You are right. They can change. But it’s dependent on your location. So as long as you don’t move your position on earth ;), you should be fine. Unless Cloudflare drastically changes things.
Sent from my iPhone

> On Jul 9, 2019, at 18:58, Paul Kosinski <clamav-us...@iment.com> wrote:
>
> I hadn't looked recently. After I gave up on running a local mirror
> and switched to CDIFFs, I also observed that signatures were usually
> updated only a couple of times per day. So I reduced polling the DNS TXT
> record to only twice per hour and only running freshclam if the DNS TXT
> record suggested it.
>
> Having just rechecked our freshclam logs, I can state that I have not
> seen any failures this year! I don't know if this is due to the BOS
> server being improved, or if it's simply due to the CDIFF files being
> much smaller, and thus being propagated in a more timely fashion. In
> any case, I'm quite pleased.
>
>
> Now I have another, related, question. Since I now have each of our
> machines on our LAN downloading the signature updates separately (local
> mirrors apparently being dead), I have a firewalling problem. Our mail
> server (for example) is blocked from having general Internet access
> outbound. So when I want to do a software update, I manually unblock the
> appropriate port, run the update and then manually block the port again.
>
> This obviously is impractical for freshclam, as it might be run at
> arbitrary times during the day. So my solution has been to have
> permanently allowed outbound connections to port 80 from the mail
> server to *exactly* those Anycast IP addresses that ClamAV uses at
> Cloudflare. This, obviously, would cause trouble in the future if the IP
> addresses were to change. Should I presume that the lifetime of these
> IP addresses is long enough that a rare manual update might be needed,
> or could they change "relatively" often (like DHCP leases) so that some
> kind of automation would be warranted? (The only IP addresses I
> currently allow through are 104.16.218.84 and 104.16.219.84, and they
> seem to be enough.)
>
> Any thoughts?
>
>
> On Tue, 9 Jul 2019 20:40:15 +0000
> "Joel Esler (jesler)" <jes...@cisco.com> wrote:
>
>> This has been fixed for some time, has it not?
>>
>>> On Jul 9, 2019, at 3:38 PM, Paul Kosinski via clamav-users
>>> <clamav-users@lists.clamav.net> wrote:
>>>
>>> The CVD version delivered by Cloudflare's "BOS"
>>> Anycast server was often behind the version advertised by the DNS
>>> TXT.
>>
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
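
A drift check for the static firewall allowlist discussed in the thread above, as an added example that is not part of the original messages: it resolves the mirror hostname from the mail server's own location and reports addresses that are missing from, or stale in, the allowlist. The hostname `database.clamav.net` and all function names are assumptions; the two allowed addresses are the ones quoted in the message.

```python
#!/usr/bin/env python3
"""Report drift between a static outbound allowlist and the mirror's A records."""
import ipaddress
import socket
import sys

# The two addresses quoted in the message above.
ALLOWED = {"104.16.218.84", "104.16.219.84"}
# Assumption: the mirror hostname freshclam is configured to use.
MIRROR_HOST = "database.clamav.net"


def resolve_ipv4(host, port=80):
    """Return the IPv4 addresses the local resolver currently gives for host.

    Run this on the firewalled machine itself: as the reply notes, the
    answer depends on where the query comes from.
    """
    infos = socket.getaddrinfo(host, port, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def allowlist_drift(allowed, resolved):
    """Compare the allowlist with the resolved addresses.

    missing: resolved but not allowed, so freshclam can be blocked.
    stale:   allowed but no longer resolved, an outbound rule nobody needs.
    """
    allowed = {ipaddress.ip_address(a) for a in allowed}    # validates input
    resolved = {ipaddress.ip_address(r) for r in resolved}
    return {
        "missing": [str(a) for a in sorted(resolved - allowed)],
        "stale": [str(a) for a in sorted(allowed - resolved)],
    }


def main(argv):
    """Exit status: 0 allowlist matches, 1 drift found, 2 check failed."""
    try:
        # Addresses given as arguments are used as-is; otherwise resolve.
        resolved = set(argv) or resolve_ipv4(MIRROR_HOST)
        drift = allowlist_drift(ALLOWED, resolved)
    except (socket.gaierror, ValueError) as exc:
        print(f"cannot check allowlist: {exc}", file=sys.stderr)
        return 2
    for kind in ("missing", "stale"):
        for ip in drift[kind]:
            print(f"{kind.upper()}: {ip}")
    return 1 if drift["missing"] or drift["stale"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run from cron on the mail server, a non-zero exit status is the signal to review the firewall rule by hand rather than to rewrite it automatically.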