Bug 179966 - trillian.gtlib.gatech.edu (128.61.111.9) in rsync.us.gentoo.org blocks some networks
Status: RESOLVED FIXED
Alias: None
Product: Mirrors
Classification: Unclassified
Component: Server Problem (show other bugs)
Hardware: All (OS: All)
Importance: High critical
Assignee: Mirror Admins
Reported: 2007-05-27 06:44 UTC by SpanKY
Modified: 2007-07-14 18:18 UTC

Description SpanKY gentoo-dev 2007-05-27 06:44:09 UTC
Since my last mirror was busted, I decided to try a new one, only to get cock-blocked at the last second ... just not my day, it seems.

$ rsync rsync://128.61.111.9/gentoo-portage/metadata/timestamp .
<retardedly long motd>
@ERROR: access denied to gentoo-portage from unknown (141.157.190.139)
rsync error: error starting client-server protocol (code 5) at main.c(1386) [receiver=2.6.9]
$
Comment 1 Neil Bright 2007-05-30 17:45:44 UTC
We are indeed denying access from sites that do not have valid entries in DNS.  We do a reverse DNS query on the incoming IP address.  If we get a name back, we do a query on that to get an IP address.  If that address does not match the incoming address, or any of the DNS queries fail we deny access.

Please contact your DNS administrator and request that they fix their DNS.  Until such time as this is corrected, you will not be allowed access to 128.61.111.9.
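The check Neil describes in comment 1 is forward-confirmed reverse DNS: PTR the client address, A-lookup the name that comes back, and deny unless the original address is among the answers, with any lookup failure also counting as a denial. The following is an added example, not GTLib's or Gentoo's code. It takes the resolver as a parameter so the rule can be run offline against a constructed DNS table (the table below is hypothetical and mirrors the cases in this thread); SystemResolver does the same two lookups through the OS resolver. The last case in the table is the one Andrew raises later in the thread: a client whose operator controls both the reverse and forward zones passes the check.

```python
"""Forward-confirmed reverse DNS (FCrDNS) gate of the kind comment 1 describes.

Added example, not GTLib's or Gentoo's code.  The lookups are injected through
a resolver object so the policy can be exercised offline against a constructed
DNS table; SystemResolver does the same lookups through the OS resolver.
"""
import socket
from typing import Dict, List, Optional, Tuple


class TableResolver:
    """Constructed in-memory DNS data for the demo; NOT real DNS records."""

    def __init__(self, ptr: Dict[str, str], a: Dict[str, List[str]]):
        self.ptr = ptr  # client IP -> PTR name
        self.a = a      # name -> A records

    def reverse(self, ip: str) -> Optional[str]:
        return self.ptr.get(ip)

    def forward(self, name: str) -> List[str]:
        return list(self.a.get(name, []))


class SystemResolver:
    """Real PTR and A lookups via the OS stub resolver (needs network access)."""

    def reverse(self, ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    def forward(self, name: str) -> List[str]:
        try:
            return socket.gethostbyname_ex(name)[2]
        except (socket.herror, socket.gaierror):
            return []


def fcrdns_check(ip: str, resolver) -> Tuple[bool, str]:
    """Apply comment 1's rule: PTR the IP, A-lookup the name, and deny unless
    the original IP is among the answers.  Any failed lookup is a denial, which
    is why a client with no PTR shows up as 'unknown' in the rsync error."""
    name = resolver.reverse(ip)
    if not name:
        return False, "unknown"
    addrs = resolver.forward(name)
    if not addrs:
        return False, f"{name} has no A record"
    if ip not in addrs:
        return False, f"{name} resolves to {', '.join(addrs)}, not {ip}"
    return True, name


# Constructed table mirroring the cases in this thread (hypothetical data):
#  - the mirror itself, whose PTR and A records agree;
#  - the reporter's Verizon address, which has no PTR at all;
#  - a host whose PTR points at a name that resolves elsewhere;
#  - a host whose owner controls both zones, which passes (comment 8's point).
DEMO_RESOLVER = TableResolver(
    ptr={
        "128.61.111.9": "trillian.gtlib.gatech.edu",
        "192.0.2.10": "mirror.example.net",
        "203.0.113.7": "box.example.org",
    },
    a={
        "trillian.gtlib.gatech.edu": ["128.61.111.9"],
        "mirror.example.net": ["192.0.2.20"],
        "box.example.org": ["203.0.113.7"],
    },
)

if __name__ == "__main__":
    for client in ("128.61.111.9", "141.157.190.139", "192.0.2.10", "203.0.113.7"):
        allowed, why = fcrdns_check(client, DEMO_RESOLVER)
        print(f"{client:16} {'allow' if allowed else 'deny '} {why}")
```

Run as a script it prints one line per constructed client; `fcrdns_check(ip, SystemResolver())` runs the same rule against live DNS. The example does not distinguish a temporary resolver failure from a genuinely missing record, which is the same weakness the thread complains about: a transient DNS outage anywhere on the path denies the client.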
Comment 2 SpanKY gentoo-dev 2007-05-31 02:04:48 UTC
Sure, my ISP (Verizon) may blow goats (I agree) and their DNS is completely screwed, but so what?

If you want to run an anal-retentive rsync mirror, that's your decision, but I think that it doesn't belong anywhere in our public mirror system.

Mirror-admins: can we get our policy updated and this mirror rotated out in favor of a real open one?
Comment 3 Shyam Mani (RETIRED) gentoo-dev 2007-07-02 11:09:45 UTC
Neil,

I'm sorry, but I have to agree with Spanky here. A good number of our users do connect from home, or have ISPs that have messed up DNS settings.

Denying access based solely on failed reverse look-ups seems a little too harsh.

Please let me know what you think and if you're willing to stop blocking IPs that don't (reverse) resolve correctly.

Another important thing: DNS admins/ISPs are usually not very helpful with requests they get to "fix" their stuff. Unless, of course, it's at a university or something. Common issues can't have restrictive solutions.
Comment 4 Neil Bright 2007-07-02 13:47:16 UTC
We have export-restricted code that is made available both from the Gentoo distribution as well as others hosted on the same machine.  DNS is a 'due diligence' sort of mechanism we can use to comply with those restrictions, i.e. *.sy and such can easily be excluded.  Unfortunately, 'unknown' must also be excluded.  Alternate suggestions on how to comply with these export restrictions would be welcome.  How do your other mirrors handle this?
Comment 5 Shyam Mani (RETIRED) gentoo-dev 2007-07-04 17:37:26 UTC
Neil,

Can you be more specific? A Gentoo ebuild needs an export-restricted package? Or are you saying the machine that hosts the Gentoo mirrors has code (for some other distro/purpose) that is export restricted?
Comment 6 Neil Bright 2007-07-05 12:56:47 UTC
I'm saying both.  Well, technically ebuilds aren't the problem, but I'm also a distfiles mirror.  There is OpenSSH in there.  GTLib also hosts most other Linux distributions as well as FreeBSD, NetBSD, OpenBSD, mozilla, apache, etc...
Comment 7 Shyam Mani (RETIRED) gentoo-dev 2007-07-05 13:58:53 UTC
(In reply to comment #6)
> I'm saying both.  Well, technically ebuilds aren't the problem, but I'm also a
> distfiles mirror.  There is OpenSSH in there.  GTLib also hosts most other
> Linux distributions as well as FreeBSD, NetBSD, OpenBSD, mozilla, apache,
> etc...

And which of these are export restricted? I don't know of any open source distro or program being export-restricted by the US.
Comment 8 Andrew Gaffney (RETIRED) gentoo-dev 2007-07-05 14:03:09 UTC
That seems like a very ineffective means of preventing "the terrorists" from obtaining "teh sekrit US crypto code", since people can easily set up reverse DNS and get around your DNS check. At work, the reverse DNS on the T1's main IP doesn't have a country code. How do you know I'm not an evil person trying to get my hands on export restricted code?
Comment 9 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-07-05 14:14:36 UTC
As somebody who was on the opposite side of the problem recently, there is far better data to use for blocking. Blocking simply because the DNS entry ends in the country code is especially bad in this age of Web 2.0 sites that use foreign country codes for nice names. On the other side, there are definitely sites in US-export-restricted countries that end in the classical .net/.com/.org.
Reverse DNS is also easy to forge for anybody with an actual netblock allocation.

For a MUCH better solution, with less fallout, grab the allocated netblock data per country from this site: http://www.completewhois.com/statistics/data/ips-bycountry/rirstats/

Here's Syria and Cuba:
http://www.completewhois.com/statistics/data/ips-bycountry/rirstats/SY-cidr.txt
http://www.completewhois.com/statistics/data/ips-bycountry/rirstats/CU-cidr.txt

As regards the legal side of it, due to some legal stuff from a US court, despite the fact the company I work for is Canadian, we are currently blocking any US access to one of our services. The only solution that the court would agree to for that was the above netblock data.
Comment 10 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-07-05 14:18:16 UTC
Err, hit the Google cache for the moment; their site is down for maintenance today. http://72.14.253.104/search?q=cache:KiydLxnaRU8J:www.completewhois.com/statistics/data/ips-bycountry/rirstats/CU-cidr.txt+CU-cidr.txt&hl=en&ct=clnk&cd=1&gl=ca&client=firefox-a
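Robin's suggestion in comment 9 replaces a per-connection DNS heuristic with a static table of RIR-allocated netblocks per country. The following added example (not GTLib's or completewhois.com's code) shows the lookup side of that: parse per-country CIDR files of the kind linked above, build a longest-prefix-match table, and classify client addresses. The two lists embedded below are constructed from RFC 5737 documentation prefixes and are not real SY or CU allocations; a deployment would read the real `SY-cidr.txt` and `CU-cidr.txt` files instead. Neil's eventual fix lived in the firewall; the `rsyncd_hosts_deny` helper renders the same policy as an rsyncd.conf `hosts deny` line as an alternative for a mirror operator without firewall access, which is this example's assumption, not something the thread describes.

```python
"""Country blocking from per-country CIDR lists, the approach comment 9
recommends over reverse-DNS heuristics.

Added example, not GTLib's or completewhois.com's code.  The lists below are
constructed from RFC 5737 documentation prefixes and are NOT real SY/CU
allocations; a deployment would read the real *-cidr.txt files instead.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Constructed stand-ins for SY-cidr.txt and CU-cidr.txt (one prefix per line).
SAMPLE_LISTS: Dict[str, str] = {
    "SY": "# constructed sample, not real data\n192.0.2.0/25\n192.0.2.128/26\n",
    "CU": "198.51.100.0/24\n203.0.113.0/26\n",
}


def parse_cidr_list(text: str) -> list:
    """Parse one prefix per line; blank lines and '#' comments are ignored and
    a malformed line raises rather than silently shrinking the blocklist."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


class CountryBlocklist:
    """Longest-prefix match keyed by prefix length: one dict probe per distinct
    prefix length instead of a scan over every network in every list."""

    def __init__(self, lists: Dict[str, Iterable]):
        self._by_plen: Dict[int, Dict] = {}   # prefix length -> {network: country}
        for country, nets in lists.items():
            for net in nets:
                self._by_plen.setdefault(net.prefixlen, {})[net] = country
        self._plens = sorted(self._by_plen, reverse=True)  # most specific first

    def country_of(self, ip: str) -> Optional[str]:
        """Country code of the most specific listed prefix covering ip, or None.
        An address in no list (the 'unknown' case) is simply not matched."""
        addr = ipaddress.ip_address(ip)
        for plen in self._plens:
            if plen > addr.max_prefixlen:   # IPv6-only lengths for an IPv4 client
                continue
            candidate = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
            country = self._by_plen[plen].get(candidate)
            if country:
                return country
        return None

    def is_blocked(self, ip: str) -> bool:
        return self.country_of(ip) is not None

    def networks(self) -> list:
        """All listed prefixes, deduplicated and merged where adjacent."""
        nets = [net for table in self._by_plen.values() for net in table]
        merged: List = []
        for version in (4, 6):   # collapse_addresses refuses mixed versions
            merged.extend(ipaddress.collapse_addresses(
                n for n in nets if n.version == version))
        return merged


def rsyncd_hosts_deny(bl: CountryBlocklist) -> str:
    """Render the policy as an rsyncd.conf 'hosts deny' line (rsyncd accepts
    addr/prefix patterns).  Alternative to the firewall-level fix in the thread."""
    return "hosts deny = " + " ".join(str(n) for n in bl.networks())


BLOCKLIST = CountryBlocklist(
    {code: parse_cidr_list(text) for code, text in SAMPLE_LISTS.items()})

if __name__ == "__main__":
    for client in ("192.0.2.5", "198.51.100.77", "141.157.190.139"):
        print(f"{client:16} {BLOCKLIST.country_of(client) or 'not listed'}")
    print(rsyncd_hosts_deny(BLOCKLIST))
```

The table is rebuilt from the lists rather than consulted over the network, so a DNS outage cannot turn into a denial, and the reporter's address, which is in no country list, is unaffected. Allocation data changes, so the lists have to be refreshed on a schedule; the thread's source states nothing about how often.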
Comment 11 Neil Bright 2007-07-09 19:55:45 UTC
This looks like a much better solution than the DNS hackery I currently have in place.  I've talked to our firewall folks and it looks doable.  I'll update this ticket when implemented.
Comment 12 Neil Bright 2007-07-12 18:28:13 UTC
We've implemented blocking based on networks from Complete WHOIS and have removed the DNS based mechanism.  Much thanks to Robin for the suggestion!

Spanky, would you mind verifying that you can successfully access rsync://128.61.111.9/gentoo-portage/metadata/timestamp?
Comment 13 SpanKY gentoo-dev 2007-07-14 09:26:18 UTC
Yes, I can rsync again.
Comment 14 Shyam Mani (RETIRED) gentoo-dev 2007-07-14 18:18:31 UTC
Alright guys, closing this bug. 

Thanks to Robin for suggesting the workaround, to Neil for putting it in place and Spanky for spanking it :p