wrote:
> Hello all,
>
> we were having an issue today on one of the mail servers that we have..
> and we thought we would setup clamd on a tcp port and allow the other
> mail server to use it..
>
> Well we had some odd results..
>
> 2006-09-27 14:29:45 1GSeAD-0000Jy-DU malware acl condition: clamd:
> connection to 6.7.68.8, port 1358 failed (Connection refused)
> 2006-09-27 14:29:49 1GSeAD-0000Jz-DX malware acl condition: clamd:
> connection to 6.7.68.8, port 1601 failed (Connection refused)
> 2006-09-27 14:29:49 1GSeAH-0000K9-7g malware acl condition: clamd:
> connection to 6.7.68.8, port 1261 failed (Connection refused)
> 2006-09-27 14:29:52 1GSeAK-0000KF-RG malware acl condition: clamd:
> connection to 6.7.68.8, port 1179 failed (Connection refused)
> 2006-09-27 14:30:16 1GSeAH-0000K9-DV malware acl condition: clamd:
> connection to 6.7.68.8, port 1933 failed (Connection refused)
>
> These are machines not behind a router and are not being NAT'd; we did
> have the port firewalled off (FreeBSD's PF):
>
> pass in quick inet proto tcp from 6.7.68.15/32 to ($ext_if) port { 3310
> } modulate state
>
> Exim version 4.62 #0 (FreeBSD 4.11) built 24-Jun-2006 22:35:09
> is the version of exim on this server..
>
> Is this a known problem? Or is something odd going on with that?
>
> av_scanner = clamd:6.7.68.8 3310
>
> Is what I have defined in this server..
>
> sockstat -4 | grep 3310
> clamav clamd 90696 5 tcp4 6.7.68.8:3310 *:*
>
> Any ideas?
>
Not a 'problem' - not at heart anyway.
Most daemons that 'seek' to connect with services do so on more-or-less randomly
selected ports above 1024. 'root' owns the lower ones, and won't allow non-root
euids to have 'em.
It is only the *target* port that is fixed. That is set by service 'convention', such as
25 for smtp, or by your own setting. You can put an httpd on 25 if you are
eccentric enough.
I believe you already know that ...
Now - when setting up firewall rules you have to expect that, so allow 'from any'.
..and that also...
(for the benefit of others who may not...)
So there is a non-obvious (to me) glitch in your ruleset.
May just need simplification w/r the conditional test.
The equivalent IPFW rule would be simpler (granted, perhaps less powerful/elegant,
but..)
Likewise, I have never looked to see if ClamAV uses (exclusively) TCP, or if it
needs UDP, ICMP or such sputniks as well.....
Says he who uses exclusively sockets, *never* IP for SA, PG, ClamAV, *AND* is
still using IPFW 'coz it is familiar...
;-)
(OK - hard to share with another box.......)
Bill
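Added example, not part of the thread above and not Exim or ClamAV code: a short Python script that does two things the exchange touches on. First, it parses Exim "malware acl condition: clamd: connection to HOST, port N failed" lines (the three from the post are embedded as constructed sample input) and flags every failure whose target does not match the configured `av_scanner = clamd:HOST PORT` value, which is the quickest way to spot the 1358/1601/1261 oddity in a larger log. Second, it demonstrates Bill's point about ports by opening a local listener on a kernel-chosen port (port 0 is used so the script does not collide with a real clamd on 3310), dialling it, and reporting that the client's source port is an ephemeral one above 1024 while the destination port is the fixed one. The PING/PONG exchange mirrors clamd's command, but the server here is a constructed stand-in; the regex, function names and the `SAMPLE_LOG` data are all assumptions of this example.

```python
import re
import socket
import threading

# Constructed sample input: the three Exim 4.62 log lines quoted in the post
# above, copied here as test data (not read from a live log).
SAMPLE_LOG = """\
2006-09-27 14:29:45 1GSeAD-0000Jy-DU malware acl condition: clamd: connection to 6.7.68.8, port 1358 failed (Connection refused)
2006-09-27 14:29:49 1GSeAD-0000Jz-DX malware acl condition: clamd: connection to 6.7.68.8, port 1601 failed (Connection refused)
2006-09-27 14:29:49 1GSeAH-0000K9-7g malware acl condition: clamd: connection to 6.7.68.8, port 1261 failed (Connection refused)
"""

# Shape of the Exim 'malware acl condition: clamd: connection to HOST, port N
# failed (ERR)' line, as it appears in the post (assumed regex).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msgid>\S+) "
    r"malware acl condition: clamd: connection to (?P<host>[^,]+), "
    r"port (?P<port>\d+) failed \((?P<err>[^)]*)\)$"
)


def parse_av_scanner(value):
    """Split an Exim 'clamd:HOST PORT' av_scanner value into (host, port)."""
    scheme, sep, rest = value.partition(":")
    if not sep or scheme.strip() != "clamd":
        raise ValueError("expected 'clamd:HOST PORT', got %r" % value)
    host, port = rest.split()
    return host, int(port)


def failed_connections(log_text):
    """Return one dict per clamd connection-failure line; other lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            hits.append(d)
    return hits


def unexpected_targets(log_text, av_scanner):
    """Failures whose (host, port) is not the configured clamd target.

    In the post av_scanner names port 3310, yet every failure reports a port
    in the 1000-2000 range, so all three sample lines come back flagged.
    """
    host, port = parse_av_scanner(av_scanner)
    return [f for f in failed_connections(log_text)
            if (f["host"], f["port"]) != (host, port)]


def observe_source_port():
    """Dial a local listener and return (dest_port, src_port, reply).

    The listener binds port 0 so the kernel picks a free port; once bound,
    that number is the fixed *target* port the client dials.  The client's
    own port is left to the kernel and comes back from the ephemeral range
    (above 1024), which is why a firewall rule fixes the destination port
    and accepts any source port.  The server is a constructed stand-in that
    answers clamd's PING with PONG; it is not clamd.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    server.settimeout(5)
    dest_port = server.getsockname()[1]
    seen = {}

    def serve_once():
        conn, peer = server.accept()
        with conn:
            seen["src_port"] = peer[1]          # port the client came from
            if conn.recv(16).strip() == b"PING":
                conn.sendall(b"PONG\n")

    t = threading.Thread(target=serve_once)
    t.start()
    with socket.create_connection(("127.0.0.1", dest_port), timeout=5) as client:
        client.sendall(b"PING\n")
        reply = client.recv(16)
        src_port = client.getsockname()[1]      # kernel-chosen ephemeral port
    t.join()
    server.close()
    assert seen["src_port"] == src_port         # both ends agree on the source port
    return dest_port, src_port, reply


if __name__ == "__main__":
    for f in unexpected_targets(SAMPLE_LOG, "clamd:6.7.68.8 3310"):
        print("%s: expected port 3310, log shows %s:%d (%s)"
              % (f["msgid"], f["host"], f["port"], f["err"]))
    dest, src, reply = observe_source_port()
    print("dialled fixed port %d from ephemeral port %d, reply %r" % (dest, src, reply))
```

Run it against a real Exim main log by reading the file into `unexpected_targets` in place of `SAMPLE_LOG`; a rule such as the PF line in the post only needs the destination port pinned, so any source port the listener reports above is what the rule must accept.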