Search domains in our environment (Proposal)

seth vidal skvidal at
Thu Dec 20 01:49:24 UTC 2007

On Wed, 2007-12-19 at 19:24 -0600, Mike McGrath wrote:
> seth vidal wrote:
> > On Wed, 2007-12-19 at 18:54 -0500, Anand Capur wrote:
> >   
> >>         The reason for all of this is the firewall in place at the PHX
> >>         colo. If
> >>         that wasn't there we wouldn't need any of the games at all. We
> >>         could 
> >>         just have be resolveable from anywhere
> >>         and
> >> just mean 'go over the vpn to get to
> >>         it'. 
> >>         
> >>         seth 'big fan of simple networking' vidal
> >>         -sv
> >>
> >> +1, but do we still need the firewall for other things?
> >>     
> >
> > So the firewall is something that came with the space. It's red hat's
> > firewall and I don't think we have any choice for the hosts inside phx.
> >
> > In general, I'm a much bigger fan of hosts-based firewalling and
> > clamping down on exposure paths that way than an edge firewall for a
> > network. In this case it would also make our setup a good bit simpler if
> > we didn't have the edge firewall at all.
> >   
> Just so my stance on this is also public.  In general I also agree that 
> it is good to remove the PHX firewall from the mix.  The biggest being 
> IP space.  (think about the builders and such).  There's also a firewall 
> there that we could re-implement ourselves.  While long term I do want 
> to re-think our interactions with PHX but I can't say for sure exactly 
> what that will be.  If, for example, we got funding to host all 
> non-buildsystem stuff in our new German colo, many of these problems 
> might go away.
> I'd very much like to research the alternatives but for now I think the 
> search domain method would suit us well.

option 2:

 all hosts we maintain are written in /etc/hosts or hosts.db or
something comparable specific to the site.

that would keep mitm down to a minimum, too, but it means keeping that
file current.


More information about the Fedora-infrastructure-list mailing list