This may not literally be a Shorewall issue, but I imagine some users of
Shorewall may have had to deal with this question . . . so . . . .

If a network card (most likely the external interface of a firewall) has
more than one IP address, is there any way (in Linux) to assign separate
MAC addresses to the NIC, in such a way that outbound packets will use a
different MAC address depending on which IP address is used?

That is, the firewall's external interface would appear indistinguishable
from a set of two or more machines, each with its own separate NIC.

I know about the "hw ether" option to the "ifconfig" command, and I tried
assigning a separate MAC address to an alias interface via a command like
"ifconfig eth0:0 hw ether 01:23:45:67:89:ab" -- but doing this changed the
MAC address for *everything* going through the network card (the primary
interface plus all alias interfaces), not just for one alias interface.

Right now, I'm doing OK with multiple external IP addresses all using a
single MAC address. However, I've read on the net about people who have
wanted multiple external IP addresses and were told by their ISP that each
IP address absolutely had to have its very own separate and dedicated MAC
address (ISPs obviously not thinking in terms of firewalls, but whatever)
- and I want to be prepared for possible future events in case I move or
change ISPs someday and end up being stuck dealing with an overly rigid
policy like this.

In case it makes a difference, my current firewall is running Ubuntu 8.04
Server (kernel 2.6.24-19).
-- 
Rich Wales === Palo Alto, CA, USA === richw@richw.org
http://www.richw.org === http://en.wikipedia.org/wiki/User:Richwales

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Rich Wales wrote:
> This may not literally be a Shorewall issue,

It has absolutely nothing to do with Shorewall.

-Tom
-- 
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \ -Herbert Spencer
http://shorewall.net \________________________________________________
Rich Wales wrote:
>
> I know about the "hw ether" option to the "ifconfig" command, and I tried
> assigning a separate MAC address to an alias interface via a command like
> "ifconfig eth0:0 hw ether 01:23:45:67:89:ab" -- but doing this changed the
> MAC address for *everything* going through the network card (the primary
> interface plus all alias interfaces), not just for one alias interface.

Please see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html

It is indeed unfortunate that additional addresses on an interface were
ever made to look like additional interfaces -- there is no end to the
confusion that has caused over the years.

With static IP addresses, I suspect that you can do what you want fairly
easily with arptables. But I also suspect that the one-IP/one-MAC
restriction that you are mentioning would only apply to dynamic addresses,
in which case I think that trying to use arptables to accomplish your goal
would be tricky to say the least.

But again, this is quite off-topic for this list...

-Tom
-- 
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \ -Herbert Spencer
http://shorewall.net \________________________________________________
> If a network card (most likely the external interface of a firewall) has
> more than one IP address, is there any way (in Linux) to assign separate
> MAC addresses to the NIC, in such a way that outbound packets will use a
> different MAC address depending on which IP address is used?
>
> That is, the firewall's external interface would appear indistinguishable
> from a set of two or more machines, each with its own separate NIC.
>
> I know about the "hw ether" option to the "ifconfig" command, and I tried
> assigning a separate MAC address to an alias interface via a command like
> "ifconfig eth0:0 hw ether 01:23:45:67:89:ab" -- but doing this changed the
> MAC address for *everything* going through the network card (the primary
> interface plus all alias interfaces), not just for one alias interface.

I currently deal with an ISP that has a "one MAC one IP" policy. I fiddled
around for weeks with the "hw ether" option as you mention, but with
absolutely no success. I finally concluded that the only way I could
*probably* make it work would be to use virtualization and actually run two
virtual machines each with their own separate NIC.

The Shorewall list gets a lot of problem reports from users who are having
problems with XEN. I decided that I did not want to try a solution with
virtualization and eventually found a different solution that did not
require multiple IP addresses. So, I have never tried using virtualization
for this problem, but I think it could work.

--Russel Riley
Russel Riley wrote:
>> If a network card (most likely the external interface of a firewall) has
>> more than one IP address, is there any way (in Linux) to assign separate
>> MAC addresses to the NIC, in such a way that outbound packets will use a
>> different MAC address depending on which IP address is used?
>>
>> That is, the firewall's external interface would appear indistinguishable
>> from a set of two or more machines, each with its own separate NIC.
>>
>> I know about the "hw ether" option to the "ifconfig" command, and I tried
>> assigning a separate MAC address to an alias interface via a command like
>> "ifconfig eth0:0 hw ether 01:23:45:67:89:ab" -- but doing this changed the
>> MAC address for *everything* going through the network card (the primary
>> interface plus all alias interfaces), not just for one alias interface.
>
> I currently deal with an ISP that has a "one MAC one IP" policy. I fiddled
> around for weeks with the "hw ether" option as you mention, but with
> absolutely no success. I finally concluded that the only way I could
> *probably* make it work would be to use virtualization and actually run two
> virtual machines each with their own separate NIC.
>
> The Shorewall list gets a lot of problem reports from users who are having
> problems with XEN. I decided that I did not want to try a solution with
> virtualization and eventually found a different solution that did not
> require multiple IP addresses. So, I have never tried using virtualization
> for this problem, but I think it could work.

Turns out that Rich posted on the netfilter list and got this reply from
Patrick McHardy (Netfilter lead maintainer):

> The macvlan driver allows you to add virtual ethernet devices
> with different mac addresses:
>
> ip link add link eth0 [ name ] type macvlan

-Tom
-- 
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \ -Herbert Spencer
http://shorewall.net \________________________________________________
Tom Eastep wrote:
> Russel Riley wrote:
> Turns out that Rich posted on the netfilter list and got this reply from
> Patrick McHardy (Netfilter lead maintainer):
>
>> The macvlan driver allows you to add virtual ethernet devices
>> with different mac addresses:
>>
>> ip link add link eth0 [ name ] type macvlan
>

ursa:~ # ip link add link wlan0 wlan1 type macvlan
ursa:~ # ip link ls dev wlan1
14: wlan1@wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
    link/ether 4e:af:43:ae:1c:80 brd ff:ff:ff:ff:ff:ff
ursa:~ # ip link ls dev wlan0
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:1a:73:db:8c:35 brd ff:ff:ff:ff:ff:ff
ursa:~ #

-Tom
-- 
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \ -Herbert Spencer
http://shorewall.net \________________________________________________
On October 21, Tom wrote:
>> Turns out that Rich posted on the netfilter list and got this
>> reply from Patrick McHardy (Netfilter lead maintainer):
>>
>>> The macvlan driver allows you to add virtual ethernet devices
>>> with different mac addresses:
>>>
>>> ip link add link eth0 [ name ] type macvlan

Yes. Unfortunately, though, I was not able to get it to work. I also
tried using a combination of macvlan and ebtables, but I couldn't get
my firewall to use the second MAC address for the separate IP address.

For the time being, I'm not working on it and not worrying about it.
Thankfully, my current ISP doesn't care or mind if I use one MAC for
multiple static IPs. If and when this does become a problem for me,
I'll probably try experimenting with Xen (per Russel Riley's idea).

-- 
Rich Wales === Palo Alto, CA, USA === richw@richw.org
http://www.richw.org === http://en.wikipedia.org/wiki/User:Richwales
Tom Eastep wrote:
> Rich Wales wrote:
>> On October 21, Tom wrote:
>>
>>>> Turns out that Rich posted on the netfilter list and got this
>>>> reply from Patrick McHardy (Netfilter lead maintainer):
>>>>
>>>>> The macvlan driver allows you to add virtual ethernet devices
>>>>> with different mac addresses:
>>>>>
>>>>> ip link add link eth0 [ name ] type macvlan
>> Yes. Unfortunately, though, I was not able to get it to work. I also
>> tried using a combination of macvlan and ebtables, but I couldn't get
>> my firewall to use the second MAC address for the separate IP address.
>
> I don't know why it shouldn't have worked for you -- I just tried it and
> had it working in less than 5 minutes, including updating my Shorewall
> config for two net interfaces.

I should add however that this is not a particularly easy feature to use
in general, which could be why Rich thought that it wasn't working. You
have to set up MultiISP with one 'Provider' for each macvlan interface
and then use policy routing to direct traffic out of a particular
interface.

-Tom
-- 
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \ -Herbert Spencer
http://shorewall.net \________________________________________________
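The policy-routing part of what Tom describes above, as an added example that is not from this thread, from Shorewall or from Patrick McHardy: a small POSIX shell script that plans (and, with APPLY=1, runs) the plain iproute2 commands which give each extra public IP its own macvlan device with its own MAC address and its own routing table, so that traffic sourced from that IP leaves through that device rather than through the parent NIC's MAC. This is the hand-rolled equivalent of what Shorewall's MultiISP "providers" support automates. Everything in it is constructed: the parent NIC name eth0, the TEST-NET-3 addresses and gateway, the locally administered MACs, and the macvlan device and routing-table names are arbitrary placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall.
# Plans iproute2 commands that give each public IP its own macvlan device
# (own MAC) and its own routing table, then a policy rule that selects that
# table for packets sourced from that IP. Without APPLY=1 the commands are
# only printed so the plan can be reviewed; with APPLY=1 they are executed
# (root required, and the interface/addresses must be real).

PARENT="${PARENT:-eth0}"           # physical external NIC (assumed name)
GATEWAY="${GATEWAY:-203.0.113.1}"  # ISP gateway (constructed TEST-NET-3 value)

# Emit the five commands for one public address.
#   $1 = macvlan device name, $2 = IP/prefix, $3 = MAC, $4 = routing table number
plan_one() {
    dev=$1; addr=$2; mac=$3; table=$4
    ip=${addr%/*}   # strip the prefix length for the 'from' rule
    cat <<EOF
ip link add link $PARENT name $dev address $mac type macvlan
ip addr add $addr dev $dev
ip link set $dev up
ip route add default via $GATEWAY dev $dev table $table
ip rule add from $ip table $table priority $((1000 + $table))
EOF
}

# Constructed sample: two extra public IPs, each with a locally administered
# unicast MAC (first octet 0x02) and its own table.
#   dev   ip/prefix          mac                table
PLAN='mv1 203.0.113.11/24 02:00:5e:00:01:11 101
mv2 203.0.113.12/24 02:00:5e:00:01:12 102'

# Emit the commands for every entry in PLAN.
plan_all() {
    printf '%s\n' "$PLAN" | while read -r dev addr mac table; do
        [ -n "$dev" ] || continue
        plan_one "$dev" "$addr" "$mac" "$table"
    done
}

# Number of commands planned (five per address); a cheap sanity check.
plan_count() { plan_all | wc -l | tr -d ' '; }

if [ "${APPLY:-0}" = 1 ]; then
    plan_all | while read -r cmd; do echo "+ $cmd"; sh -c "$cmd"; done
else
    plan_all
fi
```

Two caveats a practitioner would want: the 'from' rule only steers packets that are already sourced from the secondary IP (replies to connections that arrived on that macvlan, or local sockets bound to it), so locally originated traffic that is left to pick a source address still goes out the primary device; and the MAC you choose should be a locally administered unicast address (second-lowest bit of the first octet set, lowest bit clear, as in the 02:... values above), since a first octet like 01 has the group bit set and is not a usable unicast source address. For an ISP that hands out one dynamic address per MAC, each macvlan device would also need its own DHCP client, which this script does not cover.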
Tom wrote:
> I should add however that this is not a particularly easy feature to
> use in general, which could be why Rich thought that it wasn't working.
> You have to set up MultiISP with one 'Provider' for each macvlan
> interface and then use policy routing to direct traffic out of a
> particular interface.

Thanks for this info.

In an attempt to avoid having to use the multi-ISP stuff, I tried an
experiment this evening in which I set up Xen on my firewall and created
a domU to handle one of my external IP addresses. The domU was bridged
(using two separate bridges, of course) to both the internal and external
interfaces of the dom0, and Shorewall was used both on the dom0 and the
domU. I tried setting up one machine in my local net with the domU
(instead of the dom0) as its default Internet gateway.

I ran into some bizarre interactions between the two firewalls, however.
When I did outbound connections from the domU to the Internet, the
external IP address of the domU was affected by lines in the "masq" file
on the dom0. And if I set up a machine in my local network to use the
domU as its default router, connections from that local machine through
the domU to the Internet didn't work. (I did a "shorewall dump" on the
domU and looked at the output, and the Conntrack Table showed TCP
connections with SYN_SENT and marked as [UNREPLIED] -- apparently meaning
that the reply packets were being blocked or mangled.) I'm guessing that
the dom0's Shorewall rules did something to mess up traffic coming back
into the domU from the outside.

I also noted that I couldn't connect in either direction between the
domU's external IP address and any of the external IP addresses of my
dom0 ("Destination Host Unreachable" errors when I tried "ping") -- but
even when I fixed that problem by adding some specific host routes, the
domU still would not function as a gateway.

If there's some straightforward thing I could/should do (presumably in
the dom0's rules) to make the domU's traffic pass totally untouched
through the dom0, I imagine I might be able to make this work. If I can
get this to work, it seems appealing, in large part because the rules in
each separate Shorewall configuration would only need to worry about one
external IP address (and the corresponding internal host or hosts).

Or maybe this all means that the multi-ISP method, for all its complex
strangeness, would still be simpler than using Xen and a bunch of domUs.

-- 
Rich Wales === Palo Alto, CA, USA === richw@richw.org
http://www.richw.org === http://en.wikipedia.org/wiki/User:Richwales
Rich Wales wrote:
> In an attempt to avoid having to use the multi-ISP stuff, I tried an
> experiment this evening in which I set up Xen on my firewall and created
> a domU to handle one of my external IP addresses. The domU was bridged
> (using two separate bridges, of course) to both the internal and external
> interfaces of the dom0, and Shorewall was used both on the dom0 and
> the domU. I tried setting up one machine in my local net with the domU
> (instead of the dom0) as its default Internet gateway.
>
> I ran into some bizarre interactions between the two firewalls, however.
> When I did outbound connections from the domU to the Internet, the
> external IP address of the domU was affected by lines in the "masq" file
> on the dom0.

Take a piece of advice: Don't try to run a firewall, especially using
masq, in Dom0. I'm not sure anyone in the world truly understands
networking under Xen, and even Tom himself has effectively said "don't do
it" (in previous threads).

It's possible to use the pci-back driver to hide a PCI device from Dom0
and make it available to a DomU - which is useful to make a network card
appear natively to a firewall 'appliance' running in a DomU. Obviously
this won't work if you want multiple DomUs to share the device.

Where I've got a Xen host that has to be on an accessible network, I've
knocked up some iptables rules to simply block all inbound traffic just
to the Dom0 and ignore (pass) the rest.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
Following up on my postings from last week, where I said:
> In an attempt to avoid having to use the multi-ISP stuff, I tried
> an experiment this evening in which I set up Xen on my firewall
> and created a domU to handle one of my external IP addresses.

I tried running Shorewall both on the dom0 and also on each domU, but I
ran into problems, and Simon Hobson wrote:
> Take a piece of advice: Don't try to run a firewall, especially
> using masq, in Dom0. I'm not sure anyone in the world truly
> understands networking under Xen, and even Tom himself has
> effectively said "don't do it" (in previous threads).

So I rebuilt my experimental system, using Shorewall in each domU, but no
firewalling in the dom0. The internal (LAN) interface is bridged amongst
the domUs and the dom0. The external (Internet) interface is also bridged
amongst the domUs and the dom0, but I assigned a bogus IP address to the
external NIC in the dom0, and the dom0's default route points to one of
the domUs, so no traffic goes out directly to the Internet via the dom0.

This setup appears to work. One advantage (in my environment, with
multiple external IP addresses) is that the Shorewall configuration in
each domU only has to deal with one external IP address, so the
configurations are easier to deal with than when everything was in one
big configuration.

The main failing is that I can no longer have a single default route for
every machine in my LAN. This isn't a showstopper issue, because each
server that has a dedicated external IP address can simply be
reconfigured to use the corresponding domU as its default route, and
everyone else (workstations, laptops, etc.) can use the "default" domU as
their default route. It would still be nice if I could somehow advertise
the dom0 as the default gateway in my LAN, and configure the dom0 in some
way to pass outbound traffic to this or that domU as appropriate, but I
can live without that if necessary.
-- 
Rich Wales === Palo Alto, CA, USA === richw@richw.org
http://www.richw.org === http://en.wikipedia.org/wiki/User:Richwales