Send inn-workers mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.isc.org/mailman/listinfo/inn-workers
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of inn-workers digest..."
Today's Topics:
1. Re: nnrp conf (Edwardo Garcia)
2. Re: nnrp conf (Russ Allbery)
----------------------------------------------------------------------
Message: 1
Date: Thu, 4 Dec 2014 13:48:13 +1000
From: Edwardo Garcia <[email protected]>
To: Russ Allbery <[email protected]>
Cc: [email protected]
Subject: Re: nnrp conf
Message-ID:
<CANso6eH0Z5eK3Sc89GgUzyLV+7NOCQxG3KT=df6f_op5ais...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Great thank you for that!
I have one more question, limit user concurrent?
Is innflag -H 6 -X 3600 the only way? Because I concern at 128
limit I read?
I read in archive from Julien some script but not work here even when
change path, I must called it wrong, but if innflag can do job that
better
On 12/3/14, Russ Allbery <[email protected]> wrote:
> Edwardo Garcia <[email protected]> writes:
>
>> before I put back server on, is possible to have multi auth refer to one
>> access? or require matching pair?
>
> Yes.
>
> The idea behind readers.conf is that the auth blocks assign an identity to
> the user, and then the access blocks map identities to permissions. So,
> if you have multiple auth blocks that map different incoming connections
> to the same identity, they'll all have exactly the same access.
>
> If you want to have all rules come in pairs, so that one auth block always
> maps uniquely to one access block, there are two ways to do it. The
> easiest is to always use the default: key in the auth block to assign a
> unique identity that shows up only in that auth block, and then have all
> your access blocks assign permissions based on those unique identities,
> matching only one such identity in each block.
>
> (You can also use key:, but that's a bit more complicated.)
>
>> example:
>
>> auth "localhost" {
>> hosts: "localhost, 127.0.0.1, ::1, stdin, 200.x.x.x.x/24"
>> default: "<localhost>"
>> }
>
>> access "localhost" {
>> users: "<localhost>"
>> newsgroups: "*"
>> access: RPA
>> }
>
> This access block matches only that auth block.
>
>> auth name1 {
>> hosts: " foo/16, bah/19, somefoo/19"
>> default: "<parent>" <--------------------------------
>> }
>
>> auth name2 {
>> hosts: "x.x.x/17, x.x.x.x/16, ..."
>> default: "<parent>" <--------------------------------
>> }
>
>> access subsids {
>> users: "<parent>" <-----------------
>> newsgroups: "*"
>> }
>
> This access block goes with any auth block that assigns an identity of
> <parent>. So it gives the same access to connections that match either of
> those auth blocks.
>
>> is this right? each subsidiary business we let access to, has many many
>> IP range, I see 8k limit per host line still, and we keep this clean in
>> case company sell off one company we just delete block, hope have syntax
>> right and wont be open server again?
>
> That should not open the news server to the world. I think you've got the
> right configuration for what you're trying to do.
>
> --
> Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
>
> Please send questions to the list rather than mailing me directly.
> <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
> _______________________________________________
> inn-workers mailing list
> [email protected]
> https://lists.isc.org/mailman/listinfo/inn-workers
>
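A small Python model of the auth-to-identity-to-access mapping described in the quoted reply above, added here as an illustration and not taken from either poster or from INN. The addresses are constructed documentation ranges, `users:` matching is approximated with fnmatch, and "last matching block wins" is an assumption to check against readers.conf(5) for your version.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample blocks in file order: (name, hosts, default identity).
# Documentation address ranges, not the poster's networks.
AUTH_BLOCKS = [
    ("localhost", ["127.0.0.1/32", "::1/128"], "<localhost>"),
    ("name1", ["192.0.2.0/24", "198.51.100.0/25"], "<parent>"),
    ("name2", ["203.0.113.0/24"], "<parent>"),
]
# (name, users pattern, newsgroups pattern)
ACCESS_BLOCKS = [
    ("localhost", "<localhost>", "*"),
    ("subsids", "<parent>", "*"),
]

def identity_for(client_ip):
    """Return (auth block name, identity) of the last auth block matching the IP."""
    addr = ipaddress.ip_address(client_ip)
    match = None
    for name, hosts, default in AUTH_BLOCKS:
        for cidr in hosts:
            net = ipaddress.ip_network(cidr)
            if addr.version == net.version and addr in net:
                match = (name, default)  # assumption: later blocks override
    return match

def access_for(identity):
    """Return the name of the last access block whose users pattern matches."""
    match = None
    for name, users, _newsgroups in ACCESS_BLOCKS:
        if fnmatchcase(identity, users):
            match = name
    return match

def resolve(client_ip):
    """Map a client address to its auth block, identity and access block."""
    auth = identity_for(client_ip)
    if auth is None:
        return None  # no auth block matched, so no identity and no access
    auth_name, identity = auth
    return {"auth": auth_name, "identity": identity,
            "access": access_for(identity)}

def shared_identities():
    """Identities assigned by more than one auth block; these share one access."""
    seen = {}
    for name, _hosts, default in AUTH_BLOCKS:
        seen.setdefault(default, []).append(name)
    return {ident: names for ident, names in seen.items() if len(names) > 1}
```

Calling `resolve()` on an address outside every `hosts:` range returns `None`, which is the "not open to the world" property the reply confirms.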
------------------------------
Message: 2
Date: Wed, 03 Dec 2014 20:35:04 -0800
From: Russ Allbery <[email protected]>
To: [email protected]
Subject: Re: nnrp conf
Message-ID: <[email protected]>
Content-Type: text/plain
Edwardo Garcia <[email protected]> writes:
> Great thank you for that!
> I have one more question, limit user concurrent?
> Is innflag -H 6 -X 3600 the only way? Because I concern at 128
> limit I read?
I'm not sure what the last part of that sentence meant, but yes, those
flags are the only method out of the box for controlling the number of
concurrent connections. Unfortunately, those are not by user; rather,
they're by IP address. That may be good enough in your situation. I'm
not sure.
If you need to control access by authenticated user, you have to do
something more complicated with the nnrpd access hooks, and there isn't
anything available out of the box for that.
--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
Please send questions to the list rather than mailing me directly.
<http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
------------------------------
End of inn-workers Digest, Vol 67, Issue 4
******************************************