dman777, Veteran (joined 10 Jan 2007, 1004 posts)
Posted: Wed Nov 02, 2011 12:40 pm
Post subject: /etc/conf.d/net - how not to bring up devices in promisc?

/etc/conf.d/net config_tap0 and config_eth0 bring up my devices in promiscuous mode. What is the config option to stop this?

Hu, Administrator (joined 06 Mar 2007, 23062 posts)
Posted: Thu Nov 03, 2011 2:10 am

What is the output of /sbin/ip link ; cat -n /etc/conf.d/net?

dman777, Veteran (joined 10 Jan 2007, 1004 posts)
Posted: Fri Nov 04, 2011 4:45 pm

localhost three # cat hate
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
link/ether 00:xx:1e:xx:xx:xx brd xf:xf:ff:ff:ff:ff
3: tap0: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast master br0 state DOWN qlen 500
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
1 # This blank configuration will automatically use DHCP for any net.*
2 # scripts in /etc/init.d. To create a more complete configuration,
3 # please review /etc/conf.d/net.example and save your configuration
4 # in /etc/conf.d/net (this file :]!).
5 #config_eth0=( "192.168.x.x/24" )
6 #routes_eth0=( "default via 192.168.x.x")
7
8
9
10 rc_need_br0="net.eth0 net.tap0"
11 rc_net_lo_provide="!net"
12 rc_net_tap0_provide="!net"
13 rc_net_eth0_provide="!net"
14
15 config_eth0=( "null" )
16 tunctl_tap0=( "-u kvmuser" )
17 config_tap0=( "null" )
18 tuntap_tap0=( "tap" )
19 mac_tap0=( "xxxxxxxxxxxx" )
20
21 bridge_br0=( "eth0 tap0" )
22 config_br0=( "192.168.xx.xx/24" )
23 routes_br0=( "default via 192.168.xx.xx" )
24
25
26
27
I x'd out the MAC addresses and IP addresses... I hope you don't mind. I always feel funny posting that kind of stuff in public.

krinn, Watchman (joined 02 May 2003, 7470 posts)
Posted: Fri Nov 04, 2011 6:55 pm

You must use promiscuous mode to bridge the devices; this should answer how to stop it, but I doubt you will do that.
And there's no point in hiding a 192.168.* IP class, they are just private network IPs, no big deal giving that info; you might not give your internet IP for security of course, but a private network IP is useless.
Anyone receiving a packet from you will also get your MAC address, and you can easily change it too, also not a real issue.
Just to save you from xxxxxx a lot next time.

dman777, Veteran (joined 10 Jan 2007, 1004 posts)
Posted: Sat Nov 05, 2011 12:59 am

krinn wrote:
    You must use promiscuous mode to bridge the devices...
I used to think this also, but it is not so. When I bring up the network manually...
Code:
brctl addbr br0
tunctl -u user -t tap0
ifconfig eth0 up
ifconfig tap0 up
brctl addif br0 eth0
brctl addif br0 tap0
ifconfig br0 192.168.xx.xx netmask 255.255.255.0 up
route add default gw 192.168.xx.xx
localhost three #
The devices do not come up in promisc mode...
Code:
localhost three # ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
link/ether xxxx
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether xxx
4: tap0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master br0 state DOWN qlen 500
link/ether xxxx
localhost three #
Plus, if I remember correctly....when asking on the #netfilter they stated that since the linux bridge works on level 2 the devices do not need to be in promisc mode.
The bridge I use in this current non promisc mode works fine and my kvm guests on it have no problem communicating.
Is there some way to defeat the promisc mode when bringing it up through openrc?
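A way to audit which interfaces ended up promiscuous and which bridge they are enslaved to, so the openrc and manual bring-ups can be compared the same way the two `ip link` listings in this thread are. This is an added example, not code from the thread; the sample `ip link` text is constructed to match the shape of the one posted above (MACs are made up), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: audit which interfaces are in
# promiscuous mode and which bridge they are enslaved to, both from
# `ip link` text and from the kernel's /sys flags bitmask.

# Constructed sample of `ip link` output, shaped like the one posted
# after bringing the bridge up with openrc (MACs are made up).
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: tap0: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast master br0 state DOWN qlen 500
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

# Read `ip link` text on stdin; for every interface line print
# "<name> <master or -> <yes|no>", the last column being whether
# PROMISC appears in the <...> flag list.
report_promisc() {
    awk '/^[0-9]+: / {
        name = $2; sub(/:$/, "", name)
        master = "-"
        for (i = 4; i < NF; i++) if ($i == "master") master = $(i + 1)
        p = ($3 ~ /[<,]PROMISC[,>]/) ? "yes" : "no"
        print name, master, p
    }'
}

# Same input; print only the names of promiscuous interfaces.
promisc_from_ip_link() {
    report_promisc | awk '$3 == "yes" { print $1 }'
}

# Kernel view: /sys/class/net/<dev>/flags is a hex bitmask of the
# net_device flags, and IFF_PROMISC is 0x100. Succeeds if the bit is set.
promisc_bit_set() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Check a live interface via sysfs, e.g. `is_promisc_sysfs eth0`.
is_promisc_sysfs() {
    flags=$(cat "/sys/class/net/$1/flags" 2>/dev/null) || return 2
    promisc_bit_set "$flags"
}

# Demo on the constructed sample: eth0 and tap0 (the br0 ports) are
# promiscuous, br0 itself and lo are not.
printf '%s\n' "$SAMPLE_IP_LINK" | report_promisc
```

Run `ip link | report_promisc` on the live box after each bring-up method to see the difference directly, and `is_promisc_sysfs eth0` to confirm it against the kernel's own flag rather than the tool's rendering.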

Hu, Administrator (joined 06 Mar 2007, 23062 posts)
Posted: Sat Nov 05, 2011 1:21 am

krinn wrote:
    Anyone receiving a packet from you will also get your MAC address, and you can easily change it too, also not a real issue.
This is true only in a very strict sense, which I doubt most people would catch. The MAC address is placed in the packet sent on the wire, but the first gateway to forward the packet will send it out with the MAC address of the gateway. Therefore, the party to which you sent the packet (the gateway) gets your MAC address, but any machine farther away, such as almost all public sites, will not receive your MAC address.

dman777, Veteran (joined 10 Jan 2007, 1004 posts)
Posted: Sat Nov 05, 2011 3:22 am

Hu wrote:
    krinn wrote:
        Anyone receiving a packet from you will also get your MAC address, and you can easily change it too, also not a real issue.
    This is true only in a very strict sense, which I doubt most people would catch. The MAC address is placed in the packet sent on the wire, but the first gateway to forward the packet will send it out with the MAC address of the gateway. Therefore, the party to which you sent the packet (the gateway) gets your MAC address, but any machine farther away, such as almost all public sites, will not receive your MAC address.
If I may ask, what is your opinion about the devices not being in promisc mode when I manually bring up the bridge, but when I do it in openrc they are in promisc mode?

Hu, Administrator (joined 06 Mar 2007, 23062 posts)
Posted: Sat Nov 05, 2011 3:48 am

dman777 wrote:
    If I may ask, what is your opinion about the devices not being in promisc mode when I manually bring up the bridge, but when I do it in openrc they are in promisc mode?
I have always seen bridges implemented with promiscuous devices. Is there a particular reason you care whether the device is promiscuous?

dman777, Veteran (joined 10 Jan 2007, 1004 posts)
Posted: Sat Nov 05, 2011 6:03 am

Yes, if a bridge can operate in non-promisc mode then you have double-layered protection. I would rather the packet be dropped at the lower level by the virtual device in the bridge code before it reaches the firewall of the intended receiving host. Plus, with br0 in promisc mode, and all devices on the bridge in promisc mode because of openrc, all devices on that host will receive all packets. If that can be avoided, so much the better.