Re: RFC - sysadmin guidelines
On Thu, Jan 15, 2009 at 9:25 PM, Frank Chiulli wrote:
> On Thu, Jan 15, 2009 at 9:35 AM, Mike McGrath wrote:
>> On Sun, 11 Jan 2009, Mike McGrath wrote:
>>
>>> This isn't really required but it's my intention to implement these
>>> policies (or what we come to after some discussion). This is targeted
>>> _ONLY_ at this team and those with shell access to our servers. It's not
>>> my intention to roll it out to the larger community, though it's certainly
>>> a good idea for people to read through it.
>>>
>>> http://mmcgrath.fedorapeople.org/policy/
>>>
>
> Mike,
> Take a look at Section 1.2. Host Network Security. There is a
> duplicate setting.
> The 4th setting is:
> net.ipv4.conf.all.accept_redirects = 0
>
> This setting is duplicated in the 14th setting.
>
> I'm guessing that the 4th setting should be removed.
>
> Frank
>

Mike,

First let me say that the examples are a great addition to the page.

I was looking at the iptables sample configuration and had some questions. I compared your suggested configuration to my current configuration (Fedora 10). With the exception of the lines with '--tcp-flags' in your sample configuration, they're pretty close. I don't have those yet.

The first three lines that start with '-A' in your sample are the same as mine except the order is different. Does the order make a difference?

Here are the lines from my file:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

Here are yours:

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT

Thanks,
Frank

___
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
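On the duplicate sysctl setting Frank spotted: the reason a duplicate matters is that sysctl -p applies the file top to bottom, so the last assignment of a key is the one left in effect, and a second copy with a different value silently overrides the first. The checker below is an added example written for this thread, not code from the policy page or from Fedora Infrastructure. The sysctl.conf excerpt it parses is constructed for the example (the policy page's own list is not reproduced here) and deliberately gives the two accept_redirects lines conflicting values to show the hazard.

```python
"""Added example (not from the thread or the policy page): report keys that a
sysctl.conf-style file assigns more than once, and the value sysctl -p would
leave in effect (last assignment wins)."""
import re
from collections import OrderedDict

# Constructed excerpt: accept_redirects appears twice, as on the policy page,
# here with conflicting values so the override is visible.
SAMPLE_SYSCTL_CONF = """\
# Host network hardening (constructed sample, not the policy page's list)
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
; sysctl(8) also treats ';' lines as comments
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 1
"""

ASSIGN_RE = re.compile(r"^\s*([A-Za-z0-9_./-]+)\s*=\s*(.*?)\s*$")


def parse_sysctl(text):
    """Return (lineno, key, value) for every assignment, in file order.
    sysctl accepts '/' as well as '.' as the separator, so both spellings are
    normalised to '.' and treated as the same key."""
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a key = value assignment: {line!r}")
        out.append((lineno, m.group(1).replace("/", "."), m.group(2)))
    return out


def find_duplicates(text):
    """Map each key assigned more than once to its list of (lineno, value)."""
    seen = OrderedDict()
    for lineno, key, value in parse_sysctl(text):
        seen.setdefault(key, []).append((lineno, value))
    return {k: v for k, v in seen.items() if len(v) > 1}


def effective_values(text):
    """What the kernel is left with after sysctl -p: the last assignment wins."""
    return {key: value for _, key, value in parse_sysctl(text)}


if __name__ == "__main__":
    effective = effective_values(SAMPLE_SYSCTL_CONF)
    for key, hits in find_duplicates(SAMPLE_SYSCTL_CONF).items():
        where = ", ".join(f"line {ln} -> {val}" for ln, val in hits)
        print(f"duplicate {key}: {where}; in effect: {effective[key]}")
```

Run against a real /etc/sysctl.conf (or the policy page's list pasted into a file), an empty result from find_duplicates is what you want; any hit where the values differ is a setting that is not what the earlier line suggests.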
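On Frank's question about rule order: iptables walks a chain top to bottom and the first rule whose match succeeds and whose target is terminating (ACCEPT, DROP, REJECT) decides the packet. The small model below is an added example for this thread, not code from the policy page or from Fedora Infrastructure; the packets are constructed in memory and nothing touches netfilter. It checks the two orderings of the three ACCEPT rules against a handful of packets (the verdict never changes, only which rule fires and therefore which counter increments and how many rules are evaluated), and then shows the case where order does change the outcome: an ACCEPT and a DROP rule, such as the --tcp-flags lines in Mike's sample, that can both match the same packet.

```python
"""Added example (not from the thread): first-match evaluation of an iptables
INPUT chain, used to test whether reordering rules changes any verdict."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Packet:
    iface: str                       # input interface, e.g. "lo" or "eth0"
    proto: str                       # "tcp", "udp" or "icmp"
    state: str                       # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags set on the packet


@dataclass
class Rule:
    text: str                        # the -A INPUT ... line, for reporting
    match: Callable[[Packet], bool]
    target: str                      # ACCEPT / DROP / REJECT (all terminating)


# Rule constructors mirroring the matches used in the thread.
def iface_rule(iface, target="ACCEPT"):
    return Rule(f"-A INPUT -i {iface} -j {target}", lambda p: p.iface == iface, target)


def state_rule(states, target="ACCEPT"):
    wanted = set(states.split(","))
    return Rule(f"-A INPUT -m state --state {states} -j {target}",
                lambda p: p.state in wanted, target)


def proto_rule(proto, target="ACCEPT"):
    return Rule(f"-A INPUT -p {proto} -j {target}", lambda p: p.proto == proto, target)


def tcp_flags_rule(mask, comp, target="DROP"):
    """--tcp-flags MASK COMP: of the flags in MASK, exactly those in COMP are set."""
    mask_s, comp_s = set(mask.split(",")), set(comp.split(","))
    return Rule(f"-A INPUT -p tcp --tcp-flags {mask} {comp} -j {target}",
                lambda p: p.proto == "tcp" and (p.flags & mask_s) == comp_s, target)


def evaluate(chain: List[Rule], pkt: Packet, policy="DROP"):
    """Walk the chain top to bottom; the first matching rule wins.
    Returns (verdict, index of the matching rule, or None for the chain policy)."""
    for i, rule in enumerate(chain):
        if rule.match(pkt):
            return rule.target, i
    return policy, None


# Frank's order and Mike's order of the same three ACCEPT rules.
FRANK = [state_rule("ESTABLISHED,RELATED"), proto_rule("icmp"), iface_rule("lo")]
MIKE = [iface_rule("lo"), state_rule("ESTABLISHED,RELATED"), proto_rule("icmp")]

SAMPLE_PACKETS = [  # constructed for the example
    Packet("lo", "tcp", "NEW", 22),
    Packet("eth0", "tcp", "ESTABLISHED", 22),
    Packet("eth0", "icmp", "NEW"),
    Packet("eth0", "tcp", "NEW", 22),
    Packet("eth0", "tcp", "NEW", 80, frozenset({"SYN", "FIN"})),
]


def same_verdicts(chain_a, chain_b, packets=SAMPLE_PACKETS):
    """True when every packet gets the same verdict from both chains,
    whichever rule produced it."""
    return all(evaluate(chain_a, p)[0] == evaluate(chain_b, p)[0] for p in packets)


def verdict_with_tcp_flags(drop_first: bool):
    """Order matters once an ACCEPT and a DROP can match the same packet: a
    SYN,FIN packet to port 22 is accepted or dropped depending on whether the
    --tcp-flags DROP rule precedes the port-22 ACCEPT."""
    bogus = tcp_flags_rule("SYN,FIN", "SYN,FIN")
    ssh = Rule("-A INPUT -p tcp --dport 22 -j ACCEPT",
               lambda p: p.proto == "tcp" and p.dport == 22, "ACCEPT")
    chain = [bogus, ssh] if drop_first else [ssh, bogus]
    return evaluate(chain, Packet("eth0", "tcp", "NEW", 22, frozenset({"SYN", "FIN"})))[0]


if __name__ == "__main__":
    print("three ACCEPT rules, either order, same verdicts:", same_verdicts(FRANK, MIKE))
    for p in SAMPLE_PACKETS:
        print(p, "frank:", evaluate(FRANK, p), "mike:", evaluate(MIKE, p))
    print("SYN,FIN to :22, DROP first:", verdict_with_tcp_flags(True))
    print("SYN,FIN to :22, ACCEPT first:", verdict_with_tcp_flags(False))
```

The practical reading: among rules that all ACCEPT, order is a matter of counters and evaluation cost (the ESTABLISHED,RELATED rule is usually placed early because it short-circuits most traffic), but once sanity-check DROP rules such as the --tcp-flags lines are added, they have to sit above any ACCEPT that could also match the packets they are meant to catch.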
RE: transport maps for bastion
I'm new to the environment but have experience with postfix @ $DAYJOB, so I figure this might be something I can contribute to without sounding too dumb, but if I do please take it easy. :)

> Currently all mail which goes through bastion (for example all
> @fedoraproject.org mail) then relays through mx.util.phx.redhat.com.

I'm not sure what bastion is but my question is why is the relay going through mx.util.phx.redhat.com currently? I'm guessing bastion is the host the @fedoraproject.org email is delivered on. (?) I can't find mx.util.phx.redhat.com in public DNS; is there an ACL on the zone or is this an /etc/hosts entry? Is the relay to mx.util.phx.redhat.com done via a relayhost entry in main.cf? Also, where does mail go after mx.util.phx.redhat.com? I'm guessing there's another hop before the internet because of the DNS failure.

> Which are all redhat.com boxes. So our mail goes from there, to bastion
> to expand out the aliases we have (ultimately) then back to
> mx.util.phx.redhat.com to be relayed out to the rest of the world.

Back to mx.util.phx.redhat.com? Does it come from there or from the MX hosts?

> For various reasons mail bound from bastion to @redhat.com addresses
> probably needs to go through mx.util.phx.redhat.com, however, mail not
> bound for @redhat.com shouldn't have to.

Just curious as to the "various reasons" you mention here.

> I'm proposing using a postfix transport map which explicitly says:
> .redhat.com smtp:mx.util.phx.redhat.com
> redhat.com smtp:mx.util.phx.redhat.com
> * :

I believe you could also remove the last line and, if a relayhost is used in main.cf, comment it out. It should do the same thing since postfix uses DNS MX or A records for next hop delivery.

> So my question for all you nice people is:
>
> Can anyone see any problem with doing this? I've tested it out on a
> different mail server I take care of and it works fine.

I would wonder if this is needed at all? Why can't the redhat.com domain go to the MX too? Just curious.

As long as redhat.com isn't one of bastion's postfix mydestination I would expect everything to still work and be a much easier config to change or troubleshoot later. /me likes things as simple as possible :-)

PS. Was there a meeting yesterday? I was planning on joining but had a conf call scheduled and didn't see notes from the list.

JCJ
Re: transport maps for bastion
On Fri, Jan 16, 2009 at 12:21 PM, seth vidal wrote:
>
> for mail bound to redhat.com or anyhost.redhat.com - relay to
> mx.util.phx.redhat.com
>
> for any other email, relay normally (ie: by the destination's normal
> paths)
>
> So my question for all you nice people is:
>
> Can anyone see any problem with doing this? I've tested it out on a
> different mail server I take care of and it works fine.

I'm not a postfix guru so I won't comment on the postfix details, but I do similar things at $DAYJOB so I approve of the general concept. The only thing that I would suggest would be to have more than one box handling @fedoraproject.org email relays rather than relying on bastion.

--
Jeff Ollie

"You know, I used to think it was awful that life was so unfair. Then I
thought, wouldn't it be much worse if life were fair, and all the
terrible things that happen to us come because we actually deserve
them? So, now I take great comfort in the general hostility and
unfairness of the universe."
-- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon"
transport maps for bastion
Currently all mail which goes through bastion (for example all @fedoraproject.org mail) then relays through mx.util.phx.redhat.com.

So, if we look at our mail route it is:

primary mxes for fedoraproject.org are:

;; ANSWER SECTION:
IN MX 40 smtp.fedora.redhat.com.
IN MX 10 mx1.fedoraproject.org.
IN MX 20 mx2.fedoraproject.org.
IN MX 30 mx3.fedoraproject.org.

Which are all redhat.com boxes. So our mail goes from there, to bastion to expand out the aliases we have (ultimately) then back to mx.util.phx.redhat.com to be relayed out to the rest of the world.

For various reasons mail bound from bastion to @redhat.com addresses probably needs to go through mx.util.phx.redhat.com, however, mail not bound for @redhat.com shouldn't have to.

I'm proposing using a postfix transport map which explicitly says:

.redhat.com smtp:mx.util.phx.redhat.com
redhat.com smtp:mx.util.phx.redhat.com
* :

This says:

for mail bound to redhat.com or anyhost.redhat.com - relay to mx.util.phx.redhat.com

for any other email, relay normally (ie: by the destination's normal paths)

So my question for all you nice people is:

Can anyone see any problem with doing this? I've tested it out on a different mail server I take care of and it works fine.

-sv
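To check what seth's three-line table actually does for a recipient, and the interaction with relayhost that JCJ raises in his reply, here is a model of the transport(5) lookup as an added example for this thread; it is not code from bastion's configuration or from Postfix. It follows transport(5) for the domain part of the lookup: the full address first, then the exact domain, then each parent domain in the '.parent' form (which is why seth needs both redhat.com and .redhat.com, since transport_maps is not in parent_domain_matches_subdomains by default), then the '*' wildcard. Its handling of empty fields is the example's reading of transport(5): an empty transport and empty nexthop ('* :') means "do not change", i.e. route as if the table did not exist, which is relayhost when one is set and the recipient domain's MX otherwise; a transport with an empty nexthop ('smtp:') resets the nexthop to the recipient domain. The recipients are constructed.

```python
"""Added example (not from the thread): resolve recipients against a Postfix
transport(5) table the way transport_maps lookups are ordered, to see where
each destination would be handed off."""

PROPOSED_TRANSPORT = """\
.redhat.com smtp:mx.util.phx.redhat.com
redhat.com smtp:mx.util.phx.redhat.com
* :
"""


def parse_transport(text):
    """Parse 'pattern transport:nexthop' lines into {pattern: (transport, nexthop)}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        transport, _, nexthop = result.partition(":")
        table[pattern.lower()] = (transport.strip(), nexthop.strip())
    return table


def lookup(table, recipient):
    """Return (pattern matched, transport, nexthop), or None when nothing matches.
    Order: user@domain, domain, .parent for each parent domain, then '*'.
    (user+extension forms are omitted; the proposed table has no address keys.)"""
    recipient = recipient.lower()
    domain = recipient.rsplit("@", 1)[-1]
    if recipient in table:
        return (recipient,) + table[recipient]
    if domain in table:
        return (domain,) + table[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):        # a.b.c -> .b.c, then .c
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return (parent,) + table[parent]
    if "*" in table:
        return ("*",) + table["*"]
    return None


def route(table, recipient, relayhost=None, default_transport="smtp"):
    """Resolve to (transport, nexthop) as handed to the delivery agent.
    Assumed semantics, per transport(5): empty transport + empty nexthop =
    'do not change' (relayhost if set, else the recipient domain); non-empty
    transport + empty nexthop = nexthop reset to the recipient domain;
    empty transport + nexthop = default transport to that nexthop."""
    domain = recipient.lower().rsplit("@", 1)[-1]
    hit = lookup(table, recipient)
    transport, nexthop = (hit[1], hit[2]) if hit else ("", "")
    if not transport and not nexthop:
        return (default_transport, relayhost or domain)
    if transport and not nexthop:
        return (transport, domain)
    return (transport or default_transport, nexthop)


TABLE = parse_transport(PROPOSED_TRANSPORT)

if __name__ == "__main__":
    for rcpt in ["foo@redhat.com", "bar@mx.util.phx.redhat.com",
                 "baz@fedoraproject.org", "qux@notredhat.com"]:   # constructed
        print(rcpt, "matched", lookup(TABLE, rcpt),
              "| no relayhost:", route(TABLE, rcpt),
              "| relayhost set:", route(TABLE, rcpt, relayhost="mx.util.phx.redhat.com"))
```

Two things the run makes visible: notredhat.com does not match .redhat.com (parent matching is label-based, not a suffix string match), and with relayhost still set in main.cf the '* :' entry leaves non-redhat.com mail going to the relayhost anyway, which is why JCJ suggests commenting relayhost out if the intent is direct MX delivery for everything else.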
Re: DRBD
On Fri, 16 Jan 2009, Oliver Falk wrote:
> Mike McGrath wrote:
> > On Thu, 15 Jan 2009, Ramez Hanna wrote:
> > > so what is the project?
> > >
> > Finding out if Fedora/RHEL is one of the few major distros without drbd.
>
> It *IS*! :-(
>
> Although it's not too hard to generate RPMs from the tarballs and use it...
>
> I'd be happy to see it included in Fedora/RHEL! I guess the guys from Linbit
> (located here in Austria), wouldn't mind as well :-)
>

I've been talking with those guys a bit too. Seems the kernel module is the last thing blocking getting this in. I'm still trying to figure out what our options are here.

-Mike
Re: DRBD
Mike McGrath wrote:
> On Thu, 15 Jan 2009, Ramez Hanna wrote:
> > so what is the project?
>
> Finding out if Fedora/RHEL is one of the few major distros without drbd.

It *IS*! :-(

Although it's not too hard to generate RPMs from the tarballs and use it...

I'd be happy to see it included in Fedora/RHEL! I guess the guys from Linbit (located here in Austria), wouldn't mind as well :-)

-of