BB Unix Network Monitor - Message
Re: {bb} Multiple BBNET servers
On Sat, 2006-01-14 at 23:50, Ryan Novosielski wrote:
> This is the compromise between my two scenarios... it seems to me, and
> please correct me if I'm wrong, that both machines (the BBNET machine
> and the BBDISPLAY/BBNET machine) need to have the same list of hosts on
> both, they just needn't both say anything?
I'm not sure that I understand the question. Part of the problem is
that BBDISPLAY and BBNET use the bb-hosts file in different ways.
The BBNET machine on your DMZ has no need to know about anything
which is on the internal network, other than the BBDISPLAY it
should report to.
The BBDISPLAY machine needs to have a line for each host (internal
and DMZ) in order to produce an entry on the web pages. If it is
also a BBNET, the entries for hosts in your DMZ will need the
"noconn" directive to suppress the default ping test.
> I would expect that the BBDISPLAY machine has to have every machine
> listed, otherwise it will not display them, but really, to go to the
> extreme if I wanted, I could have BBNET running on both, but on the
> BBDISPLAY machine, turn off all of the tests and let them all be done
> by the other BBNET box (really, what you'd do then is turn off BBNET
> on the machine not doing testing, but I'm just asking to understand
> the functionality).
If you could perform all your network tests from a BBNET on the
DMZ, there would be no need to run an internal BBNET. You could
just remove the BBNET directive from the entry for the BBDISPLAY
machine and add it to the entry for the DMZ BBNET and the bb-hosts
file would be the same on both. Testing an internal network from
the DMZ like this is, however, a real bad thing <tm>. Opening
lots of incoming holes would render the firewall ineffective.
Instead, any network tests for internal machines should be
performed from the internal network. For example, the internal
BB server might have a bb-hosts file like this:
192.168.1.10 int-bb.mydom.com # BBPAGER BBNET BBDISPLAY ftp http://winston.mydom.com/
192.168.1.11 int-post.mydom.com # smtp pop3
192.168.1.12 int_file.mydom.com # ftp dns
## DMZ Hosts
192.168.99.1 dmz-bb.mydom.com # BBNET noconn
192.168.99.2 dmz-post.mydom.com # noconn
192.168.99.3 dmz-file.mydom.com # noconn
Then, for the BB server on your DMZ, the bb-hosts could be like:
192.168.1.10 int-bb.mydom.com # BBPAGER BBNET BBDISPLAY noconn
## Only machines in the DMZ should appear here
192.168.99.1 dmz-bb.mydom.com # BBNET dns
192.168.99.2 dmz-post.mydom.com # smtp pop3
192.168.99.3 dmz-file.mydom.com # ftp
Strictly speaking, each server only needs the BBNET directive for
its own host entry. It does no harm to include the other one,
though, and it provides useful information.
As I think you've already noticed, you can choose to test the
DMZ network services from the DMZ (as above) or from the internal
network. The first method is "purer", while the second is more
comprehensive as it also tests the operation of the firewall.
Which option is more suitable depends entirely on your own
needs. As a guide, I usually test any service that is normally
accessed from the internal network (and so will already have a
"hole" configured on the firewall) from the inside. Anything else,
I would test from the DMZ machine.
Another thing that may be worth considering is the need for
any connectivity testing at all on the DMZ. If each of the
DMZ machines is providing network services that can be
accessed from the internal network, there is not much to
be gained from being able to differentiate between cases
where the service has stopped and those where the power or
network cable has been disconnected. The extra complexity may,
or may not, be justified for your situation.
Cheers, Phil.
--
The most dangerous thing in the combat zone is an officer with
a map.
--