this list whose address isn't resolving again. It seems like it's taking these messages about a half hour to get delivered. The message I'm replying to was sent at 21:42 EDT, but wasn't delivered to my mail server until 22:04 EDT. Might be worth double-checking what's going on with postfix.)
Deskin Miller wrote:
> Alias interfaces let you run multiple independent copies of the same
> network server from the same NIC, and have them be addressed
> differently, have truly different DNS entries, and all use standard
> port numbers.

OK, but why does that require a different interface name? ;-)

You should be able to do all of that by just adding a second IP to the same interface, without creating an alias. Aliases were required when using net-tools, but they shouldn't be required anymore.

I am fairly sure that Apache (for instance) can run multiple copies of itself, each with a different Listen directive pointing at a different IP. AFAIK it does not require different interface names. (I think this is because the only way to bind to a specific interface by name is to use a non-portable ioctl. I'm not positive on that though. I do know that bind(2) can choose which NIC it listens on based on the IP address in the sockaddr_in structure that the server program passes to it, and that *is* portable.)

> I imagine they're a huge win for low-end Web hosting companies, who
> might put several Web servers/VMs

Oh, I think I see where you're coming from; OK. VMs probably do require different interface names on the host, yes.

But note that this ISP is not getting nearly as much separation as they may think between the VMs: an attacker can take down all their VMs just by changing which IP he targets, for instance. (Assuming there's some DoS available against each of them. The same logic applies to taking over each of the VMs, too, if the attacker has an exploit.) Maybe that's not an issue for these small hosts, though. If the second IP won't handle traffic that has to be separated for security reasons, then it may be OK.

> They're wonderfully useful for firewall rules, <...> QOS <...>

I'm not sure how "-i eth0:4" is any different from "-d <IP for alias 4>" when someone can flip their traffic over to eth0:4 just by changing its destination IP. 802.1q VLANs, IMO, are a better way to separate your traffic, if your switches properly support that protocol.

Firewall rules won't be any more *secure* if they use the alias, basically. (There may be other advantages though.) OTOH, if we're talking low-end hosting, there probably won't be any security reason for using an alias anyway.

Hmm. Well, whatever. If it won't be too hard to maintain, then I suppose creating the alias is fine. :-)
-- http://linuxfromscratch.org/mailman/listinfo/lfs-dev FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
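The bind(2) point made in the reply above, as an added example that is not part of the original message or the LFS project: two independent TCP listeners share one port number and are kept apart only by the destination IP each is bound to, with no alias interface or interface name involved. It assumes Linux, where the whole 127.0.0.0/8 range is local to the loopback device, so 127.0.0.1 and 127.0.0.2 both bind without any extra configuration; the port is chosen by the kernel for the first socket and reused for the second. The final wildcard bind is there to show that the kernel treats the address, not the interface, as the thing that partitions the port.

```c
/* Added example (not from the mail): IP-based separation of two servers
 * on the same port via bind(2), as described in the reply above.
 * Assumes Linux loopback semantics (127.0.0.0/8 is entirely local). */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a TCP socket bound to ip:port and put it in the listening state.
 * Returns the descriptor, or -1 on failure with errno preserved. */
static int listen_on(const char *ip, uint16_t port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) { close(fd); return -1; }
    /* The address in sockaddr_in is what selects "which NIC" we listen on. */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Port actually assigned to a bound socket (needed after binding port 0). */
static uint16_t bound_port(int fd) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return 0;
    return ntohs(sa.sin_port);
}

/* Returns 1 if two listeners on 127.0.0.1 and 127.0.0.2 coexist on the same
 * port and a wildcard (0.0.0.0) listener on that port is refused with
 * EADDRINUSE, 0 otherwise. No alias interface is created at any point. */
int demo_two_servers_one_port(void) {
    int a = listen_on("127.0.0.1", 0);      /* kernel picks a free port */
    if (a < 0) return 0;
    uint16_t port = bound_port(a);
    int b = listen_on("127.0.0.2", port);   /* same port, different address */
    int ok = (b >= 0);
    /* A wildcard bind would overlap both specific listeners, so it fails. */
    int c = listen_on("0.0.0.0", port);
    ok = ok && c < 0 && errno == EADDRINUSE;
    if (c >= 0) close(c);
    if (b >= 0) close(b);
    close(a);
    return ok;
}

int main(void) {
    printf("two servers, one port, two addresses: %s\n",
           demo_two_servers_one_port() ? "ok" : "failed");
    return 0;
}
```

Each server process in a real deployment would simply pass its own address to bind(2) (Apache's Listen directive does exactly this), which is why no interface name is needed; the flip side, as the mail notes, is that a remote client picks which server it reaches purely by the destination IP, so this is addressing, not a security boundary.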
