Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I would like to know the limitations of using a sub-interface
rather than going for physical interfaces every time in the firewall.
I think there could be some more limitations or drawbacks of using sub-interfaces?
Sharing your thoughts on this would be really appreciated.
Yes, unixfool, that is what he is talking about. It is actually a sub-interface. eth0 is the interface and eth0:2 is a sub-interface of eth0.
There are some possible problems that can come into play.
As said above, you have to use 802.1q VLAN tagging for it to be useful at all. And with trunking you have some other things to worry about, like VLAN hopping, native-VLAN restrictions, etc.
What is the reason that you would want to do a firewall with sub-interfaces? Without trunking, the addresses would have to be on the same network, and if that is the case then they can just bypass the firewall altogether.
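The tagged set-up slimm609 describes, as an added example that is not from this thread: 802.1q sub-interfaces (eth0.10, eth0.20) each get their own broadcast domain, so traffic between the two segments has to cross the firewall, whereas an eth0:2 alias just adds a second address on the same segment. The parent name eth0, the VLAN IDs, the address ranges and the nftables policy are assumptions; the script only echoes the commands unless RUN is set to empty.

```shell
#!/bin/sh
# Added example, not from the thread: 802.1q VLAN sub-interfaces on a Linux
# firewall instead of eth0:2-style IP aliases. eth0, VLAN IDs 10/20 and the
# 10.10.0.0/24 and 10.20.0.0/24 ranges are assumed values for illustration.
# Dry run by default; RUN= executes for real (needs root and 802.1q support).
set -eu
RUN=${RUN:-echo}

# Name of the tagged sub-interface for a parent and VLAN ID (eth0 + 10 -> eth0.10).
vlan_ifname() { printf '%s.%s\n' "$1" "$2"; }

# Classify a name: "alias" (eth0:2, shares the parent's broadcast domain, so no
# separation) or "vlan" (eth0.10, tagged, its own broadcast domain).
if_kind() {
    case "$1" in
        *:*) echo alias ;;
        *.*) echo vlan ;;
        *)   echo physical ;;
    esac
}

# Create a tagged sub-interface. VLAN 1 is commonly the untagged native VLAN on
# switches (the native-VLAN issue mentioned above), so it is refused here.
add_vlan() {
    parent=$1; vid=$2; addr=$3
    [ "$vid" -ge 2 ] && [ "$vid" -le 4094 ] || { echo "refusing VLAN id $vid" >&2; return 1; }
    ifn=$(vlan_ifname "$parent" "$vid")
    $RUN ip link add link "$parent" name "$ifn" type vlan id "$vid"
    $RUN ip addr add "$addr" dev "$ifn"
    $RUN ip link set "$ifn" up
}

# Forwarding policy between the two VLANs: default drop, replies to existing
# connections allowed, and one service (TCP 443 from VLAN 10 to VLAN 20).
fw_rules() {
    $RUN nft add table inet fw
    $RUN nft add chain inet fw forward '{ type filter hook forward priority 0; policy drop; }'
    $RUN nft add rule inet fw forward ct state established,related accept
    $RUN nft add rule inet fw forward iifname '"eth0.10"' oifname '"eth0.20"' tcp dport 443 accept
}

main() {
    add_vlan eth0 10 10.10.0.1/24
    add_vlan eth0 20 10.20.0.1/24
    fw_rules
}
main
```

An alias such as eth0:2 would leave both address ranges on one segment, where hosts reach each other directly and the forward chain above never sees their traffic.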
These types of interfaces usually don't play well with accepted security practices and procedures, in my experience. I've seen sub-interfaces being used to alleviate network issues and other problems, but from the security standpoint, it complicates things.
For instance, on my virtual server box (Linode.com), I wanted a dedicated interface so that I could permanently run a dedicated sniffer. Typically, dedicated sniffers should use interfaces with no IP assigned (this is part of bastion processing), but I found that the colo could only give me a sub-interface that was tied to an additional IP, and one can't establish a sub-interface without an IP.
An additional issue that was discovered: when sniffing (or pinging, or anything else network-related), the sub-interface was still basically utilizing the real-life hardware interface that was pretty much already dedicated. This defeats the purpose of bastion hardening, IMO.
Maybe some of slimm609's network-fu above would've alleviated my issues but I've no direct control over the hosting provider's network, so that info probably wouldn't have helped me anyway.
Linode.com uses UML/Xen, so that's the price I pay for not using dedicated hardware, but I just wanted to point out a few limitations.
It would help if you explained your needs, though.