tech-net archive


Re: Proposal to apply mask to IP address set on rule



On Sat, May 24, 2025 at 01:23:41PM +0200, Martin Neitzel wrote:
> GT> So far nobody has given examples of actual misconfigurations that would
> GT> benefit from warnings.
> 
> Let's firewall a subnet for 16 hosts -- QUICK!:
> Is 192.168.33.136/28 on a /28 boundary or not?

I see what you mean.  And I've seen that happen.

I can't even answer your question "QUICK!".  I've never been able to
convert numbers to bit patterns instantly, it's always a slow process for
me.

On the other hand, if someone asks you to make a risky change QUICK! and
to forego due diligence that's on them and you and not on the tool.

And I haven't seen a situation where someone wanted such a change
quickly where the situation hadn't been going on for at least half an
hour.  There was never a good and justifiable reason to fix it within
seconds.

Warnings might be nice.  If you do stuff interactively.  But warnings
tend to be ignored.  Especially under automation.

I can imagine that some kind of validation mode or maybe an option that
turns such warnings into an error (and causes the program to exit with
non-zero status!) could be useful, though.

Or perhaps some kind of i-mean-it indicator in the configuration syntax
that makes the warning disappear.

--chris

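The boundary question quoted above and the strict-mode option Chris suggests, as an added example that is not from this thread or from any firewall tool: a Python check that masks the host bits off each rule address, reports entries that do not sit on their prefix boundary, and returns a non-zero status only when a strict flag is set. The function names, the SAMPLE_RULES list and the trailing "!" marker are assumptions made for the example.

```python
import ipaddress
import sys

# Constructed sample rule set: the thread's example, the boundary it probably
# meant, an aligned prefix, and one entry with a hypothetical "I mean it"
# marker (trailing "!") that suppresses the check.
SAMPLE_RULES = ["192.168.33.136/28", "192.168.33.128/28", "10.0.0.0/8", "172.16.5.77/24!"]

def check_rule_address(cidr: str) -> dict:
    """Report whether an address/prefix sits on its prefix boundary.

    ip_interface() tolerates host bits (ip_network(strict=True) would raise);
    .network masks them off, so comparing the two shows whether any were set.
    Hypothetical helper, not part of any firewall tool.
    """
    iface = ipaddress.ip_interface(cidr)
    network = iface.network
    return {
        "address": str(iface.ip),
        "prefixlen": network.prefixlen,
        "network": str(network),
        "aligned": iface.ip == network.network_address,
    }

def validate_rules(cidrs, strict=False):
    """Check every entry; return (exit_status, messages).

    Warn mode reports misaligned entries but keeps status 0. Strict mode
    (warnings turned into errors) returns 1 so automation stops on them.
    """
    messages, status = [], 0
    for entry in cidrs:
        if entry.endswith("!"):  # hypothetical explicit-intent marker
            continue
        info = check_rule_address(entry)
        if info["aligned"]:
            continue
        messages.append(f"{entry}: host bits set; /{info['prefixlen']} "
                        f"covers {info['network']}, not this address")
        if strict:
            status = 1
    return status, messages

if __name__ == "__main__":
    strict = "--strict" in sys.argv
    status, msgs = validate_rules(SAMPLE_RULES, strict=strict)
    for m in msgs:
        print(("error: " if strict else "warning: ") + m, file=sys.stderr)
    sys.exit(status)
```

Run it with `--strict` to see the exit status change from 0 to 1 on the same input; only the 192.168.33.136/28 entry is flagged, since its host bits (136 & 15 = 8) are not zero.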
