Vieri Di Paola
2009-Jun-04 16:49 UTC
shorewall on a livecd: best approach to detect interfaces
Hi,

I'm in the process of building a custom liveCD that will be used as a firewall/multi-ISP gateway (read-only media).

The idea is that the liveCD should boot any x86 system. This implies that the motherboard and NICs may vary (hardware replacement because of system failure).

Linux displays ethernet interfaces with the eth* nomenclature and the shorewall interfaces file also uses it. However, I've noticed that sometimes, when hardware is changed, the ethernet interfaces don't show up in the same order. For example, recently I had to change a 4-port D-link NIC with a newer but identical card, on the same machine. On this machine I also have 3 3Com cards. Before replacing the card, "ifconfig -a" displayed the cards in this order: eth0,1,2,4,5,6,7 (a total of 7 interfaces). After the replacement, I had this order: eth0,1,2,3,4,5,6.

I don't know how eth devices are assigned in Linux and how udev actually works. On a writable operating system I can (and I have) simply modified the udev "persistent net rules" which associate eth* devices to MAC addresses. That allows me to leave my Shorewall interface configuration untouched.

However, how can I handle this on a read-only system? How can I be sure that the "eth sequence" will always be in the "right order"? In other words, if my read-only Shorewall configuration says that eth0 is my net1 zone, how can I be sure that eth0 will always be the "first" port on my system (physically)?

I know that perl code can be executed within shorewall configuration files and this may help.
However, I'd like to know if someone already handled this situation or if anyone can give me a hint as to what I can do (or if I'm simply overdoing it).

Thanks,

Vieri

------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises looking to deploy the next generation of Solaris that includes the latest innovations from Sun and the OpenSource community. Download a copy and enjoy capabilities such as Networking, Storage and Virtualization. Go to: http://p.sf.net/sfu/opensolaris-get
Ljubomir Ljubojevic
2009-Jun-04 17:44 UTC
Re: shorewall on a livecd: best approach to detect interfaces
Most likely you are experiencing the feature that binds an ethX interface to a specific NIC. On Red Hat distros, that is the HWADDR row that binds the ethX script to the MAC address of the NIC in question. If you manage to avoid setting (or delete afterwards) that row, you will be able to replace a NIC with another one, but that could mess up all the other NICs.

If you have to replace the motherboard, then it is possible that the NIC numbering is upside down, since NICs can be initialized by PCI slot 1, PCI slot 2, ... or PCI slot 4, PCI slot 3, ...

This will be VERY difficult to achieve. Maybe you should add some writable medium after all, like a CD-RW disk or a Disk-On-Module with a write-protection notch like Transcend's (I think).

Ljubomir
Swapnil Jain
2009-Jun-05 03:46 UTC
Re: shorewall on a livecd: best approach to detect interfaces
As this will be a read-only filesystem you do not have to worry about the changing ethX numbers. It will always be the same as it was while burning the CD.

--------------------------------
Swapnil Jain
Indore, INDIA
-----------------------------------------------
E-mail: swapnil@pisces.net.in
GTalk : swapnil@pisces.net.in
MSN: jswapnil@hotmail.com
Skype : sj1410
YIM : sj1410
-----------------------------------------------
# DO everything over SSH
# ======================
# - SECURE pop3/imap ..... do NOT use pop3/imap
# - use ssh ............. do NOT use ftp/telnet
Ljubomir Ljubojevic
2009-Jun-05 05:49 UTC
Re: shorewall on a livecd: best approach to detect interfaces
Swapnil Jain wrote:
> as this will be a read only filesystem you do not have to worry about
> the changing ethx numbers. it will always be the same as it was while
> burning the cd.

Not quite. If for example you have eth0, eth1 and eth2 configured AND BOUND to their respective NICs (NIC1, NIC2 and NIC3), swapping NIC2 (eth1) will leave alone both eth0 and eth2, but eth1 will not be up until you reconfigure it and save the new settings. With a read-only system, this is impossible unless you avoid binding ethX with the MAC address of the NIC.

Ljubomir
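The thread leaves the read-only case open: Vieri's udev "persistent net rules" map eth* to MAC addresses but cannot be rewritten on the CD, and Ljubomir points out that a swapped card or motherboard changes the MAC or the PCI enumeration order. One way to handle both on read-only media is to stop caring about the ethN numbers altogether: carry a small policy table on the CD, rename the NICs at boot from that table, and have Shorewall's interfaces file refer only to the stable names. The script below is an added example, not code from the thread or from the Shorewall project. The policy-table format, the stable names net1/net2/lan0, and the snapshot of a machine after a card swap are all constructed for the example; the sysfs paths (/sys/class/net/<dev>/address and the device symlink whose basename is the PCI address) are standard.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project.
# On read-only media /etc/udev/rules.d/70-persistent-net.rules cannot be
# rewritten after a card swap, so the CD carries a policy table instead and
# renames NICs at boot, before Shorewall starts. Shorewall's interfaces file
# then refers to the stable names (net1, net2, lan0: assumed names) and
# never needs to change.
#
# Policy table (format invented for this example): one port per line,
#   <stable-name> <mac-or-*> <pci-address-or-*>
# A MAC match wins. The PCI address is the fallback for the case in the
# thread: a card replaced by an identical one in the same slot has a new
# MAC but the same bus address. Stable names must not look like ethN, or a
# rename can collide with a port that has not been renamed yet.
POLICY='
net1 00:11:22:33:44:01 0000:02:00.0
net2 00:11:22:33:44:02 0000:02:01.0
lan0 *                 0000:03:00.0
'

# Constructed snapshot of a box after a swap, in the form snapshot_live
# prints: <kernel-name> <mac> <pci-address>. eth1 is the replacement card
# (new MAC, old slot); eth3 is a port the policy does not claim.
SAMPLE='
eth0 00:11:22:33:44:02 0000:02:01.0
eth1 00:aa:bb:cc:dd:ee 0000:02:00.0
eth2 00:11:22:33:44:99 0000:03:00.0
eth3 00:11:22:33:44:77 0000:04:00.0
'

# Enumerate physical NICs from sysfs (skips lo, bridges and tunnels, which
# have no "device" link). The basename of the resolved device link is the
# PCI address, e.g. 0000:02:00.0.
snapshot_live() {
    for d in /sys/class/net/*; do
        [ -e "$d/device" ] || continue
        printf '%s %s %s\n' "${d##*/}" "$(cat "$d/address")" \
            "$(basename "$(readlink -f "$d/device")")"
    done
}

# plan_renames <policy> <snapshot>: prints one "<kernel-name> <stable-name>"
# line per NIC in snapshot order, "<kernel-name> UNMATCHED" for ports the
# policy does not claim, and "MISSING <stable-name>" for policy entries no
# NIC satisfied. Pass 1 matches by MAC, pass 2 by PCI address.
plan_renames() {
    { printf 'POLICY\n%s\nSNAPSHOT\n%s\n' "$1" "$2"; } | awk '
    /^POLICY$/   { mode = "p"; next }
    /^SNAPSHOT$/ { mode = "s"; next }
    NF == 0      { next }
    mode == "p"  { n++; name[n] = $1; pmac[n] = tolower($2); pslot[n] = $3; next }
    mode == "s"  { m++; dev[m] = $1; smac[m] = tolower($2); sslot[m] = $3; next }
    END {
        for (j = 1; j <= m; j++) for (i = 1; i <= n; i++)
            if (!pu[i] && !su[j] && pmac[i] != "*" && pmac[i] == smac[j]) {
                out[j] = name[i]; pu[i] = 1; su[j] = 1 }
        for (j = 1; j <= m; j++) for (i = 1; i <= n; i++)
            if (!pu[i] && !su[j] && pslot[i] != "*" && pslot[i] == sslot[j]) {
                out[j] = name[i]; pu[i] = 1; su[j] = 1 }
        for (j = 1; j <= m; j++) print dev[j], (su[j] ? out[j] : "UNMATCHED")
        for (i = 1; i <= n; i++) if (!pu[i]) print "MISSING", name[i]
    }'
}

# Rename for real. Refuses to proceed when a policy entry is unsatisfied:
# otherwise the port really carrying that zone's traffic would stay an
# unconfigured ethN that the Shorewall configuration never mentions.
apply_renames() {
    plan=$(plan_renames "$POLICY" "$(snapshot_live)")
    if printf '%s\n' "$plan" | grep -q '^MISSING '; then
        printf 'refusing to rename, policy ports not found:\n%s\n' \
            "$(printf '%s\n' "$plan" | grep '^MISSING ')" >&2
        return 1
    fi
    printf '%s\n' "$plan" | while read -r kern new; do
        [ "$new" = UNMATCHED ] && continue   # unclaimed ports keep their ethN name
        ip link set dev "$kern" down         # the kernel will not rename a running interface
        ip link set dev "$kern" name "$new"
    done
}

case "${1:-}" in
    --apply) apply_renames ;;
    *)       plan_renames "$POLICY" "$SAMPLE" ;;   # dry run on the constructed sample
esac
```

Run without arguments the script prints the plan for the constructed sample (eth0 becomes net2 by MAC, the replacement card eth1 becomes net1 by slot, eth2 becomes lan0 by slot, eth3 is left alone); with --apply it renames the live system and exits non-zero before touching anything if a policy port is absent, which is the place to hook an init script so that Shorewall is only started after a successful rename. The same policy table could equally be rendered into udev NAME= rules on a tmpfs overlay, but renaming with ip link needs nothing beyond the kernel and keeps the decision in one readable place on the CD.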