[SOLVED] c-icap, clamav & size limit

[Waschbuesch]

Hi there,

Just saw the following on my firewall at home (OPNsense 17.7.3-amd64):
I have enabled c-icap, clamav and transparent squid (for SSL too) like detailed in the online manual.
What happened is that a large download (XCode update on my Mac) was not bypassed but written to /var/tmp/CI_TMP_XXXX and filled up the disk completely. (the download in question is >5G in size).
Should the configured size-limits for both c-icap and clamav not prevent this sort of thing?

[mimugmail]

Do you have some additional errors in your logs you can provide?

[mimugmail]

I think I found the bug:

https://github.com/opnsense/plugins/blob/master/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/virus_scan.conf#L22

There's a typo so this value wont be set, I'll fix this!

[franco]

Commit: https://github.com/opnsense/plugins/commit/90deaa6

Patch:

# opnsense-patch -c plugins 90deaa6

[Waschbuesch]

Wow, that was quick.

Thanks everyone!

:)

[franco]

All shipped in 17.7.4, yes. 8)


Cheers,
Franco

[Stephan]

Hi,

I think we need to reopen this... just ran into the same issue - testfile download of 10gb and it was stored locally to /var/tmp/CI_TMPxxx... though the max file size was set to 5mb in cicap

any help appreciated!

Cheers, Stephan

Edit:
Tue Oct  3 16:56:59 2017, 37144/3376520192, Cannot write to file: No space left on device

[Stephan]

Ok, after some diggin I found this in the /usr/local/etc/c-icap/virus_scan.conf

Code Select Expand

ServiceAlias  avscan virus_scan?allow204=on&sizelimit=off&mode=simple


According to http://c-icap.sourceforge.net/install.html
sizelimit=off means:
sizelimit=off to ignore srv_clamav.MaxObjectSize directive in c-icap.conf file

...

Is this the Problem?

Cheers, Stephan

EDIT: Just tested it by removing &sizelimit=off and the big file download started correctly by the browser (used http://speed.hetzner.de/ )

[franco]

Ok, 17.7.5 this time... :)