nanog mailing list archives
Re: Assigning IPv6 /48's to CPE's?
From: "William Herrin" <herrin-nanog () dirtside com>
Date: Thu, 3 Jan 2008 12:53:24 -0500
On Jan 3, 2008 11:25 AM, Tim Franklin <tim () pelican org> wrote:
> Only assuming the nature of your mistake is 'turn it off'. I can fat-finger a 'port-forward *all* ports to important internal server', rather than just '80/TCP' pretty much exactly as easily as I can fat-finger 'permit *all* external to important internal server' rather than just '80/TCP'.

Tim,

While that's true of firewalled servers that are intended to provide services to the Internet at large, the vast majority of equipment behind a typical NAT firewall provides no services whatsoever to the Internet and do not each map to their own global IP address. They are client PCs and a scattering of LAN servers.

You can fat-finger "allow all ports inbound" in a stateful firewall far easier than you fat-finger "translate a bank of global IP addresses I don't actually have on a one-to-one basis to this large list of local-scope IP addresses -and- allow all ports inbound" in a NAT firewall. Actually, the latter is pretty hard to configure at all, let alone fat-finger by mistake.

> I'll grant the 'everything is disconnected' case is easier to spot, though - especially if you don't have proper change management to test that the change you made is the change you think you made.

Do you mean to tell me there's actually such a thing as a network engineer who creates and uses a test plan every single time he makes a change to every firewall he deals with? I thought such beings were a myth, like unicorns and space aliens!

Regards,
Bill Herrin

--
William D. Herrin  herrin () dirtside com  bill () herrin us
3005 Crane Dr.  Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
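A toy model of the two misconfigurations compared in this message, as an added example that is not part of the original post: it computes which inside hosts accept unsolicited inbound connections on every port after each one-line slip. The host names, the addresses (documentation prefix 2001:db8:1::/48) and the rule formats are constructed assumptions, not any vendor's syntax.

```python
from ipaddress import ip_address, ip_network

# Constructed inside hosts; 2001:db8:1::/48 is a documentation prefix.
HOSTS = {
    "web":  "2001:db8:1::80",
    "file": "2001:db8:1::20",
    "pc1":  "2001:db8:1::101",
    "pc2":  "2001:db8:1::102",
}
ALL = "all"  # marker for "every port"

def exposed_by_firewall(permits, hosts=HOSTS):
    """Stateful firewall, default-deny for unsolicited inbound traffic.
    permits: list of (destination prefix, port or ALL).
    Returns {host: set of ports reachable from outside}."""
    out = {}
    for name, addr in hosts.items():
        for prefix, port in permits:
            if ip_address(addr) in ip_network(prefix):
                out.setdefault(name, set()).add(port)
    return out

def exposed_by_napt(forwards):
    """Port-translating NAT with one outside address.
    forwards: list of (outside port or ALL, inside host name).
    A host with no forward entry has no inbound mapping at all."""
    out = {}
    for port, name in forwards:
        out.setdefault(name, set()).add(port)
    return out

def blast_radius(exposure):
    """Hosts that accept unsolicited connections on every port."""
    return sorted(h for h, ports in exposure.items() if ALL in ports)

# Intended policy: only 80/TCP to the web server.
fw_ok = exposed_by_firewall([("2001:db8:1::80/128", 80)])
napt_ok = exposed_by_napt([(80, "web")])
# Slip 1 (quoted text): all ports to the one server. Same result on both.
fw_slip1 = exposed_by_firewall([("2001:db8:1::80/128", ALL)])
napt_slip1 = exposed_by_napt([(ALL, "web")])
# Slip 2 (reply): a single "permit all inbound" line on the firewall.
fw_slip2 = exposed_by_firewall([("::/0", ALL)])
# The closest single-entry NAPT slip still names exactly one inside host.
napt_slip2 = napt_slip1

if __name__ == "__main__":
    for label, exp in [("fw slip 1", fw_slip1), ("napt slip 1", napt_slip1),
                       ("fw slip 2", fw_slip2), ("napt slip 2", napt_slip2)]:
        print(f"{label:12} every-port hosts: {blast_radius(exp)}")
```

A pre-change check along these lines can run against a proposed rule set and flag any change whose every-port host list grows beyond the hosts meant to be published.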