On Mon, 2003-09-08 at 01:00, Rodolfo J. Paiz wrote:
> At 00:22 9/8/2003 -0500, you wrote:
> >Shorewall is set up to only allow ports 53, 80, 25, 123, 443
>
> FYI, on the Shorewall site, in the "contrib" directory, there is a very
> simple Mini-HOWTO I wrote on using Portsentry in combination with Shorewall
> to do dynamic, real-time blocking of Bad People [tm] who touch certain
> ports on your server. I highly recommend it in reducing the threat level
> from some types of hackers and script kiddies.
>
Good idea. I used to use portsentry on my other boxes, and after rebuilding
them to newer RH versions I never got around to portsentry. I'll take a look
at your HOWTO.

> >The host name is set to webserver1.maindomain.com and I have
> >mail1.maindomain.com set up in DNS as the MX record for each of the
> >domains.
> >
> >The first question I have is how can I get sendmail to use the name
> >mail1 instead of webserver1.
>
> You _are_ aware that there is no technical need for this, right? I don't
> actually know the answer to your question, but if you're concerned about
> functionality, let me reassure you that there is no problem. We run about
> 100 small domains on one box, and everyone is told to use
> "mail.theirdomain.com" as SMTP/POP server. However, all mail sent from the
> server comes from "rita.anotherdomain.com". No one has cared yet.

Yeah, I figured that, but it is nice to have confirmation. Just sort of
irritating to me.

> >I am about to mail the colo company where this server lives to request
> >that the reverse DNS entries be added. The mail server is pretty much
> >the only thing that runs on the IP that it is on; call it 123.123.123.2.
> >There will be an SSL-enabled website on 123.123.123.1 and the Apache
> >vhosts running on 123.123.123.3. BTW, the master DNS server (forward) is
> >running on 123.123.123.3 also.
>
> Suggest you keep the .1 address for all "his" stuff, the .2 address for all
> the vhosts, and the .3 for the SSL-enabled site. Why? From then on, all
> your SSL sites will be "from 3 to 10" and you will have less chance of
> error and stuffing something onto the wrong IP by mistake. However, this is
> just a trifle... my own personal sense of mental order. It does not matter
> how you order them.

Yeah, I have been thinking about that myself. I may do that once all the
testing is done.
> >Should I request that all the various names like www.domain1.com and
> >www.domain2.com and dns1.maindomain.com be added to the reverse mapping
> >for 123.123.123.3?
>
> Good Lord, no.
>
> For starters, that's not even possible in the sense you mean it. You _can_
> have:
>
> me.domain.com  IN A   123.123.123.2
> you.domain.com IN A   123.123.123.2
>
> But you _cannot_ have:
>
> 123.123.123.2  IN PTR me.domain.com
> 123.123.123.2  IN PTR you.domain.com
>
> Maybe you can do it if reverse-round-robin-DNS exists, but so far as I know
> it doesn't and, in any case, you would get any name at random from that
> list for every request anyway, which is not what you want. Simply set the
> reverse DNS to something that makes sense to YOU: 99.99% the only check
> that is made for reverse DNS is that it exists, not that it matches with
> forward DNS in any way.

This is as I thought. I did see a reference to the fact that it was the
original intention of reverse mapping to only map an IP to one entry, but
that the limitations of CNAME records had rendered that not practical. Now,
of course, I can't find the reference.

> Again, our 100 domains run on about 30 IP addresses, and the reverse DNS on
> all 30 addresses is the same: "rita.otherdomain.com". No one has yet cared.

Cool, thanks.

Bret

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
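The forward/reverse asymmetry discussed in the thread above, as an added example that is not part of the original exchange: many A records may point at one address, but the address gets one PTR, and the check a receiving mail server makes when it does look beyond "a PTR exists" is forward-confirmed reverse DNS (FCrDNS): IP -> PTR name -> A records of that name -> must contain the IP. The zone data below is constructed from the thread's hypothetical names (domain.com, 123.123.123.x, rita.otherdomain.com) and lives in memory, so nothing is queried over the network; the function names are my own.

```python
"""FCrDNS check against an in-memory forward and reverse zone.

Added example (not from the thread). Zone data is constructed; only the
owner-name derivation uses a real standard (RFC 1035 in-addr.arpa,
RFC 3596 ip6.arpa) via the stdlib ipaddress module.
"""
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed forward zone: several names legitimately share one address.
FORWARD_A: Dict[str, Set[str]] = {
    "me.domain.com.": {"123.123.123.2"},
    "you.domain.com.": {"123.123.123.2"},
    "dns1.maindomain.com.": {"123.123.123.3"},
    "rita.otherdomain.com.": {"123.123.123.1", "123.123.123.3"},
}

# Constructed reverse zone: one PTR per address, as the colo would publish it.
REVERSE_PTR: Dict[str, List[str]] = {
    "1.123.123.123.in-addr.arpa.": ["rita.otherdomain.com."],
    "2.123.123.123.in-addr.arpa.": ["me.domain.com."],
    "3.123.123.123.in-addr.arpa.": ["rita.otherdomain.com."],
}


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def ptr_names(ip: str, reverse: Dict[str, List[str]] = REVERSE_PTR) -> List[str]:
    """All PTR targets published for `ip` (normally exactly one)."""
    return list(reverse.get(reverse_name(ip), []))


def fcrdns(ip: str, forward: Dict[str, Set[str]] = FORWARD_A,
           reverse: Dict[str, List[str]] = REVERSE_PTR) -> Optional[str]:
    """First PTR target whose A records contain `ip`, or None.

    Passing does not require that every name hosted on `ip` appear in the
    reverse zone, only that the name the PTR names resolves back to `ip`.
    """
    for name in ptr_names(ip, reverse):
        if ip in forward.get(name, set()):
            return name
    return None


def helo_matches_ptr(helo: str, ip: str,
                     reverse: Dict[str, List[str]] = REVERSE_PTR) -> bool:
    """Does the name a client presents in HELO/EHLO equal a PTR for its IP?"""
    wanted = helo.rstrip(".").lower() + "."
    return wanted in {n.lower() for n in ptr_names(ip, reverse)}


def single_ptr(ip: str, reverse: Dict[str, List[str]] = REVERSE_PTR) -> bool:
    """Lint for the reverse-zone request: exactly one PTR per address."""
    return len(ptr_names(ip, reverse)) == 1


if __name__ == "__main__":
    for addr in ("123.123.123.1", "123.123.123.2", "123.123.123.3"):
        print(addr, reverse_name(addr), "->", fcrdns(addr))
    # A name hosted on .2 but not named by its PTR still fails a HELO match.
    print("you.domain.com HELO ok?", helo_matches_ptr("you.domain.com", "123.123.123.2"))
```

Note the last line: you.domain.com has a perfectly good A record for .2, and FCrDNS for .2 still passes, yet a HELO of you.domain.com does not match the PTR. That is why the reverse name should be whatever the MTA itself announces (here the thread's mail1 / webserver1 question), not one of the many web vhost names.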