Support Diary: The LAN of 16M Hosts (prgmr.com)
48 points by todsacerdoti on July 19, 2020 | 11 comments



I had a $cow-orker who once did the exact same thing -- configured an interface to use a /8 subnet mask -- except it was on the new Cisco ASA firewall we were deploying for one of our customers (a government water utility) and it wasn't a stupid default; he explicitly configured the wrong subnet mask and told the ASA that there were ~16.7 million other devices directly connected to that particular interface!

Not surprisingly, they experienced various problems over the next few weeks due to "the firewall" -- including breaking the application they used to provide their vendor remote access for monitoring and maintenance! That had the biggest impact but there were also various web sites they couldn't access, they lost the ability to send and receive e-mails from some other organizations they worked closely with, and so on. Oh, and either Pandora or Spotify (I don't remember which) also stopped working -- she could deal with some of the other stuff but the manager of the organization was NOT happy about that one!

Eventually, a few weeks after the firewall replacement, I was asked to go investigate the issues they had been experiencing since the new firewall had been installed, quickly noticed the incorrect configuration on the interface, and became the hero to everyone (well, except for my $boss, who had to reimburse them for ~27 hours (IIRC) of on-site time, but that's another story).

Subnet masks matter!


Totally unrelated to the actual post and apologies for what is arguably spam, but I would love to give a shout-out to prgmr for being the best VPS hosting company I've ever used. I've been with them since early 2011 and run all my most critical personal services (email, static web, etc) on prgmr machines. I particularly enjoy how VPS management (including OOB!) is done through SSH with a pubkey you supply on the billing site: https://i.imgur.com/ckRJzDW.png

I don't record any reliability stats, but I can't remember a time one of my VPSes was down without being announced first. Reboots and downtime do happen because they are extremely on top of Xen security patches, hardware maintenance, and everything else. My favorite prgmr email was last year when a scheduled maintenance got postponed by two days only six hours before it was planned and they sent me an email apologizing that my machine wasn't down just in case I had already planned around it: https://i.imgur.com/yusTBPG.png

Full disclosure: one (only one!) of my prgmr VPSes is billed to me at $0/month because I helped get FreeBSD Xen/PV running at prgmr way back in the FreeBSD 9.0 days when FreeBSD Xen/HVM was rather unusable. These days PV isn't even an option (afaict) for prgmr's VPS and the newest HVM-mode FreeBSD is available straight from them in the management console as a first-class OS alongside CentOS and friends. If that arrangement ever ends I will immediately switch to paying for the same machine and wouldn't even consider shopping around first :)


Seconded :-) I have been hosting a forum for a small group of friends since 2004 with them, and more recently (on the same VPS) a tumblelog [0]. Would certainly recommend them.

[0] https://plurrrr.com/


I find it a bit surprising that classful networks are not common knowledge. I guess it's just a sign that times have changed. This was a basic thing I learned when I first learned about subnets.


I find it a bit surprising in how many teaching materials you find it still, despite being outdated knowledge for a long time now :D


> outdated knowledge

Personally I never totally 'got' CIDR until I went back and learned what it replaced and why it was needed.


TL;DR - we'd like someone to add warnings to ifconfig etc. if no netmask is supplied. I could do it but don't have the time.


That's not a very good summary at all. Most of the article is on the history/evolution of Internet addressing.


Either way it's not a story of someone actually building a single broadcast domain with millions of hosts on


It's not a summary by number of words, but if someone doesn't want to read the article, it's what I want them to be aware of.

It's frustrating the number of silly things you can do at the command line that persist for backwards compatibility reasons. But we can at least add warnings for them. It would have been much better for the user to have been told at the time they failed to add a netmask that they made a mistake. It would have removed the need for the support ticket entirely (at least, one hopes so.)

mkswap is another example of this. Karel Zak had thoughtfully added warnings in swapon already if you enabled swap with insecure permissions https://git.kernel.org/pub/scm/utils/util-linux/util-linux.g... but nobody had bothered to warn at the time the swap file was actually created. So I had someone add that: https://git.kernel.org/pub/scm/utils/util-linux/util-linux.g...
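The warning proposed above (and the /8-on-a-firewall story earlier in the thread) boils down to one check: if no netmask is given, the classful fallback picks a prefix from the first address bits, and a /8 silently claims ~16.7 million directly connected hosts. The function below is an added illustration, not code from the article or from any ifconfig implementation; `warn_below_prefix=16` is an assumed threshold, not a value from the thread.

```python
import ipaddress
from typing import Dict, List, Optional, Union


def classful_prefix(addr: str) -> int:
    """Prefix length the pre-CIDR (RFC 791) address class implies.

    Class A (0xxxxxxx) -> /8, class B (10xxxxxx) -> /16, class C (110xxxxx) -> /24.
    Class D/E addresses carry no host netmask, so they are rejected.
    """
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{addr} is a class D/E address; no default netmask applies")


def check_interface_config(
    addr: str,
    prefix: Optional[int],
    warn_below_prefix: int = 16,  # assumed threshold: anything bigger than a /16 is suspicious
) -> Dict[str, Union[int, List[str]]]:
    """Emulate the missing netmask warning: report the effective prefix, the number
    of hosts the interface now believes are directly connected, and any warnings."""
    warnings: List[str] = []
    if prefix is None:
        prefix = classful_prefix(addr)
        warnings.append(f"no netmask supplied; falling back to classful /{prefix}")
    net = ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
    # Subtract the network and broadcast addresses; a /31 or /32 has no such hosts.
    hosts = max(net.num_addresses - 2, 0)
    if prefix < warn_below_prefix:
        warnings.append(
            f"/{prefix} puts {hosts:,} hosts on one link; did you mean a narrower mask?"
        )
    return {"prefix": prefix, "directly_connected_hosts": hosts, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample: the article's failure mode, a 10.x address with no mask.
    for line in check_interface_config("10.1.2.3", None)["warnings"]:
        print("WARNING:", line)
```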


Maybe just default to /24. That is a fairly sensible default and anyone who wants something different should be smart enough to specify a mask.




