LinuxQuestions.org


winxandlinx 12-01-2009 01:14 AM

Limitations of using sub-interfaces
 
Hi All

I would like to know the limitations of using a sub-interface
rather than going for physical interfaces every time in the firewall.
I think there could be some more limitations or drawbacks of using sub-interfaces?

Sharing your thoughts on this would be really appreciated.

Thank you

kbp 12-02-2009 01:34 AM

If you're talking about using subifs on a firewall, there wouldn't be much point unless you were doing VLAN tagging. Make sure the switch you're connecting to can do dot1q.

So to answer your q, no, I can't think of any drawbacks

cheers

unixfool 12-02-2009 07:51 AM

sub-interfaces? I've never heard of that term before.

Do you mean dual-homed interfaces, like this?:

Code:

eth0      Link encap:Ethernet  HWaddr FE:FD:40:3E:E7:DC 
          inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.xxx  Mask:xxx.xxx.xxx.xxx
          inet6 addr: fe80::fcfd:40ff:fe3e:e7dc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2369354 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3837732 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:191008947 (182.1 MiB)  TX bytes:302470819 (288.4 MiB)
          Interrupt:5

eth0:2    Link encap:Ethernet  HWaddr FE:FD:40:3E:E7:DC 
          inet addr:yyy.yyy.yyy.yyy  Bcast:yyy.yyy.yyy.yyy  Mask:yyy.yyy.yyy.yyy
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:5


slimm609 12-02-2009 08:42 AM

Quote:

Originally Posted by unixfool (Post 3777064)
sub-interfaces? I've never heard of that term before.

Do you mean dual-homed interfaces, like this?:

Code:

eth0      Link encap:Ethernet  HWaddr FE:FD:40:3E:E7:DC 
          inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.xxx  Mask:xxx.xxx.xxx.xxx
          inet6 addr: fe80::fcfd:40ff:fe3e:e7dc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2369354 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3837732 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:191008947 (182.1 MiB)  TX bytes:302470819 (288.4 MiB)
          Interrupt:5

eth0:2    Link encap:Ethernet  HWaddr FE:FD:40:3E:E7:DC 
          inet addr:yyy.yyy.yyy.yyy  Bcast:yyy.yyy.yyy.yyy  Mask:yyy.yyy.yyy.yyy
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:5


Yes unixfool, that is what he is talking about. It is actually a sub-interface. eth0 is the interface and eth0:2 is a sub-interface of eth0.

There are some possible problems that can come into play.

As said above, you have to use 802.1q VLAN tagging for it to be useful at all. And with trunking you have some other things to worry about, like VLAN hopping, native-VLAN restrictions, etc.

What is the reason that you would want to do a firewall with sub-interfaces? Without trunking, the addresses would have to be on the same network, and if that is the case then they can just bypass the firewall altogether.
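A defender's check for the distinction made above, as an added example that is not part of the thread: it classifies each address from `ip -o -4 addr show` output as either a plain alias like eth0:2 (shares the parent NIC's untagged segment, so it gives no L2 separation) or an 802.1Q VLAN child like eth0.10@eth0 (its own tagged segment, which only works if the switch port trunks dot1q). The sample output is constructed and trimmed of the trailing valid_lft fields.

```sh
#!/bin/sh
# Constructed sample of `ip -o -4 addr show` output (not captured from the
# thread); real output carries extra "valid_lft ..." fields after the label.
SAMPLE_ADDRS='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
2: eth0    inet 198.51.100.10/24 brd 198.51.100.255 scope global secondary eth0:2
3: eth0.10@eth0    inet 10.10.0.1/24 brd 10.10.0.255 scope global eth0.10'

# classify_addrs reads `ip -o -4 addr show` lines on stdin and prints one
# verdict per address. Field layout: $2 is the device, $4 the address/prefix,
# and the last field is the address label (eth0, eth0:2, eth0.10, ...).
classify_addrs() {
    awk '{
        dev = $2; addr = $4; label = $NF
        if (index(dev, "@") > 0) {
            # eth0.10@eth0: VLAN child; the parent NIC follows the "@"
            split(dev, parts, "@")
            printf "%s %s VLAN-tagged child of %s: separate L2 segment (switch port must trunk dot1q)\n", label, addr, parts[2]
        } else if (index(label, ":") > 0) {
            # eth0:2 style alias: second subnet on the same untagged wire,
            # so hosts on that wire can reach it without crossing the firewall
            printf "%s %s alias on %s: same untagged segment, no L2 separation\n", label, addr, dev
        } else {
            printf "%s %s primary address on %s\n", label, addr, dev
        }
    }'
}

# count_unseparated returns how many aliases share an untagged segment;
# anything above zero is worth a second look on a firewall.
count_unseparated() {
    printf '%s\n' "$SAMPLE_ADDRS" | classify_addrs | grep -c 'same untagged segment'
}

# count_tagged returns how many addresses sit on real VLAN children.
count_tagged() {
    printf '%s\n' "$SAMPLE_ADDRS" | classify_addrs | grep -c 'VLAN-tagged child'
}

printf '%s\n' "$SAMPLE_ADDRS" | classify_addrs
```

On a live box, replace the embedded sample with `ip -o -4 addr show | classify_addrs`.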

unixfool 12-02-2009 09:42 AM

These types of interfaces usually don't play well with accepted security practices and procedure, in my experience. I've seen sub-interfaces being used to alleviate network issues and other problems, but from the security standpoint, it complicates things.

For instance, on my virtual server box (Linode.com), I wanted a dedicated interface so that I could permanently run a dedicated sniffer. Typically, dedicated sniffers should use interfaces with no IP assigned (this is part of bastion processing), but I found that the colo could only give me a sub-interface that was tied to an additional IP, and one can't establish a sub-interface without an IP.

An additional issue that was discovered: when sniffing (or pinging, or anything else network-related), the sub-interface was still basically utilizing the real-life hardware interface that was pretty much already dedicated. This defeats the purpose of bastion hardening, IMO.

Maybe some of slimm609's network-fu above would've alleviated my issues but I've no direct control over the hosting provider's network, so that info probably wouldn't have helped me anyway.

Linode.com uses UML/Xen so that's the price I pay for not using dedicated hardware, but I just wanted to point out a few limitations.

It would help if you explained your needs, though.

winxandlinx 12-04-2009 12:42 AM

Thanks to all you folks, and a big sorry for the delay in responding from my side.
