seth vidal wrote:
On Wed, 2007-12-19 at 19:24 -0600, Mike McGrath wrote:
seth vidal wrote:
On Wed, 2007-12-19 at 18:54 -0500, Anand Capur wrote:
The reason for all of this is the firewall in place at the PHX
colo. If
that wasn't there we wouldn't need any of the games at all. We
could
just have foo.fedoraproject.org be resolveable from anywhere
and
foo.vpn.fedoraproject.org just mean 'go over the vpn to get to
it'.
seth 'big fan of simple networking' vidal
-sv
+1, but do we still need the firewall for other things?
So the firewall is something that came with the space. It's red hat's
firewall and I don't think we have any choice for the hosts inside phx.
In general, I'm a much bigger fan of hosts-based firewalling and
clamping down on exposure paths that way than an edge firewall for a
network. In this case it would also make our setup a good bit simpler if
we didn't have the edge firewall at all.
Just so my stance on this is also public. In general I also agree that
it is good to remove the PHX firewall from the mix. The biggest being
IP space. (think about the builders and such). There's also a firewall
there that we could re-implement ourselves. While long term I do want
to re-think our interactions with PHX but I can't say for sure exactly
what that will be. If, for example, we got funding to host all
non-buildsystem stuff in our new German colo, many of these problems
might go away.
I'd very much like to research the alternatives but for now I think the
search domain method would suit us well.
option 2:
all hosts we maintain are written in /etc/hosts or hosts.db or
something comparable specific to the site.
that would keep mitm down to a minimum, too, but it means keeping that
file current.
Does search in resolv.conf work with multiple /etc/hosts entries. If so
we could do that though, like DNS, we'd need to maintain multiple
hostnames / ip's. If that doesn't work then we'd have to maintain
multiple /etc/hosts files.
-Mike
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list