Linux Netfilter discussions
From: Erik Enge <eenge@prium.net>
To: netfilter@lists.netfilter.org
Subject: If eth0 goes down after a reboot, rules for it will be applied to eth1.
Date: 11 Sep 2002 09:42:15 -0400
Message-ID: <87sn0g4p8o.fsf@prium.net>

Hi all.

I have a question about how ethernet cards work.  I send it here because
I'm thinking that this community probably has dealt with it before, as
it seems to me to be an obvious problem (with no apparent solution to
me; hence this email).

Let's assume I have a firewall with three NICs.  As we know, the
ethernet cards under Unix (I'm running Linux 2.4) are assigned eth0/1/2
and so on based on the bus number the BIOS gives them.  My setup is as
follows:

  NIC 1, eth0, DMZ interface [somewhat laid-back firewall rules]
  NIC 2, eth1, LAN interface [very strict firewall rules]
  NIC 3, eth2, router interface [basically FORWARDs everything]
  NIC 4, eth3, external interface [basically FORWARDs everything]

Now, say we take down the firewall for some reason, and upon it coming
back up eth0 dies.  The bus assigning will then be a bit different, and
so will eth0/1/2 and so on (which is what the firewall rules are set
against).

This means that I could end up in a situation where my laid-back DMZ
rules were applied to my LAN interface and my external interface would
still work, because it would take the eth2 which is pretty laid-back.
The only thing that wouldn't work (which would trigger me that something
was wrong) is that I can't access the DMZ and my router interface.
However, if I'm unlucky, some cracker might have enough time to intrude
into my, now completely open, LAN interface and its associated network.

So, my question then, is how do you guys deal with this?  Is there a way
to ensure that the card in slot such-and-such is assigned eth1 every
single time, even if the card assigned to eth0 dies?  Or is there
another and perhaps better solution to all this?

Thanks for any replies,

Erik Enge.
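The failure mode described in the post (a card disappears, the kernel renumbers the survivors, and the rules written against eth0/eth1/... silently land on the wrong cards) can be avoided by never naming interfaces in the rule set at all. The script below is an added example, not code from the post or from any reply in this thread: it binds each firewall role to a NIC's MAC address, resolves the current interface name for that MAC at load time, and refuses to load anything if a role's NIC is absent, so a dead card fails closed instead of opening the LAN. The MAC addresses, the 192.168.1.0/24 LAN address and the rule lines are assumptions chosen for the illustration, and the `ip -o link show` output is a constructed stand-in so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post or its replies. Resolves each
# firewall role to a NIC by MAC address at rule-load time, so rules never
# follow whatever name the kernel handed out after a card disappeared. If any
# role's NIC is missing, no rules at all are loaded (fail closed).

# Hypothetical role -> MAC policy; the MAC addresses are assumed for the example.
POLICY='dmz 00:50:56:aa:bb:01
lan 00:50:56:aa:bb:02
router 00:50:56:aa:bb:03
external 00:50:56:aa:bb:04'

# Constructed stand-ins for `ip -o link show` output (iproute2) so the script
# runs offline. On a real box use: LINKS=$(ip -o link show)
LINKS_ALL='1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue \    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100 \    link/ether 00:50:56:AA:BB:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100 \    link/ether 00:50:56:AA:BB:02 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100 \    link/ether 00:50:56:AA:BB:03 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100 \    link/ether 00:50:56:AA:BB:04 brd ff:ff:ff:ff:ff:ff'

# The same box after the DMZ card died: every remaining card shifts down one name,
# so the old LAN card is now eth0 and the old router card is eth1.
LINKS_DMZ_DEAD='1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue \    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100 \    link/ether 00:50:56:AA:BB:02 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100 \    link/ether 00:50:56:AA:BB:03 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100 \    link/ether 00:50:56:AA:BB:04 brd ff:ff:ff:ff:ff:ff'

# iface_for_mac MAC LINKS: print the interface name currently carrying MAC
# (case-insensitive), or nothing if no such card is present.
iface_for_mac() {
    printf '%s\n' "$2" | awk -v mac="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { name = $2; sub(/:$/, "", name)
          for (i = 1; i < NF; i++)
              if ($i == "link/ether" && tolower($(i + 1)) == mac) { print name; exit } }'
}

# resolve_roles LINKS: print "role iface" for every policy line. If any role has
# no matching card, print nothing on stdout, report on stderr and return 1.
resolve_roles() {
    printf '%s\n' "$1" | awk -v policy="$POLICY" '
        { name = $2; sub(/:$/, "", name)
          for (i = 1; i < NF; i++)
              if ($i == "link/ether") by_mac[tolower($(i + 1))] = name }
        END {
            n = split(policy, lines, "\n"); ok = 1
            for (k = 1; k <= n; k++) {
                split(lines[k], f, " "); role = f[1]; mac = tolower(f[2])
                if (mac in by_mac) out = out role " " by_mac[mac] "\n"
                else { print "role " role ": no NIC with MAC " mac > "/dev/stderr"; ok = 0 }
            }
            if (!ok) exit 1
            printf "%s", out
        }'
}

# build_rules LINKS: emit the iptables commands with interface names filled in,
# or emit nothing and return 1 when a role cannot be resolved. The rule set is
# illustrative (assumed addresses), following the roles named in the post.
build_rules() {
    map=$(resolve_roles "$1") || return 1
    dmz=$(printf '%s\n' "$map" | awk '$1 == "dmz" { print $2 }')
    lan=$(printf '%s\n' "$map" | awk '$1 == "lan" { print $2 }')
    rtr=$(printf '%s\n' "$map" | awk '$1 == "router" { print $2 }')
    ext=$(printf '%s\n' "$map" | awk '$1 == "external" { print $2 }')
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i $lan -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $dmz -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $lan -o $ext -j ACCEPT
iptables -A FORWARD -i $rtr -o $ext -j ACCEPT
iptables -A FORWARD -i $ext -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Stand-alone demo: healthy box first, then the fail-closed path.
echo "== all four NICs present: rules bound to the right cards =="
build_rules "$LINKS_ALL"
echo "== DMZ NIC missing: refuse to load anything =="
build_rules "$LINKS_DMZ_DEAD" || echo "no rules loaded (exit $?)"
```

The script only prints the iptables commands; to apply them, pipe its output into `sh` after replacing the constructed link table with `$(ip -o link show)`. The point is in the second run: the LAN card's MAC is still found (it is now eth0), but because the DMZ card is gone the loader produces no rules at all, which is the state you want to notice during a reboot rather than a LAN interface wearing the DMZ policy.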



Thread overview: 11+ messages
2002-09-11 13:42 Erik Enge [this message]
2002-09-11 14:05 ` If eth0 goes down after a reboot, rules for it will be applied to eth1 Antony Stone
2002-09-11 17:19 ` Michael H.Collins
2002-09-11 18:19 ` Lists
2002-09-11 18:32   ` Antony Stone
2002-09-12  4:11     ` Lists
  -- strict thread matches above, loose matches on Subject: below --
2002-09-11 16:14 Erik Enge
2002-09-11 17:44 ` Antony Stone
2002-09-11 18:25   ` Erik Enge
2002-09-11 18:47     ` Antony Stone
2002-09-11 20:21       ` Erik Enge
