Joseph L. Casale
2008-Apr-22 05:47 UTC
Interface w/o IP (was Treatment of an Interface with no assigned IP address.)
>> What do I do about eth0 in the shorewall configuration ?
>
> Nothing.
>
> -Tom

Tom, I hate to hijack the OP's thread but I was literally about to post regarding the same topic. Is it the most secure way in the situation where I have a physical NIC connected to a DSL modem, and have created a bridge where multiple virtual interfaces each collect a dynamic IP? I understood that assigning it an IP of 0.0.0.0 was the best bet, but reading this thread makes me think it should not have an IP at all?

Thanks!
jlc

Ps. Is the line wrap better?

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
Prasanna Krishnamoorthy
2008-Apr-22 05:52 UTC
Re: Interface w/o IP (was Treatment of an Interface with no assigned IP address.)
On Tue, Apr 22, 2008 at 11:17 AM, Joseph L. Casale <jcasale@activenetwerx.com> wrote:
> >> What do I do about eth0 in the shorewall configuration ?
> >
> > Nothing.
> >
> > -Tom
>
> Tom, I hate to hijack the OP's thread but I was literally about to post regarding the same topic. Is it the most secure way in the situation where I have a physical NIC connected to a DSL modem, and have created a bridge where multiple virtual interfaces each collect a dynamic IP? I understood that assigning it an IP of 0.0.0.0 was the best bet, but reading this thread makes me think it should not have an IP at all?

If you need to access the ADSL modem from your LAN, you need to give eth0 an IP in the same range as the ADSL modem's LAN IP and you can put eth0 in the WAN zone I guess.

> Ps. Is the line wrap better?

No :-).

Prasanna
--
www.elinanetworks.com
Seamless, secure delivery of applications.
Joseph L. Casale
2008-Apr-22 05:59 UTC
Re: Interface w/o IP (was Treatment of an Interface with no assigned IP address.)
> If you need to access the ADSL modem from your LAN, you need to give
> eth0 an IP in the same range as the ADSL modem's LAN IP and you can
> put eth0 in the WAN zone I guess.

Well, it's more complicated than that :) I don't want any connectivity from the host creating the bridge, Shorewall will run individually on each guest's virtual interface that is in the bridge (using xen).

Thanks,
jlc
Prasanna Krishnamoorthy
2008-Apr-22 06:29 UTC
Re: Interface w/o IP (was Treatment of an Interface with no assigned IP address.)
On Tue, Apr 22, 2008 at 11:29 AM, Joseph L. Casale <jcasale@activenetwerx.com> wrote:
> > If you need to access the ADSL modem from your LAN, you need to give
> > eth0 an IP in the same range as the ADSL modem's LAN IP and you can
> > put eth0 in the WAN zone I guess.
>
> Well, it's more complicated than that :) I don't want any connectivity from the
> host creating the bridge, Shorewall will run individually on each guest's virtual
> interface that is in the bridge (using xen).

Cross-talk, I thought I was answering the other query :D.

We've done something similar, just assign no IP to the bridge interface. Make sure there are no routes on to that interface.

You'd get almost the same effect if you assign an IP and block all traffic to the fw from that interface - and you need to reach the ADSL modem somehow? Or will you be reaching the modem from one of the guests?

Prasanna.
--
www.elinanetworks.com
Seamless, secure delivery of applications.
Joseph L. Casale
2008-Apr-22 13:19 UTC
Re: Interface w/o IP (was Treatment of an Interface with no assigned IP address.)
> We've done something similar, just assign no IP to the bridge
> interface. Make sure there are no routes on to that interface.
>
> You'd get almost the same effect if you assign an IP and block all
> traffic to the fw from that interface - and you need to reach the ADSL
> modem somehow? Or will you be reaching the modem from one of the
> guests?
>
> Prasanna.

Hi,

Ok, so I can leave out the statement that sets the IP. How do I make sure there won't be any routes to it? Without an IP, how could it have a route (to what?)? Some guests will have NICs in the bridge that will be set to DHCP and those will acquire the available leased IPs from the ISP.

Thanks!
jlc
Tom Eastep
2008-Apr-22 14:34 UTC
Re: Interface w/o IP (was Treatment of an Interface with no assigned IP address.)
Joseph L. Casale wrote:
> Tom, I hate to hijack the OP's thread but I was literally about to
> post regarding the same topic. Is it the most secure way in the
> situation where I have a physical NIC connected to a DSL modem,
> and have created a bridge where multiple virtual interfaces each
> collect a dynamic IP? I understood that assigning it an IP of 0.0.0.0
> was the best bet, but reading this thread makes me think it should not
> have an IP at all?

Bridges and Ethernet adapters are two different things. An Ethernet adapter used for PPPoE need not be configured with an IP address (unless you want access to the inbuilt web server, as someone pointed out in a later post). If it has no IP address, then it need not be defined to Shorewall.

Bridges usually need to be defined to Shorewall even if they aren't given an IP address. That is because vendor kernels typically support Netfilter/bridge interaction so traffic going through the bridge is passed through Netfilter. I usually assign them to a zone by themselves and set up policies to disallow traffic to/from the bridge zone and the other zones. The implicit intra-zone policy of ACCEPT allows traffic to go through the bridge.

> Ps. Is the line wrap better?

No.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
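The two pieces of advice above (Prasanna's "no IP and no routes on the bridge", and Tom's "bridge alone in its own zone, DROP to and from every other zone, implicit intra-zone ACCEPT carries bridged traffic") as one added example; this is not code from the thread or from the Shorewall project. The bridge name xenbr0, the zone name brz and the `routeback` option on the bridge interface are assumptions, and the sample `ip` output in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: verify a bridge is truly unaddressed
# and emit the Shorewall fragments for Tom's "bridge zone by itself" layout.
# Assumptions: bridge is xenbr0, zone is brz, Shorewall 4.x file layout.

# Return 0 when both the `ip -o -4 addr show dev IF` output and the
# `ip -4 route show dev IF` output are empty. A route can sit on an
# interface that has no address at all (e.g. a prefix added by hand with
# `ip route add ... dev IF`), which is why both outputs are inspected
# rather than just the address list.
bridge_is_isolated() {
    addr_out=$(printf '%s' "$1" | tr -d '[:space:]')
    route_out=$(printf '%s' "$2" | tr -d '[:space:]')
    [ -z "$addr_out" ] && [ -z "$route_out" ]
}

# Read-only live check, to be run on the Dom0 that owns the bridge.
check_live_bridge() {
    bridge_is_isolated "$(ip -o -4 addr show dev "$1" 2>/dev/null)" \
                       "$(ip -4 route show dev "$1" 2>/dev/null)"
}

# Shorewall fragments: brz holds only the bridge; brz<->other zones is
# DROPped, and the implicit intra-zone ACCEPT lets frames cross the bridge.
# routeback (assumption) is needed because bridged traffic enters and
# leaves Netfilter on the same interface.
shorewall_bridge_policy() {
    cat <<'EOF'
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
loc     ipv4
brz     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth1        detect
brz     xenbr0      -           routeback

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOG_LEVEL
brz     all     DROP    info
all     brz     DROP    info
all     all     REJECT  info
EOF
}
```

Note that an IPv6-enabled kernel still gives the bridge a link-local fe80:: address automatically; if that matters, check `ip -6 addr` as well or disable IPv6 on the bridge.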
Joseph L. Casale
2008-Apr-22 18:14 UTC
Re: Interface w/o IP (was Treatment of an Interface with no assigned IP address.)
> Bridges usually need to be defined to Shorewall even if they aren't given an
> IP address. That is because vendor kernels typically support
> Netfilter/bridge interaction so traffic going through the bridge is passed
> through Netfilter. I usually assign them to a zone by themselves and set up
> policies to disallow traffic to/from the bridge zone and the other zones.
> The implicit intra-zone policy of ACCEPT allows traffic to go through the
> bridge.

Tom,

It looks like I need to shift forums as my question is no longer Shorewall specific, as Shorewall won't be running in Dom0. Currently in my tests, I have a CentOS DomU running very well with Shorewall but it has its red NIC passed through so it's very secure. In my final implementation I will have more than one Shorewall DomU and will not pass the NICs in. I will research Netfilter and hopefully come up with a grasp on all that happens to the NIC in Dom0 even if it does not have an IP, as I need to make sure it's secure.

Thanks for the guidance.
jlc