* If eth0 goes down after a reboot, rules for it will be applied to eth1.
From: Erik Enge @ 2002-09-11 13:42 UTC (permalink / raw)
To: netfilter
Hi all.
I have a question about how ethernet cards work. I send it here because
I'm thinking that this community probably has dealt with it before, as
it seems to me to be an obvious problem (with no apparent solution to
me; hence this email).
Let's assume I have a firewall with three NICs. As we know, the
ethernet cards under Unix (I'm running Linux 2.4) are assigned eth0/1/2
and so on based on the bus number the BIOS gives them. My setup is as
follows:
NIC 1, eth0, DMZ interface [somewhat laid-back firewall rules]
NIC 2, eth1, LAN interface [very strict firewall rules]
NIC 3, eth2, router interface [basically FORWARDs everything]
NIC 4, eth3, external interface [basically FORWARDs everything]
Now, say we take down the firewall for some reason, and upon it coming
back up eth0 dies. The bus assigning will then be a bit different, and
so will eth0/1/2 and so on (which is what the firewall rules are set
against).
This means that I could end up in a situation where my laid-back DMZ
rules were applied to my LAN interface and my external interface would
still work, because it would take the eth2 which is pretty laid-back.
The only thing that wouldn't work (which would trigger me that something
was wrong) is that I can't access the DMZ and my router interface.
However, if I'm unlucky, some cracker might have enough time to intrude
into my, now completely open, LAN interface and its associated network.
So, my question then, is how do you guys deal with this? Is there a way
to ensure that the card in slot such-and-such is assigned eth1 every
single time, even if the card assigned to eth0 dies? Or is there
another and perhaps better solution to all this?
Thanks for any replies,
Erik Enge.
* Re: If eth0 goes down after a reboot, rules for it will be applied to eth1.
From: Antony Stone @ 2002-09-11 14:05 UTC (permalink / raw)
To: netfilter
On Wednesday 11 September 2002 2:42 pm, Erik Enge wrote:
> Let's assume I have a firewall with three NICs.
>
> NIC 1, eth0, DMZ interface [somewhat laid-back firewall rules]
> NIC 2, eth1, LAN interface [very strict firewall rules]
> NIC 3, eth2, router interface [basically FORWARDs everything]
> NIC 4, eth3, external interface [basically FORWARDs everything]
>
> Now, say we take down the firewall for some reason, and upon it coming
> back up eth0 dies. The bus assigning will then be a bit different, and
> so will eth0/1/2 and so on (which is what the firewall rules are set
> against).
>
> This means that I could end up in a situation where my laid-back DMZ
> rules were applied to my LAN interface and my external interface would
> still work, because it would take the eth2 which is pretty laid-back.
You're talking about your netfilter rules here (and you're right), but you
haven't considered what happens to the IP addresses....
The IP address which was supposed to be on the 'real' eth0, which has just
died, gets applied to what you think is eth1 (even though your computer has
just decided to rename it eth0 as the first working ethernet card it found).
It is almost inconceivable that the interface connecting you to the outside
world will deign to communicate with your router (or whatever else is the
next hop upstream of you) because the IP address, network address, default
gateway, netmask etc don't match.
Only if you physically plug the new eth0 (old eth1) into whatever the dead
eth0 used to connect to will the new eth0 actually communicate with anything,
and of course if you do that to each interface so that it talks, you've got
your old configuration back again (minus one dead interface).
So, basically I don't think there's anything to worry about.
Antony.
--
Most people are aware that the Universe is big.
- Paul Davies, Professor of Theoretical Physics
* Re: If eth0 goes down after a reboot, rules for it will be applied to eth1.
From: Erik Enge @ 2002-09-11 16:14 UTC (permalink / raw)
To: netfilter; +Cc: Antony
On Wed, 11 Sep 2002 15:05:54 +0100, Antony Stone wrote:
> The IP address which was supposed to be on the 'real' eth0, which has
> just died, gets applied to what you think is eth1 (even though your
> computer has just decided to rename it eth0 as the first working
> ethernet card it found).
Correct:
Before death of NIC 1:
NIC 1, eth0, 192.168.1.1
NIC 2, eth1, 192.168.1.2
NIC 3, eth2, 192.168.1.3
and so on...
After death of NIC 2:
NIC 1 - dead
NIC 2, eth0, 192.168.1.2
NIC 3, eth1, 192.168.1.3
and so on...
> It is almost inconceivable that the interface connecting you to the
> outside world will deign to communicate with your router (or whatever
> else is the next hop upstream of you) because the IP address, network
> address, default gateway, netmask etc don't match.
I don't follow you. Let's suppose that the external interface now has
very laid-back rules and still has the same IP address, network address,
default gateway and netmask (because the 'ifconfig' statement wouldn't
have changed). Why is it inconceivable that that interface would
communicate with my router? I can't see why it wouldn't.
Thanks for your reply,
Erik Enge.
* Re: If eth0 goes down after a reboot, rules for it will be applied to eth1.
From: Michael H.Collins @ 2002-09-11 17:19 UTC (permalink / raw)
To: Erik Enge; +Cc: netfilter
I reboot. Seems to me Dells are notorious for losing a NIC. In my case
I can usually go out, but nothing gets in.
On 11 Sep 2002 09:42:15 -0400
Erik Enge <eenge@prium.net> spewed into the bitstream:
~Hi all.
~
~I have a question about how ethernet cards work. I send it here
~because I'm thinking that this community probably has dealt with it
~before, as it seems to me to be an obvious problem (with no apparent
~solution to me; hence this email).
--
Michael H. Collins Admiral, Penguinista Navy (o_
http://www.mdrconsult.com http://www.lrsehosting.com/ //\
http://kpig.com http://rawdeal.org V_/_
http://www.redhat.com/opensourcenow/
* Re: If eth0 goes down after a reboot, rules for it will be applied to eth1.
From: Antony Stone @ 2002-09-11 17:44 UTC (permalink / raw)
To: netfilter
On Wednesday 11 September 2002 5:14 pm, Erik Enge wrote:
> Before death of NIC 1:
>
> NIC 1, eth0, 192.168.1.1
> NIC 2, eth1, 192.168.1.2
> NIC 3, eth2, 192.168.1.3
> and so on...
Ugh !!! What sort of networking setup have you got here ???
You're *supposed* to put addresses from different subnets onto each
interface...
What netmasks are you using on these interfaces ?
> > It is almost inconceivable that the interface connecting you to the
> > outside world will deign to communicate with your router (or whatever
> > else is the next hop upstream of you) because the IP address, network
> > address, default gateway, netmask etc don't match.
>
> I don't follow you. Let's suppose that the external interface now has
> very laid-back rules and still has the same IP address, network address,
> default gateway and netmask (because the 'ifconfig' statement wouldn't
> have changed). Why is it inconceivable that that interface would
> communicate with my router? I can't see why it wouldn't.
Based on the addresses you've given above, I agree with you, but that looks
like a very weird way to set up a firewall. I don't understand how you
expect your routing tables to work.
Give us more information about your overall network setup, and we'll probably
either tell you that you've been very lucky with your routing table setup, or
that you've got more to worry about than one of your NICs dying :-)
Antony.
--
If you want to be happy for an hour, get drunk.
If you want to be happy for a year, get married.
If you want to be happy for a lifetime, get a garden.
* Re: If eth0 goes down after a reboot, rules for it will be applied to eth1.
From: Lists @ 2002-09-11 18:19 UTC (permalink / raw)
To: netfilter
Erik:
I don't know if this does exactly what you want, but have you tried
putting a
HWADDR=xx:xx:xx:xx:xx:xx
line into each /etc/sysconfig/network-scripts/ifcfg-ethx
This should tie ethx to the specified mac address. Remember to update if
you change hardware.
Regards,
gene/
Erik Enge wrote:
>Hi all.
>
>I have a question about how ethernet cards work. I send it here because
>I'm thinking that this community probably has dealt with it before, as
>it seems to me to be an obvious problem (with no apparent solution to
>me; hence this email).
* Re: If eth0 goes down after a reboot, rules for it will be applied to eth1.
From: Erik Enge @ 2002-09-11 18:25 UTC (permalink / raw)
To: Antony Stone; +Cc: netfilter
Antony Stone <Antony@Soft-Solutions.co.uk> writes:
> Ugh !!! What sort of networking setup have you got here ???
A fictional one. :-)
Here's what we are thinking about doing, with the actual subnets:
NIC 1, eth0, 192.168.1.0, private LAN
NIC 2, eth1, 192.168.10.0, DMZ
NIC 3, eth2, 192.168.11.0, DMZ located elsewhere
NIC 4, eth3, 10.0.0.0, backup subnet
NIC 5, eth4, some-other-subnet-that-leads-to-the-internet
> Give us more information about your overall network setup, and we'll
> probably either tell you that you've been very lucky with your routing
> table setup, or that you've got more to worry about than one of your
> NICs dying :-)
:-)
Ok, given the above configuration, and as we discussed before, why is it
inconceivable that the interface would communicate with my router?
Thanks for your help so far,
Erik.
Note: currently, we only have one small firewall with a LAN behind it.
The reason we need this quite elaborate setup (assuming we're not going
to buy any switches) is that we are moving part of our infrastructure to
a colocation.
* Re: If eth0 goes down after a reboot, rules for it will be applied to eth1.
From: Antony Stone @ 2002-09-11 18:32 UTC (permalink / raw)
To: netfilter
On Wednesday 11 September 2002 7:19 pm, Lists wrote:
> Erik:
>
> I dont know if this does exactly what you want, but have you tried
> putting a
>
> HWADDR=xx:xx:xx:xx:xx:xx
>
> line into each /etc/sysconfig/network-scripts/ifcfg-ethx
> This should tie ethx to the specified mac address. Remember to update if
> you change hardware.
Sorry, what does this do ? This looks specific to some distribution to me
(and not one that I use) so it would be nice to know what happens to that
information and how it gets integrated with netfilter rules ?
Antony.
--
Abandon hope, all ye who enter here.
You'll feel much better about things once you do.
* Re: If eth0 goes down after a reboot, rules for it will be applied to eth1.
From: Antony Stone @ 2002-09-11 18:47 UTC (permalink / raw)
To: netfilter
On Wednesday 11 September 2002 7:25 pm, Erik Enge wrote:
> Antony Stone <Antony@Soft-Solutions.co.uk> writes:
> > Ugh !!! What sort of networking setup have you got here ???
>
> A fictional one. :-)
Oh good. I feel much better about things already.
> Here's what we are thinking about doing, with the actual subnets:
>
> NIC 1, eth0, 192.168.1.0, private LAN
> NIC 2, eth1, 192.168.10.0, DMZ
> NIC 3, eth2, 192.168.11.0, DMZ located elsewhere
> NIC 4, eth3, 10.0.0.0, backup subnet
> NIC 5, eth4, some-other-subnet-that-leads-to-the-internet
Very nice. Very reasonable. This should work. I still think you have
nothing to worry about (as I said in my first reply).
> Ok, given the above configuration, and as we discussed before, why is it
> inconceivable that the interface would communicate with my router?
eth1 has address 192.168.10.1 (I assume), netmask 255.255.255.0, and it's
expecting to find other machines with the network address 192.168.10.0/24
connected to it.
One day eth0 dies and eth1 gets reassigned by the Bios / kernel to take over
the duties of eth0 (however it's still plugged into the same equipment it
used to be connected to).
So eth1 now has address 192.168.1.1, netmask 255.255.255.0, and expects to
talk to machines with network address 192.168.1.0/24 connected to it.
If something with address 192.168.10.42 sends out an ARP request for its
default gateway of 192.168.10.1 (ie the old eth1 which it used to be
connected to), this interface which now has address 192.168.1.1 isn't going
to reply, so nothing communicates at the ethernet level (Ramin, I'm not going
to discuss whether this is layer 1 or layer 2 right now, okay ?)
Similarly, by the time you get up to NIC5, which used to be eth4, and is now
eth3, you've got eth3 with address 10.0.0.0 (I'll assume this has a netmask
of 255.0.0.0 for the time being, but it really doesn't matter whether you've
picked a Class A, B or C for this) plugged into something-that-leads-to-the-
Internet, but which definitely doesn't have an address starting with 10 (if
it did, it would have been plugged into NIC4 in the first place). Therefore
this interface (NIC5) won't communicate with anything either for the same
reason.
Basically what happens is that NIC1 dies, all the other NICs get assigned IP
addresses which are invalid on the networks they're physically connected to,
and ARP (which is what links the ethernet layer and the IP layer) doesn't
work any more. Nothing will talk to anything else until you either repair
NIC1, or swap all the cables along one position on your firewall, which
brings you back to the physical configuration you wanted in the first place.
Does this make it clear ?
> Note: currently, we only have one small firewall with a LAN behind it.
> The reason we need this quite elaborate setup (assuming we're not going
> to buy any switches) is that we are moving part of our infrastructure to
> a colocation.
That's no problem. One day you'll join them up using FreeS/WAN, I hope :-)
Antony.
--
Most people have more than the average number of legs.
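Antony's argument above, and Erik's original worry at the top of the thread, can be checked mechanically rather than argued. What follows is an added example, not code from anyone in the thread: it models the bus-order renaming the thread assumes (surviving cards become eth0, eth1, ... in slot order after one dies) and asks, for each surviving card, whether the address it inherits lies on the prefix of the wire it is actually cabled to, which is the condition for ARP to resolve at all. The slot-to-wire cabling, the upstream prefix 203.0.113.0/29 and every address and policy label are constructed for the illustration; the second, flat layout reproduces Erik's first (fictional) 192.168.1.x table.

```python
import ipaddress

# Constructed scenario: the wire each physical slot is cabled to, listed in
# the bus order the thread assumes the kernel walks when it hands out names.
SLOT_WIRES = {
    1: "192.168.1.0/24",   # private LAN
    2: "192.168.10.0/24",  # DMZ
    3: "192.168.11.0/24",  # DMZ located elsewhere
    4: "10.0.0.0/8",       # backup subnet
    5: "203.0.113.0/29",   # upstream link (assumed prefix)
}

# What ifconfig and the firewall script apply to each *name*, whichever card
# happens to carry that name after boot.
NAME_CONFIG = {
    "eth0": ("192.168.1.1/24", "strict"),
    "eth1": ("192.168.10.1/24", "laid-back"),
    "eth2": ("192.168.11.1/24", "laid-back"),
    "eth3": ("10.0.0.1/8", "forward-all"),
    "eth4": ("203.0.113.2/29", "forward-all"),
}

# Erik's first, flat layout: every wire on the same /24, DMZ policy on eth0.
FLAT_WIRES = {1: "192.168.1.0/24", 2: "192.168.1.0/24", 3: "192.168.1.0/24"}
FLAT_CONFIG = {
    "eth0": ("192.168.1.1/24", "laid-back"),    # DMZ
    "eth1": ("192.168.1.2/24", "strict"),       # LAN
    "eth2": ("192.168.1.3/24", "forward-all"),  # router
}

POLICY_RANK = {"strict": 0, "laid-back": 1, "forward-all": 2}


def assign_names(slot_wires, dead_slots=()):
    """Bus-order naming: surviving slots become eth0, eth1, ... in slot order."""
    survivors = sorted(s for s in slot_wires if s not in dead_slots)
    return {slot: f"eth{i}" for i, slot in enumerate(survivors)}


def simulate(slot_wires, name_config, dead_slots=()):
    """Per surviving slot: the name and config it inherits, and whether that
    address is inside the prefix of the wire the slot is physically on."""
    report = []
    for slot, name in assign_names(slot_wires, dead_slots).items():
        cidr, policy = name_config[name]
        iface = ipaddress.ip_interface(cidr)
        wire = ipaddress.ip_network(slot_wires[slot])
        report.append({
            "slot": slot,
            "name": name,
            "wire": str(wire),
            "address": str(iface),
            "policy": policy,
            # ARP between the firewall and its neighbours only resolves when
            # the configured address lies on the wire's prefix.
            "on_wire": iface.ip in wire,
        })
    return report


def intended_policies(slot_wires, name_config):
    """Policy each slot is meant to run: the healthy-boot assignment."""
    return {r["slot"]: r["policy"] for r in simulate(slot_wires, name_config)}


def exposed_slots(report, intended):
    """Slots that are both reachable (on_wire) and running a weaker policy
    than intended: the case Erik worried about."""
    return [r["slot"] for r in report
            if r["on_wire"]
            and POLICY_RANK[r["policy"]] > POLICY_RANK[intended[r["slot"]]]]


if __name__ == "__main__":
    for wires, config in ((SLOT_WIRES, NAME_CONFIG), (FLAT_WIRES, FLAT_CONFIG)):
        after = simulate(wires, config, dead_slots=(1,))
        for r in after:
            state = "reachable" if r["on_wire"] else "off-net"
            print(f"slot {r['slot']} -> {r['name']} {r['address']} on {r['wire']}: "
                  f"{state}, {r['policy']}")
        print("exposed slots:", exposed_slots(after, intended_policies(wires, config)))
```

With the subnet-per-wire layout, killing slot 1 leaves every surviving card off-net and nothing exposed, which is Antony's point. With the flat layout, the renamed card on the LAN wire is still on-net and now runs the laid-back policy, which is why a single shared prefix across interfaces removes the safety net he is relying on.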
* Re: If eth0 goes down after a reboot, rules for it will be applied to eth1.
From: Erik Enge @ 2002-09-11 20:21 UTC (permalink / raw)
To: Antony Stone; +Cc: netfilter
Antony Stone <Antony@Soft-Solutions.co.uk> writes:
> Does this make it clear?
Ahh, now it all makes sense.
Thanks so very much for your time. :-)
Erik.
* Re: If eth0 goes down after a reboot, rules for it will be applied to eth1.
From: Lists @ 2002-09-12 4:11 UTC (permalink / raw)
To: netfilter
Yes, sorry, you're right - this is Red Hat-specific - I believe it is
consumed by ifup, which confirms the MAC address matches before it
actually ifup's the interface. Nothing to do with netfilter really ...
On Wed, 2002-09-11 at 14:32, Antony Stone wrote:
> On Wednesday 11 September 2002 7:19 pm, Lists wrote:
>
> > ..
>
> Sorry, what does this do ? This looks specific to some distribution to me
> (and not one that I use) so it would be nice to know what happens to that
> information and how it gets integrated with netfilter rules ?
>
> Antony.
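The HWADDR= line gene suggests earlier in the thread, and explains here, makes ifup refuse to bring a name up on the wrong card; it does nothing for a firewall script that later keys rules on eth0/eth1, which is what Erik's question is about. As an added example (not code from anyone in the thread), the following Python performs the same name-to-MAC check against sysfs and, if any name has moved, loads a drop-everything policy instead of the real rule set, so the strict/laid-back split can never be inverted by renumbering. All MAC addresses and the rule set are constructed for the illustration; /sys/class/net/<name>/address is the real kernel interface the check reads.

```python
import os
import shlex
import subprocess

# Constructed MACs, not from the thread: the card each name must be on.
# On a Red Hat-style system this is what HWADDR= in ifcfg-ethX pins for ifup;
# the firewall script re-checks it because netfilter never sees ifcfg.
EXPECTED_MACS = {
    "eth0": "00:50:56:00:00:01",  # private LAN, strict
    "eth1": "00:50:56:00:00:02",  # DMZ, laid-back
    "eth2": "00:50:56:00:00:03",  # upstream, forwards
}

# Interface-keyed rules (constructed); only meaningful if the names above
# really are on the cards above.
RULES = [
    "iptables -F",
    "iptables -P INPUT DROP",
    "iptables -P FORWARD DROP",
    "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT",
    "iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT",
    "iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT",
    "iptables -A FORWARD -i eth2 -o eth1 -p tcp --dport 80 -j ACCEPT",
    "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
]

# Loaded instead when the name-to-card check fails: drop everything and wait
# for someone at the console.
FAIL_CLOSED = [
    "iptables -F",
    "iptables -P INPUT DROP",
    "iptables -P OUTPUT DROP",
    "iptables -P FORWARD DROP",
]


def read_sysfs_macs(root="/sys/class/net"):
    """Observed name -> MAC as the kernel reports it; root is a parameter so
    the function can be pointed at a copy of sysfs for testing."""
    macs = {}
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "address")) as fh:
                macs[name] = fh.read().strip().lower()
        except OSError:
            continue  # interfaces without an address file
    return macs


def verify_names(expected, observed):
    """Every problem found; an empty list means each pinned name is on its card."""
    problems = []
    for name, mac in expected.items():
        seen = observed.get(name)
        if seen is None:
            problems.append(f"{name}: not present")
        elif seen != mac.lower():
            problems.append(f"{name}: carries {seen}, expected {mac.lower()}")
    return problems


def plan_rules(expected, observed, rules=RULES):
    """Return (commands, problems). With any mismatch the commands are the
    fail-closed set, so a renumbered card never inherits a laxer policy."""
    problems = verify_names(expected, observed)
    if problems:
        return list(FAIL_CLOSED), problems
    return list(rules), []


def apply_commands(commands, dry_run=True):
    """Print the commands, or run them when dry_run is False (needs root)."""
    for cmd in commands:
        if dry_run:
            print(cmd)
        else:
            subprocess.run(shlex.split(cmd), check=True)


if __name__ == "__main__":
    commands, problems = plan_rules(EXPECTED_MACS, read_sysfs_macs())
    for p in problems:
        print("interface check failed:", p)
    apply_commands(commands, dry_run=True)
```

Losing all connectivity when a card dies is the intended trade-off: a console visit beats an open LAN. Keep EXPECTED_MACS current when you replace a card, as gene notes for HWADDR, or the check fails closed on the next boot.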