tech-net archive
Re: Proposal to apply mask to IP address set on rule
GT> So far nobody has given examples of actual misconfigurations that would
GT> benefit from warnings.
Let's firewall a subnet for 16 hosts -- QUICK!:
Is 192.168.33.136/28 on a /28 boundary or not?
I have seen enough cases, both with firewalls and routing tables,
where an admin intended a network spec but got it wrong. At least
a warning that the above net is not covering 192.168.33.136-.151 but
really .128-.143 is helpful, especially in a security context.
I certainly welcome the option to apply "neighbourhood" expressions
such as "192.168.64.7/24" in ad-hoc tcpdumps and quick firewall entries
as much as you do.
I just want to note that the above mistakes DO happen, too.
> If other people really want to be warned because they think this will
> catch other mistakes (when writing rules to match site-local subnets?),
> then I could see warnings being configurable, so that those people could
> have warnings, and people that think it's ok to write fulladdr/length
> won't.
Yes: configurable warnings would be best.
Martin
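The boundary mistake described above, as an added example that is not code from the list or from any NetBSD filter: it parses an "addr/len" spec, computes the range the mask really selects, and emits the kind of warning proposed, naming the range an admin who typed "first host/len" most likely meant. The function and field names are my own.

```python
# Added example: detect "addr/len" specs whose address is not on the
# prefix boundary, and report what the mask actually covers.
import ipaddress


def check_cidr(spec: str) -> dict:
    """Return the network really covered by `spec` plus a warning when the
    address has host bits set (i.e. it is not on the /len boundary)."""
    addr_str, _, len_str = spec.partition("/")
    addr = int(ipaddress.IPv4Address(addr_str))
    plen = int(len_str) if len_str else 32
    if not 0 <= plen <= 32:
        raise ValueError(f"bad prefix length in {spec!r}")
    size = 1 << (32 - plen)                        # addresses in one /plen
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    net = addr & mask                              # what the filter will match
    bcast = net | (size - 1)
    on_boundary = (addr & ~mask & 0xFFFFFFFF) == 0
    # What "first host/len" probably meant: `size` addresses from addr upward.
    meant_last = min(addr + size - 1, 0xFFFFFFFF)

    def fmt(n: int) -> str:
        return str(ipaddress.IPv4Address(n))

    result = {
        "spec": spec,
        "network": f"{fmt(net)}/{plen}",
        "first": fmt(net),
        "last": fmt(bcast),
        "on_boundary": on_boundary,
        "warning": None,
    }
    if not on_boundary:
        result["warning"] = (
            f"{spec} is not on a /{plen} boundary: the mask selects "
            f"{fmt(net)}-{fmt(bcast)}, not {fmt(addr)}-{fmt(meant_last)}"
        )
    return result


def warn_rules(specs):
    """Run check_cidr over a list of rule specs and return only the warnings."""
    return [w for w in (check_cidr(s)["warning"] for s in specs) if w]


if __name__ == "__main__":
    for w in warn_rules(["192.168.33.136/28", "192.168.33.128/28", "192.168.64.7/24"]):
        print("warning:", w)
```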