MirrorACLRequirements
Jason Fesler edited this page Jul 24, 2019 · 3 revisions
This documents what it takes to run a full mirror, in terms of ACLs.
Name | Description |
---|---|
$SERVER | IP address(es) of the mirror site(s) |
$JFESLER | 216.218.228.112/28 ; 216.218.223.248/28; 2001:470:1:18::/64 ; 2001:470:1f05:479::/64 |
$JFESLER ACLs are only needed if jfesler is being given operational control. This will permit publishing code updates as part of standard test-ipv6.com deployments.
Rule | Description |
---|---|
permit tcp4 from any to $SERVER 80 | HTTP serving |
permit tcp6 from any to $SERVER 80 | HTTP serving |
permit tcp4 from $JFESLER to $SERVER 22 | SSH administration |
permit tcp6 from $JFESLER to $SERVER 22 | SSH administration |
permit udp6 from any to $SERVER 53 | DNS serving |
permit icmp from any to $SERVER | ICMP |
permit icmp6 from any to $SERVER | ICMPv6 |

Rule | Description |
---|---|
permit tcp4 from any to any tcp-established | wget, rsync, etc clients |
permit tcp6 from any to any tcp-established | wget, rsync, etc clients |
permit udp4 from $SERVER 53 to any 1023+ | DNS client; can alternately point to existing DNS resolvers |
permit udp6 from $SERVER 53 to any 1023+ | DNS client; can alternately point to existing DNS resolvers |

Rule | Description |
---|---|
permit tcp4 from $SERVER 80 to any | HTTP |
permit tcp6 from $SERVER 80 to any | HTTP |
permit tcp4 from $SERVER 22 to any | SSH administration |
permit tcp6 from $SERVER 22 to any | SSH administration |
permit udp6 from $SERVER 53 to any | DNS auth for "v6ns" test |
permit icmp from $SERVER to any | ICMP |
permit icmp6 from $SERVER to any | ICMPv6; in particular MUST allow type 2 packet-too-big |

Rule | Description |
---|---|
permit tcp4 from $SERVER to any | wget, rsync etc clients |
permit tcp6 from $SERVER to any | wget, rsync etc clients |
permit udp4 from $SERVER 1023+ to any 53 | DNS client; can alternately point to existing DNS resolvers |
permit udp6 from $SERVER 1023+ to any 53 | DNS client; can alternately point to existing DNS resolvers |
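
Before translating the first rule table into a particular firewall's syntax, it can help to parse the rules and evaluate sample packets against them. The following is an added example, not part of the test-ipv6.com code; the `$SERVER` addresses are placeholders from the documentation ranges, an implicit deny is assumed, and the SSH rule is listed once per address family.

```python
import ipaddress

# $SERVER is a constructed placeholder (documentation ranges); $JFESLER is from the page.
NAMES = {
    "any": ["0.0.0.0/0", "::/0"],
    "$SERVER": ["192.0.2.10/32", "2001:db8::10/128"],
    "$JFESLER": ["216.218.228.112/28", "216.218.223.248/28",
                 "2001:470:1:18::/64", "2001:470:1f05:479::/64"],
}
# strict=False because 216.218.223.248/28 has host bits set; it is read as .240/28.
NETS = {name: [ipaddress.ip_network(p, strict=False) for p in prefixes]
        for name, prefixes in NAMES.items()}

# Inbound service rules; SSH listed once per address family (assumption).
INBOUND = """
permit tcp4 from any to $SERVER 80
permit tcp6 from any to $SERVER 80
permit tcp4 from $JFESLER to $SERVER 22
permit tcp6 from $JFESLER to $SERVER 22
permit udp6 from any to $SERVER 53
permit icmp from any to $SERVER
permit icmp6 from any to $SERVER
"""

def parse(line):
    """Split 'permit PROTO from SRC [PORT] to DST [PORT]' into its fields."""
    tok = line.split()
    if tok[0] != "permit" or tok[2] != "from" or "to" not in tok:
        raise ValueError("unrecognised rule: " + line)
    to = tok.index("to")
    src, dst = tok[3:to], tok[to + 1:]
    return (tok[1], src[0], src[1] if len(src) > 1 else None,
            dst[0], dst[1] if len(dst) > 1 else None)

def in_name(name, ip):
    return any(ip.version == net.version and ip in net for net in NETS[name])

def port_ok(spec, port):
    return spec is None or port == int(spec)

def permitted(rules, l4, src, dst, sport=None, dport=None):
    """True if any rule permits the packet; unmatched traffic is denied (assumed)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    proto = ("icmp" if s.version == 4 else "icmp6") if l4 == "icmp" else f"{l4}{s.version}"
    for r_proto, r_src, r_sport, r_dst, r_dport in map(parse, rules.strip().splitlines()):
        if (r_proto == proto and in_name(r_src, s) and in_name(r_dst, d)
                and port_ok(r_sport, sport) and port_ok(r_dport, dport)):
            return True
    return False
```

Call `permitted(INBOUND, "tcp", src, dst, dport=22)` with a source outside `$JFESLER` to confirm SSH is closed to the general Internet.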