- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Fri, 08 Apr 2011 15:58:45 +0000
- To: Willy Tarreau <w@1wt.eu>
- cc: Andreas Petersson <andreas@sbin.se>, Mark Nottingham <mnot@mnot.net>, "Thomson, Martin" <Martin.Thomson@commscope.com>, Karl Dubost <karld@opera.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
In message <20110408153631.GD13348@1wt.eu>, Willy Tarreau writes: >On Fri, Apr 08, 2011 at 02:08:09PM +0000, Poul-Henning Kamp wrote: >> And then we SHOULD strongly encourage that they follow this form: >> >> src-IP ':' src-port [ '/' dst-IP ':' dst-port ] > >While I agree with the principle, I would render the port optional. >It's almost always wrong anyway because you have the equipments in >the following order : > > client > firewall > load balancer > reverse-proxy > ... > server > >The load balancer almost always translates the source port (unless it's >doing DSR, which is progressively disappearing), and nobody car correlate >this source port seen by the reverse-proxy to anything logged anywhere. >So while there are *some* situations where the port can be exploited, i >practice where admins do care about logs, it's meaningless. You overlooked the bit about it only having meaning in the context where it was generated. To derive that meaning, you will need to investigate logs from firewalls, load balancers and everything else. But IP+port is what identifies the far end, and is the only handle you can give the police for the remote end. What the remote end or the police can do with it, is their problem So we should log the port number, always. -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.
Received on Friday, 8 April 2011 15:59:10 UTC