tech-net archive


Re: Proposal to apply mask to IP address set on rule



GT> So far nobody has given examples of actual misconfigurations that would
GT> benefit from warnings.

Let's firewall a subnet for 16 hosts -- QUICK!:
Is 192.168.33.136/28 on a /28 boundary or not?

I have seen enough cases, both with firewalls and routing tables,
where an admin intended a network spec but got it wrong.  At least
a warning that the above net is not covering 192.168.33.136-.151 but
really .128-.143 is helpful, especially in a security context.

I certainly welcome the option to apply "neighbourhood" expressions
such as "192.168.64.7/24" in ad-hoc tcpdumps and quick firewall entries
as much as you do.

I just want to note that the above mistakes DO happen, too.

> If other people really want to be warned because they think this will
> catch other mistakes (when writing rules to match site-local subnets?),
> then I could see warnings being configurable, so that those people could
> have warnings, and people that think it's ok to write fulladdr/length
> won't.

Yes:  configurable warnings would be best.

							Martin
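The boundary check Martin describes, as an added example written for this archive page (it is not code from the thread or from any firewall or tcpdump implementation): given an "addr/len" spec as typed into a rule, report whether the address sits on a /len boundary, which block the spec really denotes after masking, and which range an admin who meant "len-sized block starting at addr" probably intended. The `warn` flag stands in for the configurable warning the thread asks for; the function names and the sample specs are this example's own.

```python
import ipaddress
from typing import Optional


def describe(spec: str) -> dict:
    """Compare the block a rule spec denotes with the block its author may have meant.

    spec is "address/prefixlen" as it would appear in a rule, e.g. "192.168.33.136/28".
    Works for IPv4 and IPv6.
    """
    iface = ipaddress.ip_interface(spec)     # accepts host bits being set
    net = iface.network                      # address with host bits masked off
    size = net.num_addresses                 # 16 for a /28
    first, last = net.network_address, net.broadcast_address

    # What someone who wrote "addr/len" meaning "size addresses starting at addr"
    # would expect; clamped so the end cannot run past the address family's maximum.
    max_int = (1 << iface.ip.max_prefixlen) - 1
    intended_first = iface.ip
    intended_last = ipaddress.ip_address(min(int(iface.ip) + size - 1, max_int))

    return {
        "spec": spec,
        "prefixlen": net.prefixlen,
        "on_boundary": iface.ip == first,
        "network": str(net),
        "covers": (str(first), str(last)),
        "intended": (str(intended_first), str(intended_last)),
    }


def warning(spec: str, warn: bool = True) -> Optional[str]:
    """Return a warning string when spec has host bits set, else None.

    warn=False models the "I know what I'm doing" configuration from the thread:
    the spec is still accepted, just silently. The strict check itself is the same
    one ipaddress.ip_network(spec, strict=True) performs when it raises ValueError.
    """
    if not warn:
        return None
    d = describe(spec)
    if d["on_boundary"]:
        return None
    return (
        f"warning: {spec} is not on a /{d['prefixlen']} boundary; "
        f"it matches {d['covers'][0]}-{d['covers'][1]} ({d['network']}), "
        f"not {d['intended'][0]}-{d['intended'][1]}"
    )


if __name__ == "__main__":
    # Constructed sample specs: the two from the message plus one that is aligned.
    for s in ("192.168.33.136/28", "192.168.33.144/28", "192.168.64.7/24"):
        msg = warning(s)
        print(msg if msg else f"{s}: ok, on a /{describe(s)['prefixlen']} boundary")
```

Run stand-alone it prints one line per spec; the first shows that 192.168.33.136/28 really means .128-.143, and the third shows the deliberate "neighbourhood" use of 192.168.64.7/24 would also trip the warning, which is exactly why the thread wants it switchable.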

