From: netfilter@buglecreek.com
To: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Cc: netfilter <netfilter@vger.kernel.org>
Subject: Re: FORWARD chain and Interfaces
Date: Sun, 22 May 2011 13:06:47 -0600
Message-ID: <1306091207.21990.1454736533@webmail.messagingengine.com>
In-Reply-To: <4DD8CDE8.505@plouf.fr.eu.org>
On Sun, 22 May 2011 10:48 +0200, "Pascal Hambourg"
<pascal.mail@plouf.fr.eu.org> wrote:
> netfilter@buglecreek.com wrote:
> > On Sun, 22 May 2011 00:05 +0200, "Pascal Hambourg"
> >>
> >> How then do you know which interface of the router is connected to which
> >> network ?
> >
> > I'm basing the router connections to the various networks by the IP
> > addresses and network Addresses.
>
> That is not enough. The virtualization system (Parallels for you) deals
> only with the link (ethernet) layer, not the IP layer. You can set up
> multiple IP subnets on the same link but they are not isolated.
>
> > Sending a broadcast packet (good idea) from network B I see the packet
> > show up at network A machine and on both interfaces of the firewall. I
> > even see the packets show up on network A when the firewall/router is
> > turned off.
>
> So all interfaces are connected to the same link, just as I thought.
>
> > Both Net A and Net B are assigned IPs on two entirely
> > different networks. Obviously, this is not the expected behavior.
>
> It is expected behaviour when all interfaces are connected to the same
> link. Think as if all interfaces are connected to the same switch and
> you didn't define separate VLANs.
>
> Ideally you need to set up two separate virtual links and define which
> interface is connected to which link. Other options include:
>
> a) Use tagged VLAN interfaces (see vconfig). This requires only one
> ethernet interface on the router. E.g.:
> VLAN 1 for network A, machines use eth0.1
> VLAN 2 for network B, machines use eth0.2
>
> b) Set /proc/sys/net/ipv4/all/arp_ignore to 1 on the router so each
> interface replies only to ARP requests for its own address. This way the
> other machines will send packets only to the correct interface.
>
> Note that these options do not provide the same level of security as
> separate links.
>
Good information. I only use virtualization on an intermittent basis and
then only to test various things when I am not able to use other means.
Normally what you describe above is not a big issue since I'm usually
not trying to route packets between virtual machines. I'll look at some
of the solutions you outline above for future test scenarios.
Appreciate the help figuring out why I was seeing the "strange"
behavior.
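To make Pascal's option (b) concrete, here is an added model (not code from the thread) of how the kernel's net.ipv4.conf.all.arp_ignore setting decides which router interface answers an ARP request when both interfaces sit on the same link. The topology (eth0 on 10.1.0.0/24 as network A, eth1 on 10.2.0.0/24 as network B, a host 10.2.0.50 on B) is constructed for the example; the model applies the "all" value to every interface and ignores per-interface overrides.

```python
"""Model of arp_ignore on a router whose interfaces share one L2 link."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Interface:
    name: str
    addrs: list  # ipaddress.IPv4Interface objects configured on this interface


@dataclass
class Router:
    ifaces: list
    arp_ignore: int = 0  # value of net.ipv4.conf.all.arp_ignore

    def local_addrs(self):
        return {a.ip for i in self.ifaces for a in i.addrs}

    def replies(self, who_has, sender_ip):
        """Interfaces that answer an ARP request broadcast on the shared link.

        0: answer for any local address, on whatever interface saw the request
        1: answer only if the target address is configured on that interface
        2: as 1, and the sender must be in the target's subnet on that interface
        """
        target = ipaddress.ip_address(who_has)
        sender = ipaddress.ip_address(sender_ip)
        answering = []
        for iface in self.ifaces:  # every interface on the link sees the broadcast
            if self.arp_ignore == 0:
                ok = target in self.local_addrs()
            elif self.arp_ignore == 1:
                ok = any(a.ip == target for a in iface.addrs)
            elif self.arp_ignore == 2:
                ok = any(a.ip == target and sender in a.network for a in iface.addrs)
            else:
                raise ValueError("only arp_ignore 0, 1 and 2 are modelled")
            if ok:
                answering.append(iface.name)
        return answering


def shared_link_router(arp_ignore):
    """Constructed topology from the thread: two subnets, one physical link."""
    eth0 = Interface("eth0", [ipaddress.ip_interface("10.1.0.1/24")])  # network A
    eth1 = Interface("eth1", [ipaddress.ip_interface("10.2.0.1/24")])  # network B
    return Router([eth0, eth1], arp_ignore)


if __name__ == "__main__":
    for mode in (0, 1):
        # host 10.2.0.50 on network B asks for its gateway 10.2.0.1
        print(mode, shared_link_router(mode).replies("10.2.0.1", "10.2.0.50"))
```

With arp_ignore=0 both interfaces reply and the host may cache eth0's MAC for 10.2.0.1, so its traffic arrives on the wrong interface and `-i`/`-o` matches in the FORWARD chain no longer line up with the intended networks; with arp_ignore=1 only eth1 answers.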