Re: OT: curious about eth0/eth1

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Joel Newkirk <netfilter@newkirk.us>
To: Tommy McNeely <Tommy.McNeely@Sun.COM>, netfilter@lists.netfilter.org
Subject: Re: OT: curious about eth0/eth1
Date: Tue, 7 Jan 2003 22:47:24 -0500	[thread overview]
Message-ID: <200301072247.24369.netfilter@newkirk.us> (raw)
In-Reply-To: <6620000.1041983993@leverage>

On Tuesday 07 January 2003 06:59 pm, Tommy McNeely wrote:
> I am curious about why people choose to make a certain interface
> internal or external...

> I notice several people pick eth0 as their outside interface, and
> sorta "oh yea" the rest of the inside network is on eth1.  I know the
> linux kernel could really care less what they are called, its mostly a
> "neatness" thing I guess... Also it seems like that leaves your box
> open to attack from the time it installs (if you do a NET based
> install) till the time you get around to actually putting a firewall
> on it.

Why would this in particular leave a box exposed?

I think that the main reason for 'some one way, some the other' is random 
chance.  However, consider this scenario:

You have two NICs, eth0 and eth1. The connections on one you trust (-i 
eth0 -j ACCEPT), the other you don't.  One of them fails, or the board 
works loose from it's socket, or something, so that upon booting the 
machine you only have one interface.  No matter which board fails, the 
remaining board would be eth0.  If eth0 is your 'trusted' internal 
network in normal conditions, and it fails, then suddenly the untrusted 
network is operating under the trusted network's rules.  However, the IP 
assignment (if static!) would remain that of the trusted network, so as 
long as eth0 is configured with a static IP this shouldn't present a 
risk.  If, however, both are dynamic, (say DHCP assigned) then this 
would qualify as a security hole, possibly a huge one.  To be fair, this 
is probably a very rare intersection of situations, but if eth0 is the 
untrusted network, then any failure would be an annoyance, not a risk.

j

next prev parent reply	other threads:[~2003-01-08  3:47 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-01-07 23:59 OT: curious about eth0/eth1 Tommy McNeely
2003-01-08  3:47 ` Joel Newkirk [this message]
2003-01-08  8:21   ` Arnt Karlsen
2003-01-08 16:27   ` Tommy McNeely
2003-01-08 11:40 ` Maciej Soltysiak

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200301072247.24369.netfilter@newkirk.us \
    --to=netfilter@newkirk.us \
    --cc=Tommy.McNeely@Sun.COM \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.