hi
I think, my friend, that you misunderstood what Charlie said.
no-one told you to let every ip come IN.. you should permit you Sme to go OUT where it need..
making firewall rules by ip on the wan side is, IMHO, a pain.. as you've been told, clamav use many servers, and you Sme will use almost all of them.. and they could change their ip..
so, make a simple rule:
sme ip -> alll on 80 permit
my 2c
ciao
Stefano