> i've clamd running on a standalone box on my private LAN, listening on
> a TCP socket; in clamd.conf i have,
> 
>   TCPAddr 10.0.0.105
>   TCPSocket 3310
> 
> i'm submitting messages TO it via exim's exiscan/content-scanning.
> 
> works great.
> 
> i'd like to LIMIT which IPs can *access* clamd on that box.
> 
> 
> iiuc, there are three options:
> 
> (1) tcpwrappers. but, afaict tcpwrappers support is limited to
> clamav-milter.  at least, config-ing hosts.allow/hosts.deny seems to
> make no difference ... 
> 
> (2) control via firewall access.  do-able, but not optimal ...
> 
> (3) some config setting in clamd.conf.
> 
> spamd, e.g., allows me to configure BOTH the 'listening' ips AND
> 'allowed' ips, where the latter define which ips can access/submit_to
> the running daemon. 

(4) You only say you're submitting from Exim, not specifying if Exim is
on the local or on remote hosts. If you have a local Exim that needs to
access a local clamd, run clamd on 127.0.0.1. That way there's no
maintaining anything external to ClamAV and no other host can access it
(unless you're doing some tricks).

>> But why is your second option not optimal?
>>
> Simply 'one more thing' to take care of ... external to the apps
> involved.

If you think (2) is just one more thing to maintain and present option
(3) which is not external and seems to be able to do what you want,
well... Why are you asking? ;-)
IMO although you think (2) is not optimal configuration-wise, it is
security-wise as clamd would never see packets it doesn't need to see.


Grts,
Rob
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
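As an added example, not code from this thread or from ClamAV itself: a small Python check that reads the listener keys from a clamd.conf (TCPAddr, TCPSocket, LocalSocket are the real keys), reports whether clamd is reachable from other hosts at all (Rob's point (4): bound to 127.0.0.1 means nothing to filter), and, when it is, emits the iptables rules for option (2) that admit only the Exim host. The sample config and the Exim host address 10.0.0.20 are constructed.

```python
import ipaddress
import re

# Constructed sample: the clamd.conf fragment from the thread plus a local socket.
SAMPLE_CONF = """\
# clamd.conf on the scanning box
LocalSocket /var/run/clamav/clamd.sock
TCPAddr 10.0.0.105
TCPSocket 3310
"""

def parse_clamd_conf(text):
    """Return clamd.conf 'Key value' pairs; '#' comments ignored, last occurrence wins."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s+(\S.*)$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def tcp_exposure(conf):
    """Classify the TCP listener: 'none', 'loopback', 'single-address' or 'all-interfaces'."""
    if "TCPSocket" not in conf:
        return "none"                      # unix socket only (or no listener): no network exposure
    addr = conf.get("TCPAddr")
    if addr is None:
        return "all-interfaces"            # clamd binds INADDR_ANY when TCPAddr is unset
    try:
        if ipaddress.ip_address(addr).is_loopback:
            return "loopback"              # only local Exim can reach it, as Rob suggests
    except ValueError:
        pass                               # TCPAddr given as a hostname: treat as a real address
    return "single-address"

def iptables_rules(conf, allowed_hosts):
    """Option (2): accept the scanner port only from allowed_hosts, drop everything else."""
    if tcp_exposure(conf) in ("none", "loopback"):
        return []                          # nothing reachable from other hosts, nothing to filter
    port = conf["TCPSocket"]
    dst = f" -d {conf['TCPAddr']}" if "TCPAddr" in conf else ""
    rules = [f"iptables -A INPUT -p tcp{dst} --dport {port} -s {ipaddress.ip_address(h)} -j ACCEPT"
             for h in allowed_hosts]       # ip_address() rejects typos before they become rules
    rules.append(f"iptables -A INPUT -p tcp{dst} --dport {port} -j DROP")
    return rules

if __name__ == "__main__":
    conf = parse_clamd_conf(SAMPLE_CONF)
    print("exposure:", tcp_exposure(conf))
    print("\n".join(iptables_rules(conf, ["10.0.0.20"])))  # 10.0.0.20 = constructed Exim host
```

The DROP rule is appended last so the ACCEPT rules for the Exim host are matched first; clamd then never sees packets from anyone else, which is Rob's security-wise argument for option (2).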