Re: Assigning IPv6 /48's to CPE's?

From: William Herrin (no email)
Date: Thu Jan 03 2008 - 12:53:24 EST

  • Next message: Vinny Abello: "Re: Assigning IPv6 /48's to CPE's?"

    On Jan 3, 2008 11:25 AM, Tim Franklin <> wrote:
    > Only assuming the nature of your mistake is 'turn it off'.
    >
    > I can fat-finger a 'port-forward *all* ports to important internal
    > server', rather than just '80/TCP' pretty much exactly as easily as I can
    > fat-finger 'permit *all* external to important internal server' rather
    > than just '80/TCP'.

    Tim,

    While that's true of firewalled servers that are intended to provide
    services to the Internet at large, the vast majority of equipment
    behind a typical NAT firewall provides no services whatsoever to the
    Internet and does not map each host to its own global IP address. They are
    client PCs and a scattering of LAN servers.

    You can fat-finger "allow all ports inbound" in a stateful firewall
    far more easily than you can fat-finger "translate a bank of global IP
    addresses I don't actually have on a one-to-one basis to this large
    list of local-scope IP addresses -and- allow all ports inbound" in a
    NAT firewall. Actually, the latter is pretty hard to configure at all,
    let alone fat-finger by mistake.

    > I'll grant the 'everything is disconnected' case is easier to spot, though
    > - especially if you don't have proper change management to test that the
    > change you made is the change you think you made.

    Do you mean to tell me there's actually such a thing as a network
    engineer who creates and uses a test plan every single time he makes a
    change to every firewall he deals with? I thought such beings were a
    myth, like unicorns and space aliens!

    Regards,
    Bill Herrin

    -- 
    William D. Herrin                    
    3005 Crane Dr.                        Web: <http://bill.herrin.us/>
    Falls Church, VA 22042-3004
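Bill's point that "allow all ports inbound" is an easy fat-finger, together with Tim's remark about verifying that the change you made is the change you think you made, as an added example that is not part of this thread: a small Python lint over constructed ip6tables-save style FORWARD rules (the interface name wan0, the 2001:db8 addresses and the rule text are assumptions) that flags inbound ACCEPT rules with no host or no port restriction and checks that only the intended pinhole was opened.

```python
# Constructed sample of ip6tables-save style FORWARD rules on a CPE (not from the thread).
# Rule 3 is the "all ports to the server" fat-finger; rule 4 is "allow all inbound".
SAMPLE_RULES = """
-A FORWARD -i wan0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i wan0 -d 2001:db8:1::10/128 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i wan0 -d 2001:db8:1::10/128 -j ACCEPT
-A FORWARD -i wan0 -j ACCEPT
-A FORWARD -i wan0 -j DROP
""".strip().splitlines()

# Options we care about and the rule field each one fills.
OPTIONS = {"-A": "chain", "-i": "in", "-d": "dst", "-p": "proto",
           "--dport": "dport", "-j": "target", "--ctstate": "state"}

def parse_rule(line):
    """Turn one rule line into a dict; unknown tokens (e.g. '-m tcp') are skipped."""
    rule = {field: None for field in OPTIONS.values()}
    toks = line.split()
    for i, tok in enumerate(toks[:-1]):
        if tok in OPTIONS:
            rule[OPTIONS[tok]] = toks[i + 1]
    return rule

def overly_permissive(rule, wan="wan0"):
    """Reason string if the rule accepts unsolicited WAN traffic without
    restricting both destination host and port, otherwise None."""
    if (rule["chain"], rule["target"], rule["in"]) != ("FORWARD", "ACCEPT", wan):
        return None
    if rule["state"] and "NEW" not in rule["state"].split(","):
        return None  # reply traffic only; not an inbound pinhole
    if rule["dst"] is None:
        return "accepts inbound to every internal host"
    if rule["dport"] is None:
        return "accepts every port on " + rule["dst"]
    return None

def lint(lines, wan="wan0"):
    """Return (rule_line, reason) for every over-permissive inbound rule."""
    findings = []
    for line in lines:
        reason = overly_permissive(parse_rule(line), wan)
        if reason:
            findings.append((line, reason))
    return findings

def change_as_intended(lines, dst, dport, wan="wan0"):
    """The post-change test: the intended pinhole exists and nothing broader does."""
    rules = [parse_rule(l) for l in lines]
    intended = any(r["chain"] == "FORWARD" and r["target"] == "ACCEPT"
                   and r["dst"] == dst and r["dport"] == str(dport) for r in rules)
    return intended and not lint(lines, wan)
```

Running lint() on the sample reports rules 3 and 4; dropping them makes change_as_intended() pass for the 80/TCP pinhole.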
    
