Bad Penguin (Guru)
Joined: 18 Aug 2004, Posts: 507
Posted: Fri May 05, 2006 4:27 am, Post subject: Baselayout and firewalling interfaces before they are up
I am curious how people might best handle a situation. I have a home firewall/router with two interfaces, private (eth0) and public (eth1). The public interface gets a dynamic IP address via DHCP from a cable modem. I need to be able to use the actual dynamic IP address in my firewall init script, but of course won't know it until dhcpcd has completed its negotiations. But I don't want the interface to be unprotected before it gets the IP address and/or before my firewall script is run. Iptables can filter interfaces before they exist, so I know that is not an issue.

My question is this: where would the best place be to lock the interface down before it runs dhcpcd? In the net preup() function? In a separate init script that runs before the net.* and firewall init scripts? How do other people handle this situation?
UberLord (Retired Dev)
Joined: 18 Sep 2003, Posts: 6835, Location: Blighty
Bad Penguin (Guru)
Joined: 18 Aug 2004, Posts: 507
Posted: Fri May 05, 2006 3:21 pm
> UberLord wrote:
> In a separate init script in the boot runlevel that has this dependency
>
> ```sh
> depend() {
>     before net
> }
> ```
>
> With baselayout-1.12 it's then guaranteed to start before any net stuff, including lo :)

Thanks Uber, I will give that a try. I assume that the "real" firewall init script would then need:

```sh
depend() {
    after net
}
```
nevynxxx (Veteran)
Joined: 12 Nov 2003, Posts: 1123, Location: Manchester - UK
Posted: Fri May 05, 2006 4:06 pm, Post subject: Re: Baselayout and firewalling interfaces before they are up
> Bad Penguin wrote:
> I need to be able to use the actual dynamic IP address in my firewall init script

Out of interest... why?

I have exactly the same set-up and do all the filtering I could want or need using just the interfaces.

What does the actual IP matter? Or rather, at what point is the actual IP something distinguishable from the interface name?

My Public Key
Wanted: Instructor in the art of Bowyery
Bad Penguin (Guru)
Joined: 18 Aug 2004, Posts: 507
Posted: Fri May 05, 2006 4:15 pm, Post subject: Re: Baselayout and firewalling interfaces before they are up
> nevynxxx wrote:
> > Bad Penguin wrote:
> > I need to be able to use the actual dynamic IP address in my firewall init script
>
> Out of interest... why?
> I have exactly the same set-up and do all the filtering I could want or need using just the interfaces.
> What does the actual IP matter? Or rather, at what point is the actual IP something distinguishable from the interface name?

I am anal and don't want my firewall considering packets destined for any address other than the actual address it has been assigned on the public interface. I do a lot of port forwarding and feel that specifying the address and port is safer than applying rules by interface/port.
nevynxxx (Veteran)
Joined: 12 Nov 2003, Posts: 1123, Location: Manchester - UK
Posted: Mon May 08, 2006 11:20 am
Then get a static IP?

Seriously, if it is not aimed at the correct IP anyway the network stack will ignore it. Or better still, put a switch between the internet and the interface, then the switch will do that filtering for you.

You are making something a whole load more difficult by "being anal", and when it comes to iptables, or security in general, more difficult = less secure.

My Public Key
Wanted: Instructor in the art of Bowyery
Bad Penguin (Guru)
Joined: 18 Aug 2004, Posts: 507
Posted: Mon May 08, 2006 1:37 pm
> nevynxxx wrote:
> Then get a static IP?
> Seriously, if it is not aimed at the correct IP anyway the network stack will ignore it. Or better still, put a switch between the internet and the interface, then the switch will do that filtering for you.
> You are making something a whole load more difficult by "being anal", and when it comes to iptables, or security in general, more difficult = less secure.

Well, no, as a matter of fact it won't ignore broadcast/multicast/unicast. Instead of accounting for every packet type known to man, it is easier and cleaner to:

```sh
$IPT -A INPUT -i $EXT_IF -d ! $EXT_IP -j DROP
```

Comcast also sends traffic from its internal networks (10.0.0.0) over that interface. Instead of filtering ingress traffic from all three private networks, the same rule applies. So I'm lazy: instead of inserting 4 rules into the tables, I prefer 1 rule that takes care of all of it ;)
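As an added example (not code from the thread or from baselayout), here are the two halves the thread settles on, the "before net" lockdown and the "after net" firewall that uses the leased address, written as shell functions that only print the iptables commands so they can be tried without root. The interface name, the sample `ip addr` output and the extra DHCP-renewal rule are my assumptions.

```shell
#!/bin/sh
# Constructed example, not code from the thread. Both halves of the approach
# are functions that only PRINT iptables commands, so this runs without root;
# pipe the output to sh as root to apply it for real.
IPT=iptables

# Half 1: the boot-runlevel script with "depend() { before net; }". Only the
# interface name is known, so everything arriving on it is dropped except
# the DHCP reply dhcpcd is about to wait for.
lockdown_rules() {
    ext_if=$1
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -A INPUT -i $ext_if -p udp --sport 67 --dport 68 -j ACCEPT"
    echo "$IPT -A INPUT -i $ext_if -j DROP"
}

# Pull the first IPv4 address out of "ip -4 addr show dev <if>" output read
# from stdin (so the constructed sample below can stand in for a real lease).
ext_ip_from_ip_addr() {
    sed -n 's/^[[:space:]]*inet \([0-9.]*\)\/.*/\1/p' | head -n 1
}

# Half 2: the firewall script with "depend() { after net; }". The INPUT
# policy is still DROP from half 1, so flushing leaves no open window.
# DHCP renewals are accepted BEFORE the "! -d" rule: a rebind reply may be
# broadcast, and the single rule from the thread would otherwise drop it.
firewall_rules() {
    ext_if=$1; ext_ip=$2
    echo "$IPT -F INPUT"
    echo "$IPT -A INPUT -i $ext_if -p udp --sport 67 --dport 68 -j ACCEPT"
    echo "$IPT -A INPUT -i $ext_if ! -d $ext_ip -j DROP"
    echo "$IPT -A INPUT -i $ext_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A INPUT -i $ext_if -j DROP"
}

# Constructed sample of "ip -4 addr show dev eth1" (documentation address).
SAMPLE_IP_ADDR='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 203.0.113.45/22 brd 203.0.113.255 scope global dynamic eth1
       valid_lft 86234sec preferred_lft 86234sec'

main() {
    lockdown_rules eth1
    ext_ip=$(printf '%s\n' "$SAMPLE_IP_ADDR" | ext_ip_from_ip_addr)
    firewall_rules eth1 "$ext_ip"
}
main
```

In a real init script the address would come from `ip -4 addr show dev eth1 | ext_ip_from_ip_addr` instead of the embedded sample.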