
[cobalt-users] Firewalls and virtual ethernet interfaces WAS: Firewall/IPChains w/ IPADDR Rule



How do you configure a firewall for machines using virtual ethernet
interfaces? 

Is it possible to allow incoming traffic on a firewall for more than one
ethernet interface (virtual) on one single machine, like eth0 and eth0:0? This
is how Cobalts configure each IP in /etc/sysconfig/network-scripts/. So when
configuring your firewall, if you only use your main IP for IPADDR in the
rules, you lock everything up. I've been getting around this by using "any/0"
as IPADDR, but I'd like to restrict it to just the IPs (ethernets) on the
system.

The only thing I can figure is the way the ruleset is configured for just one
ethernet (eth0): when the firewall is enabled it's monitoring just the main
IP on eth0. But when you try to go to any of the other IPs on the machine
(virtual sites), it's not seeing the virtual ethernets as eth0:0 / eth0:1 /
eth0:2 etc.

Am I way off base here or on the right track? 

I installed the PMFirewall scripts at http://www.pmfirewall.com as suggested
(great program), but it delivered the same results when the firewall was run.
PMFirewall even pulls all the network settings and main IP into the script
<auto> when you first set things up. But again, since it's only the main IP,
none of the other virtual sites on the machine were viewable when the firewall
went up.

There has to be a definitive answer to this riddle, virtual host or not.

What are the best settings for IPADDR or EXTERNAL_INTERFACE for RaQ(3)
systems?

EXTERNAL_INTERFACE="eth0"
IPADDR="xxx.xxx.."           # your IP address
ANYWHERE="any/0"             # match any IP address

Currently this is what I'm using, but I think there's a better way. Am I
wrong?

EXTERNAL_INTERFACE="eth0"
IPADDR="any/0"               # your IP address
ANYWHERE="any/0"             # match any IP address

Thanks!
David


____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1
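An added example, not from the original post and not PMFirewall's own code, showing the usual way out of the IPADDR problem described above: an alias such as eth0:0 is only a label on the physical device, so the packet filter sees every packet as arriving on eth0, and a rule that matches -i eth0 together with -d &lt;one address&gt; only ever covers the primary address. Generating one ipchains ACCEPT rule per address bound to eth0 (the primary plus every alias) keeps the rules tighter than "any/0" while still reaching the virtual sites. The script assumes Linux 2.2 ipchains syntax (as on a RaQ3), that each Cobalt ifcfg-eth0 / ifcfg-eth0:N file carries one IPADDR= line, and uses a constructed sample directory with documentation addresses so it runs offline; DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not part of the original post or of PMFirewall).
# Build ipchains input rules that accept selected TCP ports for EVERY
# address bound to eth0, including the eth0:0, eth0:1 ... aliases that
# Cobalt creates for virtual sites.
# Assumed layout: /etc/sysconfig/network-scripts/ifcfg-eth0 and
# ifcfg-eth0:N, one IPADDR= line each (Cobalt convention).

EXTERNAL_INTERFACE="eth0"
SERVICE_PORTS="22 25 80 443"
DRY_RUN="${DRY_RUN:-1}"

# Print every IPADDR value found in ifcfg-eth0 and ifcfg-eth0:* under dir $1.
collect_ips() {
    for f in "$1/ifcfg-$EXTERNAL_INTERFACE" "$1/ifcfg-$EXTERNAL_INTERFACE":*; do
        [ -f "$f" ] || continue
        sed -n 's/^IPADDR=//p' "$f" | tr -d '"'
    done
}

# Emit one ACCEPT rule per (address, port) pair.  The interface match stays
# on the physical device: packets to an alias address still arrive on eth0,
# so "-i eth0:0" would never match.  The -d match is what restricts the rule
# to the machine's own addresses instead of any/0.
gen_rules() {
    for ip in $1; do
        for port in $2; do
            echo "ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -d $ip $port -j ACCEPT"
        done
    done
}

# Print (DRY_RUN=1) or apply the full input chain: flush, accept loopback,
# accept the generated rules, then deny everything else by policy.
apply_rules() {
    rules=$(gen_rules "$1" "$2")
    script=$(printf '%s\n%s\n%s\n%s\n' \
        "ipchains -F input" \
        "ipchains -A input -i lo -j ACCEPT" \
        "$rules" \
        "ipchains -P input DENY")
    if [ "$DRY_RUN" = 1 ]; then
        echo "$script"
    else
        echo "$script" | sh
    fi
}

# Constructed sample config (RFC 5737 documentation addresses, not real
# hosts) so the script can be run and inspected offline.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'DEVICE=eth0\nIPADDR=192.0.2.10\n' > "$d/ifcfg-eth0"
    printf 'DEVICE=eth0:0\nIPADDR=192.0.2.11\n' > "$d/ifcfg-eth0:0"
    printf 'DEVICE=eth0:1\nIPADDR="192.0.2.12"\n' > "$d/ifcfg-eth0:1"
    echo "$d"
}

SAMPLE_DIR=$(make_sample_dir)
ALL_IPS=$(collect_ips "$SAMPLE_DIR")
apply_rules "$ALL_IPS" "$SERVICE_PORTS"
```

On a real RaQ, point collect_ips at /etc/sysconfig/network-scripts instead of the sample directory; since the firewall is stateless, add whatever return-traffic rules (for example TCP with the SYN flag clear, using ipchains' "! -y") your outbound services need before setting the DENY policy, or you will cut off replies as well as unwanted connections.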