Re: [exim] random tcp ports for clamd?

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: W B Hacker
Dátum:  
Címzett: exim users
Tárgy: Re: [exim] random tcp ports for clamd?
B. Cook wrote:

> Hello all,
>
> we were having an issue today on one of the mail servers that we have..
> and we thought we would setup clamd on a tcp port and allow the other
> mail server to use it..
>
> Well we had some odd results..
>
> 2006-09-27 14:29:45 1GSeAD-0000Jy-DU malware acl condition: clamd:
> connection to 6.7.68.8, port 1358 failed (Connection refused)
> 2006-09-27 14:29:49 1GSeAD-0000Jz-DX malware acl condition: clamd:
> connection to 6.7.68.8, port 1601 failed (Connection refused)
> 2006-09-27 14:29:49 1GSeAH-0000K9-7g malware acl condition: clamd:
> connection to 6.7.68.8, port 1261 failed (Connection refused)
> 2006-09-27 14:29:52 1GSeAK-0000KF-RG malware acl condition: clamd:
> connection to 6.7.68.8, port 1179 failed (Connection refused)
> 2006-09-27 14:30:16 1GSeAH-0000K9-DV malware acl condition: clamd:
> connection to 6.7.68.8, port 1933 failed (Connection refused)
>
> These are machines not behind a router and are not being nat'd, we did
> have the port firewalled off (FreeBSDs PF)
>
> pass in quick inet proto tcp from 6.7.68.15/32 to ($ext_if) port { 3310
> } modulate state
>
> Exim version 4.62 #0 (FreeBSD 4.11) built 24-Jun-2006 22:35:09
> is the version of exim on this server..
>
> Is this a known problem? Or is something odd going on with that?
>
> av_scanner              = clamd:6.7.68.8 3310

>
> Is what I have defined in this server..
>
> sockstat -4 | grep 3310
> clamav   clamd      90696 5  tcp4   6.7.68.8:3310       *:*

>
> Any ideas?
>


Not a 'problem' - not at heart anyway.

Most daemons who 'seek' to connect with services do so on more-or-less randomly
selected ports above 1024. 'root' own the lower ones, and won't allow non-root
euid's to have 'em.

It is only the *target* port that is fixed. Tat by service 'convention', suh as
25 for smtp, or by your own setting. You can put an httpd on 25 if you are
eccentric enough.

I believe you already know that ...

Now - when setting up firewall rules you have to expect that, so allow 'from any'.

..and that also...

(for the benfit of others who may not...)

So there is a non-obvious (to me) glitch in your ruleset.

May just need simplification w/r the conditional test.

The equivalent IPFW rule would be simpler (grant, perhaps less powerful/elegant,
but..)

Likewise, I have never looked to see if ClamAV uses (exclusively) TCP, or if it
needs UDP, ICMP or such sputniks as well.....

Says he who uses exclusively sockets, *never* IP for SA, PG, ClamAV, *AND8 is
still using IPFW 'coz it is familiar...

;-)

(OK - hard to share with another box.......)

Bill