Search domains in our environment (Proposal)
seth vidal
skvidal at fedoraproject.org
Thu Dec 20 01:49:24 UTC 2007
On Wed, 2007-12-19 at 19:24 -0600, Mike McGrath wrote:
> seth vidal wrote:
> > On Wed, 2007-12-19 at 18:54 -0500, Anand Capur wrote:
> >
> >> The reason for all of this is the firewall in place at the PHX
> >> colo. If
> >> that wasn't there we wouldn't need any of the games at all. We
> >> could
> >> just have foo.fedoraproject.org be resolveable from anywhere
> >> and
> >> foo.vpn.fedoraproject.org just mean 'go over the vpn to get to
> >> it'.
> >>
> >> seth 'big fan of simple networking' vidal
> >> -sv
> >>
> >> +1, but do we still need the firewall for other things?
> >>
> >
> > So the firewall is something that came with the space. It's red hat's
> > firewall and I don't think we have any choice for the hosts inside phx.
> >
> > In general, I'm a much bigger fan of hosts-based firewalling and
> > clamping down on exposure paths that way than an edge firewall for a
> > network. In this case it would also make our setup a good bit simpler if
> > we didn't have the edge firewall at all.
> >
>
> Just so my stance on this is also public. In general I also agree that
> it is good to remove the PHX firewall from the mix. The biggest being
> IP space. (think about the builders and such). There's also a firewall
> there that we could re-implement ourselves. While long term I do want
> to re-think our interactions with PHX but I can't say for sure exactly
> what that will be. If, for example, we got funding to host all
> non-buildsystem stuff in our new German colo, many of these problems
> might go away.
>
> I'd very much like to research the alternatives but for now I think the
> search domain method would suit us well.
>
option 2:
all hosts we maintain are written in /etc/hosts or hosts.db or
something comparable specific to the site.
that would keep mitm down to a minimum, too, but it means keeping that
file current.
-sv
More information about the Fedora-infrastructure-list
mailing list