Needs to accommodate multiple news servers from uu.net

Bill Davidsen davidsen at tmr.com
Sun Nov 11 02:16:16 UTC 2007


Miroslaw Luc wrote:
> On Fri, 9 Nov 2007, The Doctor wrote:
>
>   
>> Question:
>> From uu.net, I need to permit
>> newsXXXX.news.uu.net
>> with 198.6.0.0/24 .
>> What do I need to do to get this correct for incoming.conf?
>>     
>
> You need 254(6?) entries in your incoming.conf file.
>   

STOP. You have given the best answer already.  ;-)

> Or do some magic in your firewall or nameserver setup.
>   

Whenever you get tricky you risk making something which is unreliable, 
or doesn't do quite what you think it does, or at minimum means that 
having someone else take over the work of administration is difficult at 
best. See my comment on how it should work below.
> You can configure iptables/SNAT, ipfilter/map, pf/nat etc to map
> all of 198.6.0.0/24 source addresses to 1 address that your news server
> will accept. It needs a firewall / NAT box *before* your server.
>
> You can also use some BIND's features. See BIND's `view' statement.
> In incoming.conf:
> peer uunet {
>         hostname: newsXXXX.news.uu.net.FAKE
> }
> In named.conf:
> view uunet_for_doctor_inn {
>   match-clients { IP-address_doctor_newsserver; };
>   zone "newsXXXX.news.uu.net.FAKE" {
>      type master;
>      file "zone-file";
>      ...
>   };
> };
> In zone-file:
> [... SOA and NS records ...]
> $GENERATE 1-254 @ A 198.6.0.$
>
> And so on.
> I never tested such config but I think it could be working:)
>   

I believe that what you want is to be able to do an expression match and 
just say "news*.news.uu.net" and be done with it. The logic to support 
that is (a) match the explicit IP if given by number, (b) match the IP 
from a lookup of a name, and finally (c) do reverse DNS, match the name 
to a pattern, and on match do a forward DNS lookup to verify that the 
name and IP match, then put the IP in cache for future connections.

This adds a little overhead to the first lookup, but unless you reload 
cache often (reread incoming.conf) this really is down in the noise. It 
also avoids problems when a machine is suddenly moved to another CIDR block.

-- 
bill davidsen <davidsen at tmr.com>
  CTO TMR Associates, Inc
  Doing interesting things with small computers since 1979
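The three-step match Bill describes (explicit address, forward lookup of a name, and reverse DNS matched against a pattern and then forward-confirmed), written out as an added example. This is illustrative code, not INN's own incoming.conf parser; the class name PeerMatcher, the entry list INCOMING and the DNS tables are assumptions, and the tables stand in for a real resolver so the code runs offline. The forward confirmation in step (c) is the part that matters for security: a PTR record is controlled by whoever owns the reverse zone for the connecting address, so a name match alone would let anyone who can set a PTR to news9.news.uu.net impersonate the peer.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed DNS data that stands in for a real resolver so the example
# runs offline. Names and addresses are assumptions for illustration only;
# they are not real uu.net records.
FAKE_FORWARD = {
    "news1.news.uu.net": {"198.6.0.1"},
    "news2.news.uu.net": {"198.6.0.2"},
    "news9.news.uu.net": {"198.6.0.9"},
    "peer.example.org": {"203.0.113.10"},
}
FAKE_REVERSE = {
    "198.6.0.1": "news1.news.uu.net",
    "198.6.0.2": "news2.news.uu.net",
    "198.6.0.3": "news3.news.uu.net",   # PTR exists, but no A record confirms it
    "192.0.2.7": "news9.news.uu.net",   # PTR claims a uu.net name that resolves elsewhere
    "203.0.113.10": "peer.example.org",
}


def fake_forward(name):
    """A lookup against the constructed table; an empty set means NXDOMAIN."""
    return FAKE_FORWARD.get(name.rstrip(".").lower(), set())


def fake_reverse(ip):
    """PTR lookup against the constructed table; None means no PTR."""
    return FAKE_REVERSE.get(ip)


def _as_network(text):
    """Return an ip_network if text is an address or CIDR literal, else None."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None


class PeerMatcher:
    """Decide which configured peer (if any) an incoming address belongs to.

    Each entry is (peer_name, pattern), where pattern is an IP literal or
    CIDR block, a plain hostname, or a glob such as news*.news.uu.net.
    Addresses that matched are cached until reload(), which is the
    equivalent of re-reading incoming.conf.
    """

    def __init__(self, entries, forward=fake_forward, reverse=fake_reverse):
        self.entries = list(entries)
        self.forward = forward
        self.reverse = reverse
        self.cache = {}

    def reload(self):
        self.cache.clear()

    def match(self, ip_text):
        if ip_text in self.cache:
            return self.cache[ip_text]
        ip = ipaddress.ip_address(ip_text)
        for peer, pattern in self.entries:
            if self._matches(ip, pattern):
                self.cache[ip_text] = peer
                return peer
        return None

    def _matches(self, ip, pattern):
        # (a) explicit address or CIDR block given by number
        net = _as_network(pattern)
        if net is not None:
            return ip in net
        # (b) plain hostname: resolve it and compare the addresses
        if not any(c in pattern for c in "*?["):
            return str(ip) in self.forward(pattern)
        # (c) glob: reverse DNS, match the name, then forward-confirm it so a
        # spoofed PTR pointing at a uu.net name is rejected
        name = self.reverse(str(ip))
        if name is None:
            return False
        name = name.rstrip(".").lower()
        if not fnmatchcase(name, pattern.lower()):
            return False
        return str(ip) in self.forward(name)


# Assumed incoming.conf-style entries for the example.
INCOMING = [
    ("uunet", "198.6.0.1"),           # (a) explicit address
    ("example", "peer.example.org"),  # (b) name resolved at match time
    ("uunet", "news*.news.uu.net"),   # (c) pattern, reverse then forward confirmed
]


def build_matcher():
    return PeerMatcher(INCOMING)
```

With these tables, 198.6.0.2 is accepted as uunet because its PTR matches the glob and news2.news.uu.net resolves back to it, while 198.6.0.3 (PTR but no A record) and 192.0.2.7 (PTR naming a host that resolves to 198.6.0.9) are both refused. The cache only ever holds positive results, so a host that later moves to another block is simply re-checked on its next connection after a reload.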
