News to accommodate multiple news servers from uu.net
The Doctor
doctor at doctor.nl2k.ab.ca
Sun Nov 11 04:50:24 UTC 2007
On Sat, Nov 10, 2007 at 09:16:16PM -0500, Bill Davidsen wrote:
> Miroslaw Luc wrote:
> > On Fri, 9 Nov 2007, The Doctor wrote:
> >
> >
> >> Question:
> >> From uu.net, I need to permit
> >> newsXXXX.news.uu.net
> >> with 198.6.0.0/24 .
> >> What do I need to do to get this correct for incoming.conf?
> >>
> >
> > You need 254(6?) entries in your incoming.conf file.
> >
>
> STOP. You have given the best answer already. ;-)
>
> > Or do some magic in your firewall or nameserver setup.
> >
>
> Whenever you get tricky you risk making something which is unreliable,
> or doesn't do quite what you think it does, or at minimum means having
> someone else take over the work of administration is difficult at best.
> See my comment on how it should work below.
> > You can configure iptables/SNAT, ipfilter/map, pf/nat etc to map
> > all of 198.6.0.0/24 source addresses to 1 address that your news server
> > will accept. It needs a firewall / NAT box *before* your server.
> >
> > You can also use some BIND's features. See BIND's `view' statement.
> > In incoming.conf:
> > peer uunet {
> > hostname: newsXXXX.news.uu.net.FAKE
> > }
> > In named.conf:
> > view uunet_for_doctor_inn {
> > match-clients { IP-address_doctor_newsserver; };
> > zone "newsXXXX.news.uu.net.FAKE" {
> > type master;
> > file "zone-file";
> > ...
> > };
> > };
> > In zone-file:
> > [... SOA and NS records ...]
> > $GENERATE 1-254 @ A 198.6.0.$
> >
> > And so on.
> > I never tested such a config, but I think it could be working :)
> >
>
> I believe that what you want is to be able to do an expression match and
> just say "news*.news.uu.net" and be done with it. The logic to support
> that is (a) match the explicit IP if given by number, (b) match the IP
> from a lookup of a name, and finally (c) do reverse DNS, match the name
> to a pattern, and on match do a forward DNS lookup to verify that the
> name and IP match, then put the IP in cache for future connections.
>
> This adds a little overhead to the first lookup, but unless you reload
> cache often (reread incoming.conf) this really is down in the noise. It
> also avoids problems when a machine is suddenly moved to another CIDR block.
>
Sounds simple enough, but I think news.uu.net has moved to a dynamic model like DHCP, which really tosses this model around.
--
Member - Liberal International
This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God, Queen and country! Beware Anti-Christ rising!
Voting Canadians vote anyone but Harper Cronies!!
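The three-step match Bill describes above (explicit address, forward lookup of a plain name, then reverse DNS matched against a pattern and forward-confirmed, with the verdict cached until incoming.conf is reread), written out as an added example; it is not INN's code and not from anyone in the thread. DNS is replaced by a constructed in-memory resolver so it runs offline, and the hostnames, addresses and the glob pattern syntax are assumptions.

```python
import fnmatch
import ipaddress

# Constructed stand-in for DNS so the example runs offline; a real deployment
# would use socket.gethostbyname / socket.gethostbyaddr or a resolver library.
class FakeResolver:
    def __init__(self, forward, reverse):
        self._fwd = forward  # name -> list of addresses (A records)
        self._rev = reverse  # address -> PTR name

    def forward(self, name):
        return self._fwd.get(name.lower(), [])

    def reverse(self, ip):
        return self._rev.get(ip)

def _entry_allows(ip, entry, resolver):
    """One incoming.conf hostname entry: literal address/CIDR, plain name,
    or (the proposed extension) a glob pattern such as news*.news.uu.net."""
    addr = ipaddress.ip_address(ip)
    # (a) explicit address or CIDR block given by number
    try:
        return addr in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass
    # (b) plain name: forward lookup and compare the addresses it resolves to
    if not any(c in entry for c in "*?"):
        return ip in resolver.forward(entry)
    # (c) pattern: reverse DNS, match the PTR name, then forward-confirm it so
    #     a spoofed PTR record alone cannot get a peer in
    ptr = resolver.reverse(ip)
    return (bool(ptr) and fnmatch.fnmatchcase(ptr.lower(), entry.lower())
            and ip in resolver.forward(ptr))

def peer_matches(ip, hostnames, resolver, cache):
    """Decide whether ip may feed us; the verdict is cached per address
    until incoming.conf is reread (cache is just a dict here)."""
    if ip not in cache:
        cache[ip] = any(_entry_allows(ip, e, resolver) for e in hostnames)
    return cache[ip]

# Constructed sample data (hypothetical addresses and names).
RESOLVER = FakeResolver(
    forward={"news17.news.uu.net": ["198.6.0.17"],
             "evil.example": ["203.0.113.9"]},
    reverse={"198.6.0.17": "news17.news.uu.net",
             "203.0.113.9": "news99.news.uu.net"},  # PTR lies, no A record back
)
PEERS = ["news*.news.uu.net"]
```

The second sample address has a PTR record inside the pattern but no matching forward record, which is exactly the case step (c) exists to reject.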