On Sun, 21 Mar 2010, Mark Loeser wrote:

> Please make sure that you have mirrorstats.gentoo.org in your whitelists
> for your mirrors. It is a CNAME that points to the machine we have
> monitoring all of the mirrors, so please only check that
> mirrorstats.gentoo.org resolves to who is connecting. If the IP is blocked
> by your mirror, it makes our monitoring much more difficult.

Mark,

Does the IP change frequently / at all? What you're asking for is
atypical...

Access rules for incoming traffic (especially for firewalls) typically
require an IP address/network and cannot specify a host by the DNS
hostname. It is probably unhealthy to depend on an external (DNS) query
before deciding whether to permit or deny a packet.

Access rules running at a higher (application) layer may support DNS
hostnames, but not in the way you envision. For example, rsyncd.conf(5)
says hosts.allow can be "a hostname. The hostname as determined by a
reverse lookup will be matched (case insensitive) against the pattern.
Only an exact match is allowed in." So, the current IP of 209.177.148.226
would resolve to magpie.gentoo.org, and that is the name to be specified.

Apache is even more stringent. Specifying a domain name in an Allow
directive "will cause Apache to perform a double reverse DNS lookup on the
client IP address[...]. It will do a reverse DNS lookup on the IP address
to find the associated hostname, and then do a forward lookup on the
hostname to assure that it matches the original IP address. Only if the
forward and reverse DNS are consistent and the hostname matches will
access be allowed."
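The two hostname checks described above, as an added illustration that is not part of the mail: a reverse-lookup-only match (as the quoted rsyncd.conf text describes) beside Apache's double reverse lookup. DNS is replaced by an in-memory fixture so it runs offline; 198.51.100.7 and its PTR record are constructed, the other addresses and names are those from the mail.

```python
from typing import Callable, Iterable, Mapping, Optional, Set

# Constructed stand-in for DNS. The PTR for 198.51.100.7 claims a name whose
# forward records do not include that address (a forged or stale reverse zone).
PTR: Mapping[str, str] = {
    "209.177.148.226": "magpie.gentoo.org",
    "198.51.100.7": "magpie.gentoo.org",
}
FORWARD: Mapping[str, Set[str]] = {
    "magpie.gentoo.org": {"209.177.148.226"},
    # CNAME target is magpie, so the name resolves to the same address.
    "mirrorstats.gentoo.org": {"209.177.148.226"},
}


def fake_reverse(ip: str) -> Optional[str]:
    """Stand-in for socket.gethostbyaddr(): one PTR name or None."""
    return PTR.get(ip)


def fake_forward(name: str) -> Set[str]:
    """Stand-in for socket.getaddrinfo(): the set of addresses a name resolves to."""
    return FORWARD.get(name, set())


def reverse_only_allowed(client_ip: str, allowed: Iterable[str],
                         reverse: Callable[[str], Optional[str]] = fake_reverse) -> bool:
    """rsync-style: the PTR name must exactly match (case-insensitively) an
    allowed name. Nothing verifies that the PTR name really owns client_ip."""
    name = reverse(client_ip)
    return name is not None and name.lower() in {a.lower() for a in allowed}


def double_reverse_allowed(client_ip: str, allowed: Iterable[str],
                           reverse: Callable[[str], Optional[str]] = fake_reverse,
                           forward: Callable[[str], Set[str]] = fake_forward) -> bool:
    """Apache-style: same PTR match, then a forward lookup of the PTR name must
    yield client_ip again (forward-confirmed reverse DNS)."""
    if not reverse_only_allowed(client_ip, allowed, reverse):
        return False
    name = reverse(client_ip)
    return name is not None and client_ip in forward(name)
```

Note that listing the CNAME name mirrorstats.gentoo.org never matches under either scheme, because the PTR for the address is magpie.gentoo.org; that is the point the mail makes about which name must go in the ACL.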