[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Search domains in our environment (Proposal)

seth vidal wrote:
On Wed, 2007-12-19 at 19:24 -0600, Mike McGrath wrote:
seth vidal wrote:
On Wed, 2007-12-19 at 18:54 -0500, Anand Capur wrote:
        The reason for all of this is the firewall in place at the PHX
        colo. If
        that wasn't there we wouldn't need any of the games at all. We
could just have foo.fedoraproject.org be resolveable from anywhere
        foo.vpn.fedoraproject.org just mean 'go over the vpn to get to
it'. seth 'big fan of simple networking' vidal

+1, but do we still need the firewall for other things?
So the firewall is something that came with the space. It's red hat's
firewall and I don't think we have any choice for the hosts inside phx.

In general, I'm a much bigger fan of hosts-based firewalling and
clamping down on exposure paths that way than an edge firewall for a
network. In this case it would also make our setup a good bit simpler if
we didn't have the edge firewall at all.
Just so my stance on this is also public. In general I also agree that it is good to remove the PHX firewall from the mix. The biggest being IP space. (think about the builders and such). There's also a firewall there that we could re-implement ourselves. While long term I do want to re-think our interactions with PHX but I can't say for sure exactly what that will be. If, for example, we got funding to host all non-buildsystem stuff in our new German colo, many of these problems might go away.

I'd very much like to research the alternatives but for now I think the search domain method would suit us well.

option 2:

 all hosts we maintain are written in /etc/hosts or hosts.db or
something comparable specific to the site.

that would keep mitm down to a minimum, too, but it means keeping that
file current.

Does search in resolv.conf work with multiple /etc/hosts entries. If so we could do that though, like DNS, we'd need to maintain multiple hostnames / ip's. If that doesn't work then we'd have to maintain multiple /etc/hosts files.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]