On Mar 30, 2011, at 2:49 PM, Tracy Reed wrote:

> Never, not once in my 17-year career managing firewalls, have I found
> that a misconfigured firewall was accidentally forwarding. Have you?

Yes. I've found places where someone fat-fingered an ALLOW rule and had
accidentally allowed MUCH larger swathes of the internet to connect to a
host than they thought they had.

> The fact that you had RFC1918 address space behind it shouldn't matter in
> answering the question: WOULD it have ever forwarded if you had routable
> IPs behind it? Did RFC1918 ever really save you? And if not, why hold
> onto it?

If I never had a specific rule "forward a connection inward to
$PRIVATE_IP_OF_SERVER", then the level of fat-fingering required for an
inward NAT rule to spring into existence is significantly higher than the
amount needed to accidentally open a wider-hole-than-average to routable
addresses.

I.e., in a publicly routable address scenario, all that has to happen is
for a single allow rule to be miswritten, and you can accidentally expose
your entire infrastructure. In a NAT'ed world, it requires both a
misconfigured allow rule *AND* the accidental creation of static-NAT inward
mappings.

So it stands to reason that the *former* error mode, requiring only one
concurrent error, is more likely than the *latter* error mode, requiring
two or more concurrent errors. And if you can place an additional
road-block or speed-bump into the path of a potential security violation,
why wouldn't you do so?

D

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
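The one-error versus two-error argument made in the reply above, as an added worked example that is not part of the original thread and is not any real firewall's configuration: a toy model of a default-deny packet filter with FORWARD allow rules, optionally preceded by a static inward NAT (DNAT) table. All addresses are constructed from documentation and RFC1918 ranges, and the function and constant names (`reaches`, `exposed_public`, `exposed_nat`, `DNAT_SSH`, etc.) are hypothetical. The "fat-finger" modelled is the common one of writing the source of an allow rule as `0.0.0.0/0` instead of the intended partner /24.

```python
"""
Toy model of the two firewall error modes discussed in the thread.
Added example, not from the original post; all addresses and names are
constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class AllowRule:
    src: IPv4Network   # permitted source range
    dst: IPv4Network   # permitted destination range (matched after NAT)
    dport: int


# Static inward NAT mappings: (public_ip, port) -> (private_ip, port)
NatTable = Dict[Tuple[IPv4Address, int], Tuple[IPv4Address, int]]

# RFC1918 space; an internet host cannot route a packet to these directly.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Constructed addresses (documentation ranges, not real hosts)
PARTNER_NET = ip_network("203.0.113.0/24")   # the only source meant to be allowed
PARTNER_HOST = ip_address("203.0.113.5")     # a legitimate partner client
ANY_NET = ip_network("0.0.0.0/0")            # the fat-fingered "any" source
ATTACKER = ip_address("192.0.2.77")          # arbitrary internet host
FW_PUBLIC = ip_address("198.51.100.1")       # firewall's outside address
SERVER_PUBLIC = ip_address("198.51.100.10")  # server when given a routable IP
SERVER_PRIVATE = ip_address("192.168.1.10")  # server when placed behind NAT
SSH = 22


def is_rfc1918(addr: IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def apply_dnat(pkt: Packet, nat: NatTable) -> Packet:
    """PREROUTING: rewrite the destination only if a static inward mapping exists."""
    target = nat.get((pkt.dst, pkt.dport))
    if target is None:
        return pkt
    return Packet(pkt.src, target[0], target[1])


def forward_allowed(pkt: Packet, rules: List[AllowRule]) -> bool:
    """FORWARD chain: default deny; accept if any allow rule matches the post-NAT packet."""
    return any(pkt.src in r.src and pkt.dst in r.dst and pkt.dport == r.dport
               for r in rules)


def reaches(pkt: Packet, nat: NatTable, rules: List[AllowRule],
            server: IPv4Address) -> bool:
    """Does an inbound packet from the internet end up at `server`?"""
    # A packet addressed to RFC1918 space never arrives from the internet; the
    # only way in is a DNAT entry on the firewall's public address.
    if is_rfc1918(pkt.dst):
        return False
    post = apply_dnat(pkt, nat)
    return forward_allowed(post, rules) and post.dst == server


def exposed_public(rule_src: IPv4Network, src: IPv4Address = ATTACKER) -> bool:
    """Server has a routable IP: a single allow rule is all that governs access."""
    rules = [AllowRule(rule_src, ip_network(f"{SERVER_PUBLIC}/32"), SSH)]
    return reaches(Packet(src, SERVER_PUBLIC, SSH), {}, rules, SERVER_PUBLIC)


def exposed_nat(rule_src: IPv4Network, nat: NatTable,
                src: IPv4Address = ATTACKER) -> bool:
    """Server is on RFC1918 space: access needs an allow rule AND a DNAT entry."""
    rules = [AllowRule(rule_src, ip_network(f"{SERVER_PRIVATE}/32"), SSH)]
    return reaches(Packet(src, FW_PUBLIC, SSH), nat, rules, SERVER_PRIVATE)


# The static inward mapping that would have to be created by a second mistake.
DNAT_SSH: NatTable = {(FW_PUBLIC, SSH): (SERVER_PRIVATE, SSH)}


if __name__ == "__main__":
    print("public IP, correct rule, attacker:     ", exposed_public(PARTNER_NET))
    print("public IP, fat-fingered rule, attacker:", exposed_public(ANY_NET))
    print("NAT, fat-fingered rule, no DNAT:       ", exposed_nat(ANY_NET, {}))
    print("NAT, fat-fingered rule AND DNAT:       ", exposed_nat(ANY_NET, DNAT_SSH))
```

With a routable server address the miswritten source range alone lets the attacker through; behind NAT the same miswritten rule is harmless until a DNAT mapping for that port also exists, which is the second concurrent error the reply describes. The model deliberately ignores the firewall's own INPUT chain and any connection tracking, since neither changes which of the two paths a mistyped FORWARD rule opens.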