* "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> [2002-12-18 07:02:13 -0500]:
> Security no-no. Bad idea. IMO

"Security" is merely a tradeoff between locking things down and allowing functionality. :) With things the way they are, ircu's security is completely preventing the functionality, which (at least in the OP's case) isn't the desired effect. Admittedly, the way things work now is perfect for 90% of installs, and I certainly agree it's a security risk, but...

Here's an interesting idea. How about making a C: line for localhost (which of course would resolve) with a strong password, and then setting up something like stunnel with certificates to make the actual connection? As far as ircu is concerned, the connection is coming from localhost. As long as the dynamic-IP leaf server could handle tearing down and bringing up the stunnel connection when its connection changes, it could use its own localhost as the hub IP. Depending on load, the overhead of the encryption may be a problem, but it might allow him to physically get it working...

Of course, the truly overkill version of this solution is to set up some kind of VPN between the leaf node and the hub (I know this can be done, even when BOTH ends of the connection are dynamic, although that can get a little hairy to automate) and then make an IP alias on the leaf with a private IP. Put the private IP's hostname into the hub's /etc/hosts file (or if ircu must use DNS, I forget, then create a zone file with a "bogus" TLD to answer for that host...running the name server on localhost only of course if the machine isn't already doing DNS) and then bang, full forward and reverse DNS, with the added benefit of being able to use one of the "interesting" kinds of hostnames we used to see a lot of on Undernet. :)

I suppose making a modification to ircu's configuration to allow connections from a C: line when only the forward DNS resolves properly is out of the question?

I know this is a non-issue for the production Undernet, but I'm sure this guy isn't the only one who has an interest in running a network with at least one dynamic-IP leaf node...

--
------------------------------------------------------------------------
daaave
Undernet Server Operator
irc://irc.undernet.org:6667/
[EMAIL PROTECTED]
------------------------------------------------------------------------
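The stunnel arrangement suggested in the message above, sketched as a pair of stunnel configuration files. This is an added example, not part of the original post and not taken from ircu or Undernet; the service name, ports, file paths and the hostname hub.example.net are assumptions, and the option names are those of stunnel 5.x.

```ini
; ===== Hub side: ircu-hub.conf (file name and paths are assumptions) =====
; stunnel terminates TLS from the leaf and forwards the stream to ircu over
; loopback, so ircu sees the link as coming from 127.0.0.1 and matches the
; localhost C: line described in the message.
[ircu-link]
; TLS port exposed to the leaf (assumed port number)
accept = 0.0.0.0:4401
; ircu's server port on the hub (assumed port number)
connect = 127.0.0.1:4400
cert = /etc/stunnel/hub-cert.pem
key = /etc/stunnel/hub-key.pem
; Once the tunnel is in place ircu cannot tell peers apart by address:
; every tunnelled connection looks like localhost. The client certificate
; check below is therefore what actually identifies the leaf. verifyPeer
; accepts only a peer certificate that is itself present in CAfile, so
; CAfile here holds just the leaf's own certificate.
verifyPeer = yes
CAfile = /etc/stunnel/leaf-cert.pem

; ===== Leaf side: ircu-leaf.conf (file name and paths are assumptions) =====
; The leaf's ircu connects to its own loopback address as if it were the hub.
; stunnel opens a new outbound TLS connection for each local connection it
; accepts, so after the leaf's address changes, ircu's next connect attempt
; goes out through a fresh tunnel.
[ircu-link]
client = yes
; Local port the leaf's ircu uses as the "hub" address (assumed)
accept = 127.0.0.1:4400
; The hub's static name and TLS port (hub.example.net is a placeholder)
connect = hub.example.net:4401
cert = /etc/stunnel/leaf-cert.pem
key = /etc/stunnel/leaf-key.pem
; Pin the hub's certificate so the leaf only links to the real hub.
verifyPeer = yes
CAfile = /etc/stunnel/hub-cert.pem
```

The two sections belong in separate files on separate machines; they are shown in one block only for side-by-side reading. Without the `verifyPeer` check on the hub, anything able to reach the TLS port would be presented to ircu as localhost, leaving the C: line password as the only barrier.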