[101420] in North American Network Operators' Group
Re: Assigning IPv6 /48's to CPE's?
daemon@ATHENA.MIT.EDU (William Herrin)
Thu Jan 3 12:54:32 2008
Date: Thu, 3 Jan 2008 12:53:24 -0500
From: "William Herrin" <herrin-nanog@dirtside.com>
To: "Tim Franklin" <tim@pelican.org>
Cc: "Rick Astley" <jnanog@gmail.com>, nanog@merit.edu
In-Reply-To: <2506.90.207.196.5.1199377531.squirrel@webmail.pelican.org>
Errors-To: owner-nanog@merit.edu
On Jan 3, 2008 11:25 AM, Tim Franklin <tim@pelican.org> wrote:
> Only assuming the nature of your mistake is 'turn it off'.
>
> I can fat-finger a 'port-forward *all* ports to important internal
> server', rather than just '80/TCP' pretty much exactly as easily as I can
> fat-finger 'permit *all* external to important internal server' rather
> than just '80/TCP'.
Tim,
While that's true of firewalled servers that are intended to provide
services to the Internet at large, the vast majority of equipment
behind a typical NAT firewall provides no services whatsoever to the
Internet and does not each map to its own global IP address. They are
client PCs and a scattering of LAN servers.
You can fat-finger "allow all ports inbound" in a stateful firewall
far more easily than you can fat-finger "translate a bank of global IP
addresses I don't actually have on a one-to-one basis to this large
list of local-scope IP addresses -and- allow all ports inbound" in a
NAT firewall. Actually, the latter is pretty hard to configure at all,
let alone fat-finger by mistake.
> I'll grant the 'everything is disconnected' case is easier to spot, though
> - especially if you don't have proper change management to test that the
> change you made is the change you think you made.
Do you mean to tell me there's actually such a thing as a network
engineer who creates and uses a test plan every single time he makes a
change to every firewall he deals with? I thought such beings were a
myth, like unicorns and space aliens!
Regards,
Bill Herrin
--
William D. Herrin herrin@dirtside.com bill@herrin.us
3005 Crane Dr. Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
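The two failure modes argued over above (an accidental "permit all ports inbound" on a stateful firewall versus an accidental "forward all ports" on a NAT box) and the change-management point ("test that the change you made is the change you think you made") can both be checked mechanically. The following is an added example, not code from the thread or from any NANOG participant; it uses a constructed, deliberately simplified rule syntax (hypothetical, not any vendor's format) with two rule kinds, `permit outside <internal-ip> <proto> <port|any>` and `forward <global-ip> <proto> <port|any> -> <internal-ip>`, and a default-deny assumption. It computes what each internal host is reachable on from outside, flags any rule that exposes every port, and diffs the result against the exposure the engineer intended, so that both the "wide open" mistake and the "everything is disconnected" mistake show up before the change goes live.

```python
"""Exposure check for a small firewall/NAT ruleset (added example).

Constructed rule syntax (hypothetical, not a real vendor format):
  permit  outside <internal-ip> <proto> <port|any>       # stateful firewall ACL
  forward <global-ip> <proto> <port|any> -> <internal-ip> # NAT port-forward
Anything not permitted or forwarded is assumed denied (default deny).
"""
from typing import Dict, List, Set, Tuple

# (kind, internal host, "proto/port" or "any", rule text)
Rule = Tuple[str, str, str, str]
# internal host -> set of "proto/port" strings (or "any") reachable from outside
Exposure = Dict[str, Set[str]]


def _all_ports(port: str) -> bool:
    return port.lower() in ("any", "all", "*")


def parse_rules(ruleset: str) -> List[Rule]:
    """Parse the constructed syntax; '#' starts a comment, blank lines are skipped."""
    rules: List[Rule] = []
    for raw in ruleset.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        kind = parts[0].lower()
        if kind == "permit" and len(parts) == 5 and parts[1] == "outside":
            host, proto, port = parts[2], parts[3], parts[4]
        elif kind == "forward" and len(parts) == 6 and parts[4] == "->":
            proto, port, host = parts[2], parts[3], parts[5]
        else:
            raise ValueError(f"unrecognised rule: {raw!r}")
        svc = "any" if _all_ports(port) else f"{proto}/{port}".lower()
        rules.append((kind, host, svc, line))
    return rules


def exposure(ruleset: str) -> Exposure:
    """What each internal host is reachable on from the outside zone."""
    exp: Exposure = {}
    for _, host, svc, _ in parse_rules(ruleset):
        exp.setdefault(host, set()).add(svc)
    return exp


def lint(ruleset: str) -> List[str]:
    """Flag every rule that opens all ports of an internal host, whichever
    form (firewall permit or NAT forward) the fat-finger took."""
    return [f"{kind} rule exposes every port of {host}: {line}"
            for kind, host, svc, line in parse_rules(ruleset) if svc == "any"]


def verify_change(expected: Exposure, ruleset: str) -> List[str]:
    """The test-plan step: compare the intended exposure with what the rules
    actually do. Reports both over-exposure and the 'disconnected' case."""
    actual = exposure(ruleset)
    problems: List[str] = []
    for host in sorted(set(expected) | set(actual)):
        want, have = expected.get(host, set()), actual.get(host, set())
        if "any" in have and "any" not in want:
            problems.append(f"{host}: every port reachable, wanted {sorted(want) or 'nothing'}")
            continue
        for svc in sorted(want - have):
            problems.append(f"{host}: {svc} expected but not reachable")
        for svc in sorted(have - want):
            problems.append(f"{host}: {svc} reachable but not intended")
    return problems


# Constructed sample rulesets (RFC 5737 / RFC 1918 addresses, not real hosts).
INTENDED: Exposure = {"192.168.1.10": {"tcp/80"}}
GOOD = """
permit outside 192.168.1.10 tcp 80
forward 203.0.113.5 tcp 80 -> 192.168.1.10
"""
FW_FAT_FINGER = "permit outside 192.168.1.10 tcp any   # meant: tcp 80\n"
NAT_FAT_FINGER = "forward 203.0.113.5 tcp any -> 192.168.1.10\n"
DISCONNECTED = ""   # the whole rule block got deleted

if __name__ == "__main__":
    for name, rules in (("good", GOOD), ("firewall typo", FW_FAT_FINGER),
                        ("nat typo", NAT_FAT_FINGER), ("disconnected", DISCONNECTED)):
        print(f"--- {name}")
        for w in lint(rules):
            print("  lint:", w)
        for p in verify_change(INTENDED, rules):
            print("  diff:", p)
```

Running the script prints nothing for the good ruleset, a lint warning plus an over-exposure diff for either typo, and an "expected but not reachable" diff for the deleted block; only the third of those is the error a quick connectivity test would catch on its own.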