Needs to accommodate multiple news servers from uu.net

The Doctor doctor at doctor.nl2k.ab.ca
Sun Nov 11 04:50:24 UTC 2007


On Sat, Nov 10, 2007 at 09:16:16PM -0500, Bill Davidsen wrote:
> Miroslaw Luc wrote:
> > On Fri, 9 Nov 2007, The Doctor wrote:
> >
> >> Question:
> >> From uu.net, I need to permit
> >> newsXXXX.news.uu.net
> >> with 198.6.0.0/24 .
> >> What do I need to do to get this correct for incoming.conf?
> >
> > You need 254(6?) entries in your incoming.conf file.
> 
> STOP. You have given the best answer already.  ;-)
> 
> > Or do some magic in your firewall or nameserver setup.
> 
> Whenever you get tricky you risk making something which is unreliable, 
> or doesn't do quite what you think it does, or at minimum means having 
> someone else take over the work of administration is difficult at best. 
> See my comment on how it should work below.
> > You can configure iptables/SNAT, ipfilter/map, pf/nat etc to map
> > all of 198.6.0.0/24 source addresses to 1 address that your news server
> > will accept. It needs a firewall / NAT box *before* your server.
> >
> > You can also use some BIND's features. See BIND's `view' statement.
> > In incoming.conf:
> > peer uunet {
> >         hostname: newsXXXX.news.uu.net.FAKE
> > }
> > In named.conf:
> > view uunet_for_doctor_inn {
> >   match-clients { IP-address_doctor_newsserver; };
> >   zone "newsXXXX.news.uu.net.FAKE" {
> >      type master;
> >      file "zone-file";
> >      ...
> >   };
> > };
> > In zone-file:
> > [... SOA and NS records ...]
> > $GENERATE 1-254 @ A 198.6.0.$
> >
> > And so on.
> > I never tested such config but I think it could be working:)
> 
> I believe that what you want is to be able to do an expression match and 
> just say "news*.news.uu.net" and be done with it. The logic to support 
> that is (a) match the explicit IP if given by number, (b) match the IP 
> from a lookup of a name, and finally (c) do reverse DNS, match the name 
> to a pattern, and on match do a forward DNS lookup to verify that the 
> name and IP match, then put the IP in cache for future connections.
> 
> This adds a little overhead to the first lookup, but unless you reload 
> cache often (reread incoming.conf) this really is down in the noise. It 
> also avoids problems when a machine is suddenly moved to another CIDR block.
> 

Sounds simple enough, but I think news.uu.net has moved to
a dynamic model like DHCP, which
really tosses this model around.

-- 
Member - Liberal International	
This is doctor at nl2k.ab.ca	Ici doctor at nl2k.ab.ca
God, Queen and country! Beware Anti-Christ rising!
Voting Canadians vote anyone but Harper Cronies!!
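As an added illustration of the three-step matching order Bill describes above (not code from INN or from anyone in this thread), a small Python matcher with an in-memory stand-in for DNS; every name, address and the `PeerMatcher` class are made up for the example, and the constructed PTR for 203.0.113.7 shows why step (c) must forward-confirm the reverse lookup before trusting the name.

```python
import fnmatch
import ipaddress

# Constructed, offline stand-in for DNS (forward A and reverse PTR tables);
# every name and address here is made up for this example.
FORWARD = {
    "news1.news.example.net": {"198.6.0.10"},
    "news2.news.example.net": {"198.6.0.11"},
    "feed.example.org": {"192.0.2.20"},
}
REVERSE = {
    "198.6.0.10": "news1.news.example.net",
    "198.6.0.11": "news2.news.example.net",
    "203.0.113.7": "news1.news.example.net",  # PTR claims a name it does not own
}

def resolve_a(name):
    return FORWARD.get(name.lower(), set())

def resolve_ptr(ip):
    return REVERSE.get(ip)

class PeerMatcher:
    """Match a peer address against incoming.conf-style entries in the order
    (a) literal IP/CIDR, (b) hostname's A records, (c) forward-confirmed
    reverse DNS against a glob pattern; accepted IPs are cached."""
    def __init__(self, entries):
        self.entries = entries
        self.cache = {}  # ip -> entry that accepted it on an earlier connection

    def match(self, ip):
        if ip in self.cache:
            return self.cache[ip]
        for entry in self.entries:
            if self._entry_matches(entry, ip):
                self.cache[ip] = entry  # skip the lookups next time
                return entry
        return None

    def _entry_matches(self, entry, ip):
        try:  # (a) explicit address or CIDR block
            return ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            pass
        if "*" not in entry and "?" not in entry:  # (b) plain hostname
            return ip in resolve_a(entry)
        # (c) reverse lookup, pattern match, then forward-confirm: a PTR record
        # is set by the address owner, so trust the name only if it resolves back.
        ptr = resolve_ptr(ip)
        if not ptr or not fnmatch.fnmatchcase(ptr.lower(), entry.lower()):
            return False
        return ip in resolve_a(ptr)
```

Clearing `cache` is the equivalent of rereading incoming.conf; until then a peer pays the lookup cost only on its first connection.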

