LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-01-2009, 02:14 AM   #1
winxandlinx
Member
 
Registered: May 2006
Posts: 141

Rep: Reputation: 15
Limitations of using sub-interfaces


Hi All

I would like to know the limitations of using a sub-interface
rather than going for physical interfaces every time in the firewall.
I think there could be some more limitations or drawbacks of using sub-interfaces?

Sharing your thoughts on this would be really appreciated.

Thank you
 
Old 12-02-2009, 02:34 AM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643
If you're talking about using subifs on a firewall, there wouldn't be much point unless you were doing VLAN tagging. Make sure the switch you're connecting to can do dot1q.

So to answer your q, no, I can't think of any drawbacks.

cheers
 
Old 12-02-2009, 08:51 AM   #3
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
sub-interfaces? I've never heard of that term before.

Do you mean dual-homed interfaces, like this?:

Code:
eth0      Link encap:Ethernet  HWaddr FE:FD:40:3E:E7:DC  
          inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.xxx  Mask:xxx.xxx.xxx.xxx
          inet6 addr: fe80::fcfd:40ff:fe3e:e7dc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2369354 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3837732 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:191008947 (182.1 MiB)  TX bytes:302470819 (288.4 MiB)
          Interrupt:5 

eth0:2    Link encap:Ethernet  HWaddr FE:FD:40:3E:E7:DC  
          inet addr:yyy.yyy.yyy.yyy  Bcast:yyy.yyy.yyy.yyy  Mask:yyy.yyy.yyy.yyy
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:5
 
Old 12-02-2009, 09:42 AM   #4
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
Quote:
Originally Posted by unixfool View Post
sub-interfaces? I've never heard of that term before.

Do you mean dual-homed interfaces, like this?:

Code:
eth0      Link encap:Ethernet  HWaddr FE:FD:40:3E:E7:DC  
          inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.xxx  Mask:xxx.xxx.xxx.xxx
          inet6 addr: fe80::fcfd:40ff:fe3e:e7dc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2369354 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3837732 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:191008947 (182.1 MiB)  TX bytes:302470819 (288.4 MiB)
          Interrupt:5 

eth0:2    Link encap:Ethernet  HWaddr FE:FD:40:3E:E7:DC  
          inet addr:yyy.yyy.yyy.yyy  Bcast:yyy.yyy.yyy.yyy  Mask:yyy.yyy.yyy.yyy
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:5
Yes unixfool, that is what he is talking about. It is actually a sub-interface. eth0 is the interface and eth0:2 is a sub-interface of eth0.

There are some possible problems that can come into play.

As said above, you have to use 802.1q VLAN tagging for it to be useful at all. And with trunking you have some other things to worry about, like VLAN hopping, native-VLAN restrictions, etc.

What is the reason that you would want to do a firewall with sub-interfaces? Without trunking, the addresses would have to be on the same network, and if that is the case then they can just bypass the firewall altogether.
 
1 members found this post helpful.
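The point slimm609 makes above, that an eth0:2-style alias puts a second subnet on the same broadcast domain as eth0 (so hosts there never have to cross the firewall), is easy to check mechanically. The script below is an added example, not code from the thread or from LinuxQuestions.org: it parses classic ifconfig output like the one quoted above, tells IP aliases (eth0:2) apart from 802.1q sub-interfaces (eth0.10, whose VLAN id gives it its own broadcast domain only if the switch trunks dot1q), and reports every domain that carries more than one subnet. The interface names, MAC address and RFC 5737 addresses in SAMPLE are constructed for the example.

```python
"""Flag firewall subnets that share a broadcast domain on a Linux box.

Added example for the thread; the ifconfig sample below is constructed
(RFC 5737 documentation addresses, made-up MAC) and not from the original post.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Classic (net-tools) ifconfig layout: one block per interface, blank-line separated.
NAME_RE = re.compile(r"^(\S+)\s+Link encap")
ADDR_RE = re.compile(r"inet addr:(\S+)\s+Bcast:\S+\s+Mask:(\S+)")
VLAN_RE = re.compile(r"^(.+)\.(\d+)$")       # eth0.10 -> parent eth0, VLAN 10


@dataclass
class Iface:
    name: str
    parent: str                  # physical device the frames actually leave on
    kind: str                    # "physical", "alias" (eth0:2) or "vlan" (eth0.10)
    vlan_id: Optional[int]       # 802.1q tag, None for untagged traffic
    network: Optional[ipaddress.IPv4Network]

    def domain(self) -> Tuple[str, Optional[int]]:
        """Broadcast domain key: same wire and same (or no) VLAN tag."""
        return (self.parent, self.vlan_id)


def classify_name(name: str) -> Tuple[str, str, Optional[int]]:
    """Return (parent, kind, vlan_id) for an interface name.

    eth0:2 is an IP alias: a second address on eth0's own segment, no isolation.
    eth0.10 is a VLAN sub-interface: tagged frames, a separate L2 domain on a trunk.
    eth0.10:1 is an alias on a VLAN sub-interface and inherits VLAN 10.
    """
    base = name.split(":")[0]
    m = VLAN_RE.match(base)
    parent, vlan_id = (m.group(1), int(m.group(2))) if m else (base, None)
    kind = "alias" if ":" in name else ("vlan" if m else "physical")
    return parent, kind, vlan_id


def parse_ifconfig(text: str) -> List[Iface]:
    ifaces = []
    for block in re.split(r"\n\s*\n", text.strip()):
        m = NAME_RE.match(block)
        if not m:
            continue
        parent, kind, vlan_id = classify_name(m.group(1))
        am = ADDR_RE.search(block)
        net = ipaddress.IPv4Interface(f"{am.group(1)}/{am.group(2)}").network if am else None
        ifaces.append(Iface(m.group(1), parent, kind, vlan_id, net))
    return ifaces


def shared_domains(ifaces: List[Iface]) -> Dict[Tuple[str, Optional[int]], List[str]]:
    """Map each broadcast domain to its subnets, keeping only domains with more than one.

    Two subnets on one domain are L2-adjacent: a host on either can reach the
    other directly, so any firewall rule between them can be bypassed.
    """
    domains: Dict[Tuple[str, Optional[int]], List[str]] = {}
    for i in ifaces:
        if i.network is not None:
            domains.setdefault(i.domain(), []).append(str(i.network))
    return {d: nets for d, nets in domains.items() if len(nets) > 1}


def report(text: str) -> List[str]:
    """Human-readable findings for one ifconfig dump."""
    lines = []
    for (parent, vlan), nets in shared_domains(parse_ifconfig(text)).items():
        tag = f"VLAN {vlan}" if vlan is not None else "untagged"
        lines.append(f"{parent} ({tag}): subnets {', '.join(nets)} share one broadcast "
                     f"domain; firewall rules between them are bypassable")
    return lines


# Constructed sample: a physical interface, an IP alias on it, and an 802.1q sub-interface.
SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 02:00:00:00:00:01
          inet addr:192.0.2.1  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:2    Link encap:Ethernet  HWaddr 02:00:00:00:00:01
          inet addr:198.51.100.1  Bcast:198.51.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0.10   Link encap:Ethernet  HWaddr 02:00:00:00:00:01
          inet addr:203.0.113.1  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run it as-is, or feed it the output of `ifconfig -a` from a net-tools system. On the sample it flags only the untagged eth0 domain (192.0.2.0/24 and 198.51.100.0/24, thanks to the eth0:2 alias); the eth0.10 subnet is left alone because its tagged frames form a separate domain, which is exactly the distinction the post draws between plain sub-interfaces and trunked VLANs.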
Old 12-02-2009, 10:42 AM   #5
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
These types of interfaces usually don't play well with accepted security practices and procedures, in my experience. I've seen sub-interfaces being used to alleviate network issues and other problems, but from the security standpoint, it complicates things.

For instance, on my virtual server box (Linode.com), I wanted a dedicated interface so that I could permanently run a dedicated sniffer. Typically, dedicated sniffers should use interfaces with no IP assigned (this is part of bastion processing), but I found that the colo could only give me a sub-interface that was tied to an additional IP, and one can't establish a sub-interface without an IP.

An additional issue that was discovered: when sniffing (or pinging, or anything else network-related), the sub-interface was still basically utilizing the real-life hardware interface that was pretty much already dedicated. This defeats the purpose of bastion hardening, IMO.

Maybe some of slimm609's network-fu above would've alleviated my issues but I've no direct control over the hosting provider's network, so that info probably wouldn't have helped me anyway.

Linode.com uses UML/Xen, so that's the price I pay for not using dedicated hardware, but I just wanted to point out a few limitations.

It would help if you explained your needs, though.
 
Old 12-04-2009, 01:42 AM   #6
winxandlinx
Member
 
Registered: May 2006
Posts: 141

Original Poster
Rep: Reputation: 15
Thanks to all you folks, and a big sorry for the delay in responding from my side.

Last edited by winxandlinx; 12-04-2009 at 01:43 AM.