From: Tommy McNeely <Tommy.McNeely@Sun.COM>
To: netfilter@newkirk.us, netfilter@lists.netfilter.org
Subject: Re: OT: curious about eth0/eth1
Date: Wed, 08 Jan 2003 09:27:57 -0700
Message-ID: <88830000.1042043277@leverage>
In-Reply-To: <200301072247.24369.netfilter@newkirk.us>
Joel,
You pose an interesting case, one which I had certainly not thought of,
but as my "firewall" is generally the DHCP server for the internal network
(among other things) it pretty much has to have a static IP configured for
eth0.
On a side note... the case you speak of is easily averted by using
different cards :)
[root@pickles root]# cat /etc/modules.conf
alias parport_lowlevel parport_pc
alias eth0 3c59x
alias eth1 eepro100
alias eth2 tulip
anyhow.. I am glad folks are responding.. I think it's an interesting topic :)
Tommy
--On Tuesday, January 07, 2003 10:47:24 PM -0500 Joel Newkirk
<netfilter@newkirk.us> wrote:
> On Tuesday 07 January 2003 06:59 pm, Tommy McNeely wrote:
>> I am curious about why people choose to make a certain interface
>> internal or external...
>
>> I notice several people pick eth0 as their outside interface, and
>> sorta "oh yea" the rest of the inside network is on eth1. I know the
>> linux kernel could really care less what they are called, its mostly a
>> "neatness" thing I guess... Also it seems like that leaves your box
>> open to attack from the time it installs (if you do a NET based
>> install) till the time you get around to actually putting a firewall
>> on it.
>
> Why would this in particular leave a box exposed?
>
> I think that the main reason for 'some one way, some the other' is random
> chance. However, consider this scenario:
>
> You have two NICs, eth0 and eth1. The connections on one you trust (-i
> eth0 -j ACCEPT), the other you don't. One of them fails, or the board
> works loose from its socket, or something, so that upon booting the
> machine you only have one interface. No matter which board fails, the
> remaining board would be eth0. If eth0 is your 'trusted' internal
> network in normal conditions, and it fails, then suddenly the untrusted
> network is operating under the trusted network's rules. However, the IP
> assignment (if static!) would remain that of the trusted network, so as
> long as eth0 is configured with a static IP this shouldn't present a
> risk. If, however, both are dynamic, (say DHCP assigned) then this
> would qualify as a security hole, possibly a huge one. To be fair, this
> is probably a very rare intersection of situations, but if eth0 is the
> untrusted network, then any failure would be an annoyance, not a risk.
>
> j
>
>
>
--
Tommy McNeely -- Tommy.McNeely@Sun.COM
Sun Microsystems - IT Ops - Broomfield Campus Support
Phone: x50888 / 303-464-4888 -- Fax: 720-566-3168
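Joel's failure scenario (one card missing, the survivor enumerated as eth0 and inheriting the "-i eth0 -j ACCEPT" rule) and Tommy's modules.conf aliases both come down to the same point: an iptables rule keyed only on an interface name trusts whatever hardware happens to get that name at boot. The script below is an added example, not code from either poster: before loading name-based rules it checks that eth0 and eth1 still carry the expected hardware addresses (read from a sysfs-style tree), and falls back to a deny-all policy if the layout has shifted. The MAC addresses and the 192.168.0.0/24 internal subnet are constructed placeholders; the `make_fake_sysfs` helper exists only so the check can be exercised offline without real interfaces.

```shell
#!/bin/sh
# Added example (not from the thread): refuse to load interface-name-based
# firewall rules unless the names still map to the expected hardware.
# Constructed placeholder values; on a real host read the addresses from
# /sys/class/net/<iface>/address and fill them in.
EXPECTED_INTERNAL_MAC="00:11:22:33:44:55"   # card that should be eth0
EXPECTED_EXTERNAL_MAC="66:77:88:99:aa:bb"   # card that should be eth1
INTERNAL_NET="192.168.0.0/24"               # constructed internal subnet

# Print the MAC of interface $1, reading from sysfs root $2
# (defaults to /sys/class/net; tests point it at a temporary tree).
# Prints "none" when the interface does not exist.
iface_mac() {
    root="${2:-/sys/class/net}"
    if [ -r "$root/$1/address" ]; then
        cat "$root/$1/address"
    else
        echo "none"
    fi
}

# Return 0 only when eth0 is the expected internal card AND eth1 is the
# expected external card. A missing or shifted card returns 1, which is
# exactly the case Joel describes: the surviving card is renamed eth0.
check_layout() {
    root="$1"
    int_mac=$(iface_mac eth0 "$root")
    ext_mac=$(iface_mac eth1 "$root")
    [ "$int_mac" = "$EXPECTED_INTERNAL_MAC" ] && \
    [ "$ext_mac" = "$EXPECTED_EXTERNAL_MAC" ]
}

# Print the rule set that should be loaded (prints only, never applies).
# Even in the healthy case the ACCEPT rule is bound to the internal subnet
# as well as the name, so a name shift alone is not enough to be trusted.
firewall_plan() {
    if check_layout "$1"; then
        echo "iptables -P INPUT DROP"
        echo "iptables -A INPUT -i lo -j ACCEPT"
        echo "iptables -A INPUT -i eth0 -s $INTERNAL_NET -j ACCEPT"
        echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    else
        echo "iptables -P INPUT DROP   # layout mismatch: no interface trusted"
        echo "iptables -A INPUT -i lo -j ACCEPT"
    fi
}

# Build a constructed sysfs-like tree for offline demonstration.
# $1 = directory to populate, remaining args = name=mac pairs.
make_fake_sysfs() {
    dir="$1"; shift
    for pair in "$@"; do
        name="${pair%%=*}"; mac="${pair#*=}"
        mkdir -p "$dir/$name"
        printf '%s\n' "$mac" > "$dir/$name/address"
    done
}

# Demonstration: healthy two-card box, then the box after the internal card
# fails and the external card is enumerated as eth0.
demo() {
    healthy=$(mktemp -d)
    make_fake_sysfs "$healthy" "eth0=$EXPECTED_INTERNAL_MAC" "eth1=$EXPECTED_EXTERNAL_MAC"
    echo "== healthy layout =="; firewall_plan "$healthy"

    shifted=$(mktemp -d)
    make_fake_sysfs "$shifted" "eth0=$EXPECTED_EXTERNAL_MAC"
    echo "== external card now eth0 =="; firewall_plan "$shifted"

    rm -rf "$healthy" "$shifted"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh check_layout.sh demo` to see both plans printed; wiring `check_layout` into the script that actually loads rules at boot is the point, with the deny-all branch as the safe default.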
Thread overview:
2003-01-07 23:59 OT: curious about eth0/eth1 Tommy McNeely
2003-01-08 3:47 ` Joel Newkirk
2003-01-08 8:21 ` Arnt Karlsen
2003-01-08 16:27 ` Tommy McNeely [this message]
2003-01-08 11:40 ` Maciej Soltysiak