On Wed, 2007-12-19 at 19:24 -0600, Mike McGrath wrote:
> seth vidal wrote:
> > On Wed, 2007-12-19 at 18:54 -0500, Anand Capur wrote:
> >
> >> The reason for all of this is the firewall in place at the PHX colo. If
> >> that wasn't there we wouldn't need any of the games at all. We could
> >> just have foo.fedoraproject.org be resolvable from anywhere and
> >> foo.vpn.fedoraproject.org just mean 'go over the vpn to get to it'.
> >>
> >> seth 'big fan of simple networking' vidal
> >> -sv
> >>
> >> +1, but do we still need the firewall for other things?
> >>
> >
> > So the firewall is something that came with the space. It's red hat's
> > firewall and I don't think we have any choice for the hosts inside phx.
> >
> > In general, I'm a much bigger fan of hosts-based firewalling and
> > clamping down on exposure paths that way than an edge firewall for a
> > network. In this case it would also make our setup a good bit simpler if
> > we didn't have the edge firewall at all.
> >
>
> Just so my stance on this is also public. In general I also agree that
> it is good to remove the PHX firewall from the mix. The biggest being
> IP space. (think about the builders and such). There's also a firewall
> there that we could re-implement ourselves. While long term I do want
> to re-think our interactions with PHX but I can't say for sure exactly
> what that will be. If, for example, we got funding to host all
> non-buildsystem stuff in our new German colo, many of these problems
> might go away.
>
> I'd very much like to research the alternatives but for now I think the
> search domain method would suit us well.
>

option 2: all hosts we maintain are written in /etc/hosts or hosts.db or
something comparable specific to the site. that would keep mitm down to a
minimum, too, but it means keeping that file current.

-sv
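
Option 2 only helps while each site's hosts file stays current. The following is an added example, not part of the original message or of Fedora Infrastructure's tooling: an audit that compares a site's hosts file with an inventory of maintained hosts. The inventory layout, the `audit` function, and all names and addresses are constructed assumptions.

```python
import ipaddress

def parse_hosts(text):
    """Return {name: [ip, ...]} from hosts(5)-format text, in file order."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or address with no names
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address; skip the line
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(ip)
    return table

def audit(hosts_text, inventory, managed_suffix):
    """Compare a site's hosts file with the inventory of hosts we maintain."""
    table = parse_hosts(hosts_text)
    report = {"missing": [], "stale": [], "conflicting": [], "unmanaged": []}
    for name, want in sorted(inventory.items()):
        want = str(ipaddress.ip_address(want))
        got = set(table.get(name, []))
        if not got:
            report["missing"].append(name)
        elif len(got) > 1:  # same name pinned to different addresses
            report["conflicting"].append((name, sorted(got)))
        elif got != {want}:  # pinned, but to an address we no longer use
            report["stale"].append((name, got.pop(), want))
    for name in sorted(table):  # pinned names nobody maintains any more
        if name.endswith(managed_suffix) and name not in inventory:
            report["unmanaged"].append(name)
    return report

# Constructed sample data (documentation address range, example.org names).
INVENTORY = {"app1.example.org": "192.0.2.10", "db1.example.org": "192.0.2.20",
             "build1.example.org": "192.0.2.30", "proxy1.example.org": "192.0.2.40"}
SITE_HOSTS = """\
192.0.2.10  app1.example.org app1
192.0.2.21  db1.example.org      # address changed, file not updated
192.0.2.30  build1.example.org
192.0.2.99  build1.example.org   # leftover duplicate
192.0.2.50  old1.example.org     # host retired from inventory
"""

if __name__ == "__main__":
    print(audit(SITE_HOSTS, INVENTORY, ".example.org"))
```

Stale and unmanaged entries are the ones that matter for the man-in-the-middle concern: they keep directing traffic to an address the project may no longer control.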