Allowing too much - what a fool!

Posted: Sat Oct 27, 2012 2:07 pm
by faris
I just discovered that through a slip up, a machine that I thought was locked down was wide open.

For the purposes of this, pretend that our network range is 1.1.1.128/26

We have a set of hardware nodes, each running a number of virtual machines each with their own IP addresses. We use APF as a firewall script on the VMs.

On one of the virtual machines, let's say 1.1.1.150, I had set a firewall rule to allow, both as a source and destination IP, 1.1.1.128/26 for both incoming and outgoing packets. The idea was to make sure all the systems within the network could communicate with .150 without any problems.

This was done by adding "1.1.1.128/26" in APF's allow_host.rules file.

Haha! What a fool!

The point here is that 1.1.1.128/26 includes .150, and by not being specific about what I wanted to allow (e.g. I should have just allowed 1.1.1.128/26 as a source address by using s=1.1.1.128/26 in allow_host.rules), I was basically saying allow all from all for .150 (the machine I was trying to protect).

Stupid, stupid, stupid :-)

Luckily no harm was done. But it could have been very different! This is actually the second time I've done this too. You'd think I'd have learned from the first time!
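The mistake described in the post is easy to check for mechanically. The following is an added example, not code from the post or from APF itself; it models the rule semantics the post relies on as an assumption (a bare address or network in allow_host.rules matches a packet when it is the source OR the destination; an `s=`-prefixed entry matches only as source, `d=` only as destination) and uses constructed sample addresses. It evaluates a rule against sample packets and flags any bare rule whose network contains the host the rule file protects, since such a rule lets every packet addressed to that host through.

```python
import ipaddress

# Assumed rule syntax, modelled on the post: "1.1.1.128/26", "s=1.1.1.128/26", "d=1.1.1.128/26".
# Scope "both" means the entry is matched as source or destination (the post's mistake).
def parse_rule(rule):
    rule = rule.strip()
    if rule.startswith("s="):
        return "src", ipaddress.ip_network(rule[2:], strict=False)
    if rule.startswith("d="):
        return "dst", ipaddress.ip_network(rule[2:], strict=False)
    return "both", ipaddress.ip_network(rule, strict=False)

def rule_allows(rule, src, dst):
    """True if this allow rule would accept a packet from src to dst."""
    scope, net = parse_rule(rule)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if scope == "src":
        return src in net
    if scope == "dst":
        return dst in net
    return src in net or dst in net   # bare entry: either side matching is enough

def self_including_rules(rules, protected_host):
    """Return the bare rules whose network contains the protected host.

    Any packet whose destination is the protected host matches such a rule,
    so the host is effectively open to every source address.
    """
    host = ipaddress.ip_address(protected_host)
    flagged = []
    for rule in rules:
        scope, net = parse_rule(rule)
        if scope == "both" and host in net:
            flagged.append(rule)
    return flagged

if __name__ == "__main__":
    protected = "1.1.1.150"                  # the VM from the post
    outsider = "203.0.113.7"                 # constructed address outside the network
    neighbour = "1.1.1.140"                  # constructed address inside 1.1.1.128/26
    for rule in ("1.1.1.128/26", "s=1.1.1.128/26"):
        print(rule,
              "outsider->host:", rule_allows(rule, outsider, protected),
              "neighbour->host:", rule_allows(rule, neighbour, protected))
    print("self-including rules:", self_including_rules(["1.1.1.128/26", "s=10.0.0.0/8"], protected))
```

Running this shows the bare `1.1.1.128/26` entry accepting the outsider's packet to .150, while the `s=` form accepts only the in-network neighbour; `self_including_rules` is the check to run over an allow file before loading it on any host whose own address falls inside one of the listed networks.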