On Sat, 07 Jun 1997 19:40:48 -0400, timh @
net ("Timothy D.J. Hunt")
>At 07:55 AM 6/5/97 -0500, Joe Doetzl wrote:
>>I have a customer who wishes to install a NNTP server. It is likely
>>that they will host internal newsgroups that will need to be protected.
>The problem with the standard news feed is that the standard "IHAVE"
>protocol is a "push" feed
>with the sender connecting to your server. For this to work, your
>news server would need to be in the DMZ.
The other catch with a "push" feed in both directions is that, unless
your ISP sets up some means for you to control the feed (gup, etc)
then you need to call them each time you want changes, etc.
A "pull" feed is arguably harder on the server you're pulling from
than allowing it to feed you at will, but it's more secure, and gives
you control over what you get, *and* gets you out of your ISP's
I've just set up an INN-like server (Nutscrape) on my internal
network, but 'cos my ISP didn't get his act together quick
enough, I wrote my own pull feed.
One perl script that reads the active file for a list of what it
should go get, then calls nntpget for each newsgroup with
date/time parameters it gets from it's own database forms
the basis of the down "pull". A second script reads the spool
list for the upstream news server (that INN tries to contact, but
cannot) and plucks out the articles from the local spool and
posts them back upstream aka regular nntp client.
Security wise, the INN server sits on my internal RFC1597
network, and the firewall and router have been configured to
allow NNTP client access from only the internal news server
and to only my ISP's news server. The firewall uses a
simple plug-gw like proxy to pass the traffic.
Feels nice and safe to me, and it works, with maybe a 5 min
delay before the postings hit the street, which is pretty
much standard anyway...
For what my opinion is worth, the Nutscrape News Server
seems pretty brain dead and inconfigurable to me, but the
one thing I did like was it sent all that recent rash of
"cmsg sendsys" and "send-me-your-passwd-file" control
postings to me and said "Do we really wanna send our
passwd file to this guy?" out of the box :-)