Comment 4 for bug 1627093

Gustavo Niemeyer (niemeyer) wrote :

This feels like an assumption that will create more awkward problems than it will solve.

A machine with an IP in the local network cannot be contacted from the outside without a route. So either the machine is already on a public IP, in which case constraining it to the public IP range doesn't help, or the machine is in a NATed address which would not be accessible anyway.

Then, even if the machine is in the local network, that doesn't make it secure, so we must be aware of the attack vectors and plan accordingly regardless.

So it feels like the sort of solution people will need to read the documentation to disable because we forgot about N cases which are not covered, while not in fact making it any more secure.