North American Network Operators Group
Re: Assigning IPv6 /48's to CPE's?
On Jan 3, 2008 11:25 AM, Tim Franklin <[email protected]> wrote:
> Only assuming the nature of your mistake is 'turn it off'.
>
> I can fat-finger a 'port-forward *all* ports to important internal
> server', rather than just '80/TCP' pretty much exactly as easily as I can
> fat-finger 'permit *all* external to important internal server' rather
> than just '80/TCP'.

Tim,

While that's true of firewalled servers that are intended to provide services to the Internet at large, the vast majority of equipment behind a typical NAT firewall provides no services whatsoever to the Internet and do not each map to their own global IP address. They are client PCs and a scattering of LAN servers.

You can fat-finger "allow all ports inbound" in a stateful firewall far easier than you fat-finger "translate a bank of global IP addresses I don't actually have on a one-to-one basis to this large list of local-scope IP addresses -and- allow all ports inbound" in a NAT firewall. Actually, the latter is pretty hard to configure at all, let alone fat-finger by mistake.

> I'll grant the 'everything is disconnected' case is easier to spot, though
> - especially if you don't have proper change management to test that the
> change you made is the change you think you made.

Do you mean to tell me there's actually such a thing as a network engineer who creates and uses a test plan every single time he makes a change to every firewall he deals with? I thought such beings were a myth, like unicorns and space aliens!

Regards,
Bill Herrin

--
William D. Herrin [email protected] [email protected]
3005 Crane Dr. Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
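An added illustration, not part of the original thread, of the kind of pre-change check the "test plan" remark alludes to: it compares the rules an engineer intended to push against the rules actually in place and flags any "permit all ports inbound to an internal host" rule of the sort both posters describe as easy to fat-finger. The five-field rule syntax, the 10.0.0.0/8 "internal" range, the sample rules and all function names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # source CIDR, or "any"
    dst: str     # destination CIDR, or "any"
    proto: str   # "tcp", "udp", or "any"
    port: str    # destination port number, or "any"


def parse_rule(line: str) -> Rule:
    """Parse one rule in the constructed toy syntax 'ACTION SRC DST PROTO PORT'."""
    fields = line.split()
    if len(fields) != 5:
        raise ValueError(f"malformed rule: {line!r}")
    return Rule(*fields)


def is_permit_all_inbound(rule: Rule, internal: ipaddress.IPv4Network) -> bool:
    """True if the rule lets any external source reach an internal host on every port."""
    if rule.action != "permit" or rule.src != "any" or rule.port != "any":
        return False
    if rule.dst == "any":
        return True
    dst = ipaddress.ip_network(rule.dst, strict=False)
    return dst.version == internal.version and dst.subnet_of(internal)


def audit(intended: list, applied: list, internal_cidr: str) -> list:
    """Report rules that differ from the intended set, plus any permit-all inbound rule."""
    internal = ipaddress.ip_network(internal_cidr)
    want = {parse_rule(line) for line in intended}
    have = {parse_rule(line) for line in applied}
    findings = []
    for rule in sorted(have - want, key=repr):
        findings.append(f"unexpected rule: {rule}")
    for rule in sorted(want - have, key=repr):
        findings.append(f"missing rule: {rule}")
    for rule in sorted(have, key=repr):
        if is_permit_all_inbound(rule, internal):
            findings.append(f"permit-all inbound to internal host: {rule}")
    return findings


# Constructed sample: the change as intended (80/TCP only) and as fat-fingered (all ports).
INTENDED = ["permit any 10.0.0.10/32 tcp 80", "deny any any any any"]
FATFINGERED = ["permit any 10.0.0.10/32 any any", "deny any any any any"]

if __name__ == "__main__":
    for finding in audit(INTENDED, FATFINGERED, "10.0.0.0/8"):
        print(finding)
```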