Mailing List Archive: [clamav-users] Freshclam 0.102.1 ignores "--disable-ipv6"

[clamav-users] Freshclam 0.102.1 ignores "--disable-ipv6"

Jan 6, 2020, 6:12 PM

Post #1 of 3 (289 views)

Even though I built the latest ClamAV (0.102.1) with the 'configure'
option "--disable-ipv6", freshclam tried using IPv6 addresses when it
failed to connect via IPv4 due to a firewall rule (which I now changed
to allow port 443 as well as port 80).

This rule was part of hardening our mail server a bit by blocking most
outbound connections, so I had added explicit pass-thru for the
clamav.net IPv4 addresses -- previously only port 80, now also 443.
(And I had to allow these outbound connections because my previous
attempts at local mirroring collapsed with the switch to Cloudflare:
the CVD files on the BOS Cloudflare mirror seemed to be out of date a
lot, as discussed in my previous postings).

P.S. As far as I can tell, disallowing IPv6 everywhere within, in to
and out of our small LAN, does not block anything of importance. Does
anyone know of anything on the Internet that is IPv6 *only*, and is
important enough to justify spending weeks of work rebuilding our
firewall (not to mention reconfiguring everything else)?

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] Freshclam 0.102.1 ignores "--disable-ipv6" [ In reply to ]

clamav-users at lists

Jan 6, 2020, 8:48 PM

Post #2 of 3 (288 views)

Permalink

I’m fairly certain this was previously discussed. Might want to check the archives.

I have not run across any site yet that is IPv6 only, but I suspect users in Asia have.

Sent from my iPad

-Al-

> On Jan 6, 2020, at 18:12, Paul Kosinski via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> ?Even though I built the latest ClamAV (0.102.1) with the 'configure'
> option "--disable-ipv6", freshclam tried using IPv6 addresses when it
> failed to connect via IPv4 due to a firewall rule (which I now changed
> to allow port 443 as well as port 80).
>
> This rule was part of hardening our mail server a bit by blocking most
> outbound connections, so I had added explicit pass-thru for the
> clamav.net IPv4 addresses -- previously only port 80, now also 443.
> (And I had to allow these outbound connections because my previous
> attempts at local mirroring collapsed with the switch to Cloudflare:
> the CVD files on the BOS Cloudflare mirror seemed to be out of date a
> lot, as discussed in my previous postings).
>
>
> P.S. As far as I can tell, disallowing IPv6 everywhere within, in to
> and out of our small LAN, does not block anything of importance. Does
> anyone know of anything on the Internet that is IPv6 *only*, and is
> important enough to justify spending weeks of work rebuilding our
> firewall (not to mention reconfiguring everything else)?
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] Freshclam 0.102.1 ignores "--disable-ipv6" [ In reply to ]

clamav-users at lists

Jan 6, 2020, 9:50 PM

Post #3 of 3 (288 views)

Permalink

I looked back in the list a bit, and found some mentions of freshclam
and IPv6, but not this issue specifically.

The fact that freshclam ignores the "--disable-ipv6" option probably
won't be a problem in practice -- as long as the IPv4 connections to
ClamAV.net work -- but it is annoying, and clearly a (minor) bug.

There are some other services, like NTP, X, VNC and RSYNCD, that insist
on binding to IPv6, even though *none* of our interfaces have it, but
they only *listen*, and thus yield no error msgs.

On Mon, 6 Jan 2020 20:48:20 -0800
Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:

> I’m fairly certain this was previously discussed. Might want to check
> the archives.
>
> I have not run across any site yet that is IPv6 only, but I suspect
> users in Asia have.
>
> Sent from my iPad
>
> -Al-
>
> > On Jan 6, 2020, at 18:12, Paul Kosinski via clamav-users
> > <clamav-users@lists.clamav.net> wrote:
> >
> > ?Even though I built the latest ClamAV (0.102.1) with the
> > 'configure' option "--disable-ipv6", freshclam tried using IPv6
> > addresses when it failed to connect via IPv4 due to a firewall rule
> > (which I now changed to allow port 443 as well as port 80).
> >
> > This rule was part of hardening our mail server a bit by blocking
> > most outbound connections, so I had added explicit pass-thru for the
> > clamav.net IPv4 addresses -- previously only port 80, now also 443.
> > (And I had to allow these outbound connections because my previous
> > attempts at local mirroring collapsed with the switch to Cloudflare:
> > the CVD files on the BOS Cloudflare mirror seemed to be out of date
> > a lot, as discussed in my previous postings).
> >
> >
> > P.S. As far as I can tell, disallowing IPv6 everywhere within, in to
> > and out of our small LAN, does not block anything of importance.
> > Does anyone know of anything on the Internet that is IPv6 *only*,
> > and is important enough to justify spending weeks of work
> > rebuilding our firewall (not to mention reconfiguring everything
> > else)?

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml