Bug#912524: snapshot.debian.org is unreachable from (apparently) 18.128.0.0/9
- To: Peter Palfrader <weasel@debian.org>, 912524@bugs.debian.org, Jeremy Apthorp <jeremya@chromium.org>
- Cc: Noah Meyerhans <noahm@debian.org>, Mike Hommey <mh+reportbug@glandium.org>
- Subject: Bug#912524: snapshot.debian.org is unreachable from (apparently) 18.128.0.0/9
- From: Julien Cristau <jcristau@debian.org>
- Date: Mon, 21 Oct 2019 15:29:28 +0200
- Message-id: <[🔎] 20191021132928.GA19207@jcristau-z4>
- Reply-to: Julien Cristau <jcristau@debian.org>, 912524@bugs.debian.org
- In-reply-to: <20181102091512.wtxmyorlgxjghvmt@sarek.noreply.org>
- References: <154103321167.27271.738828882358740663.reportbug@mitsuha.glandium.org> <154103321167.27271.738828882358740663.reportbug@mitsuha.glandium.org> <20181102041753.jdcqysoosdiuo5pb@ctrl.internal.morgul.net> <154103321167.27271.738828882358740663.reportbug@mitsuha.glandium.org> <20181102052518.rhs6yui5z7vibn7n@ctrl.internal.morgul.net> <154103321167.27271.738828882358740663.reportbug@mitsuha.glandium.org> <20181102091512.wtxmyorlgxjghvmt@sarek.noreply.org> <154103321167.27271.738828882358740663.reportbug@mitsuha.glandium.org>
On Fri, Nov 02, 2018 at 09:15:12AM +0000, Peter Palfrader wrote:
> On Thu, 01 Nov 2018, Noah Meyerhans wrote:
>
> > It was pointed out on IRC that this is intentional, per
> > https://salsa.debian.org/dsa-team/mirror/dsa-puppet/blob/master/modules/roles/manifests/snapshot_web.pp
> >
> > IMO blocking random (and large) chunks of EC2 is not a good idea, as the
> > collateral impact is potentially huge. I'd like to suggest a more
> > targeted way of throttling individual clients that doesn't have such
> > broad impact. The iptables connlimit module comes to mind, but there are
> > undoubtedly other options.
>
> It's not random. Still, I agree that blocking large chunks is not
> ideal.
>
> We would welcome you working with us on finding actual rate limiting
> configurations that work. So far, many have suggested but nobody has
> actually delivered anything.
I have tentatively removed the block on AWS in
https://salsa.debian.org/dsa-team/mirror/dsa-puppet/commit/6510538f5a1a525e62e85be0d887c1f1b3e0e3fd
We'll see how that goes.
Cheers,
Julien
Reply to: