Gentoo Archives: gentoo-mirrors

From: mirror-maintainer@×××××××××××××.net
To: gentoo-mirrors@l.g.o
Subject: Re: [gentoo-mirrors] Please whitelist mirrorstats.gentoo.org
Date: Mon, 22 Mar 2010 02:07:04
Message-Id: Pine.LNX.4.64.1003220909320.23740@spam.averse.net
In Reply to: [gentoo-mirrors] Please whitelist mirrorstats.gentoo.org by Mark Loeser
On Sun, 21 Mar 2010, Mark Loeser wrote:

> Please make sure that you have mirrorstats.gentoo.org in your whitelists > for your mirrors. It is a CNAME that points to the machine we have > monitoring all of the mirrors, so please only check that > mirrorstats.gentoo.org resolves to who is connecting. If the IP is blocked > by your mirror, it makes our monitoring much more difficult.
Mark, Does the IP change frequently / at all? What you're asking for is atypical... Access rules for incoming traffic (especially for firewalls) typically require an IP address/network and cannot specify a host by the DNS hostname. It is probably unhealthy to depend on an external (DNS) query before deciding whether to permit or deny a packet. Access rules running at a higher (application) layer may support DNS hostnames, but not in the way you envision. For example, rsyncd.conf(5) says hosts.allow can be "a hostname. The hostname as determined by a reverse lookup will be matched (case insensitive) against the pattern. Only an exact match is allowed in." So, the current IP of 209.177.148.226 would resolve to magpie.gentoo.org, and that is the name to be specified. Apache is even more stringent. Specifying a domain name in an Allow directive "will cause Apache to perform a double reverse DNS lookup on the client IP address[...]. It will do a reverse DNS lookup on the IP address to find the associated hostname, and then do a forward lookup on the hostname to assure that it matches the original IP address. Only if the forward and reverse DNS are consistent and the hostname matches will access be allowed."

Replies

Subject Author
Re: [gentoo-mirrors] Please whitelist mirrorstats.gentoo.org Mark Loeser <halcy0n@g.o>