Re: Packet Filter: how to keep device names on hardware failure?

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Dave Anderson

Subject: Re: Packet Filter: how to keep device names on hardware failure?

Date: Friday, November 7, 2008 - 4:55 pm

On Fri, 7 Nov 2008, Theo de Raadt wrote:

quoted text>> >Peter N. M. Hansteen wrote:
>> >> Harald Dunkel <harald.dunkel@aixigo.de> writes:
>> >>
>> >>> Sorry to wake this thread up again, but this problem is a severe
>> >>> security risk. IMHO it is unacceptable that a hardware failure on
>> >>> one NIC of a firewall can put the whole network at risk, just because
>> >>> the mapping between NICs and interface names gets mixed up, and PF
>> >>> suddenly treats the Internet as a subnet of the company LAN.
>> >>
>> >> Semi-random reordering of network interfaces would be a severe
>> >> problem, no doubt.  However, my hazy memory was that reordering would
>> >> not occur as you describe, but ICBW, please correct me if this has
>> >> actually been demonstrated to happen.
>> >
>> >I can post 2 dmesg logs of the same machine with the NIC
>> >names mixed up. Somehow 2 NICs disappeared on a reboot. On
>> >the next reboot they were back. Attached is the diff.
>> >
>> >In the bad configuration the NIC with 00:30:48:d2:9a:06 is
>> >called "em2", in the good one it is called "em4". Maybe you
>> >can imagine how PF screws up, if this NIC would have been
>> >physically connected to the Internet.
>> >
>> >Surely it is unusual that a NIC "disappears" somehow. Maybe
>> >there is something wrong with my hardware, but this can always
>> >happen. I would like to have a secure setup even if there is a
>> >hardware failure.
>>
>> Network configuration has bugged me a bit ever since I started using
>> OpenBSD, not just the real security issue that Harald Dunkel points out
>> but general ease of administration issues.  For example, on a typical
>> single-NIC system one ought to be able to set up a standard
>> configuration and not care which make/model of NIC is installed.
>
>You are joking right?  In that case you use the "egress" interface
>group.  It works perfectly on all machines with one network interface,
>and follows the default route.

Maybe I'm just confused, but my recollection is that one needs to set up
the appropriate hostname.<interface-name> to enable the interface before
the "egress" interface group works.

This single-NIC case is admittedly a minor one, but it would eliminate
one of the few (that I can think of) things about running a basic
OpenBSD system that requires any "arcane" setup.

quoted text>Or would you rather use eth0?

Since I never mentioned eth0, the answer is pretty obviously "no".

quoted text>> Perhaps most of these issues could be dealt with by changing the network
>> configuration procedure to have a hierarchy of interface-configuration
>> files rather than just hostname.<interface-name>.
>
>Oh, like eth0 and eth1 and eth2?

See above.

quoted text>> If hostname.<mac>
>> were used if the hardware MAC matches, then hostname.<interface-name>,
>> then (say) hostname.only if there's only one NIC found, the sysadmin
>> could assign interfaces to groups and use those group names everywhere,
>> and so not need to use the actual interface names at all.
>
>So right now you have hardware that is disappearing.  What happens when
>you get hardware where the MAC reading is not 100% reliable.  New problem,
>and a new solution?

Actually, it's other people who have the problem.  I was just
speculating on how to minimize its harmful effects.

One can always postulate a hardware (or other) failure which can't be
dealt with by whatever the current software may be; the question is
whether it happens often enough and is serious enough to be worth doing
something about.  Or if it suggests a change which is worthwhile in
itself and also solves the problem.

quoted text>> This appears to be a fairly simple change.  Does it sound reasonable to
>> people with more knowledge of OpenBSD networking?
>
>No, it is not reasonble.  You are inventing problems at a very high
>level just because some very low level pci-related bug is making some
>of your devices not reliably show themselves.

No, I'm thinking about a general way for those people who care about it
to tie pf rules, etc, to specific physical interfaces, regardless of
what other devices are installed or configured in a system.

	Dave

-- 
Dave Anderson
<dave@daveanderson.com>

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Packet Filter: how to keep device names on hardware failure?, Harald Dunkel, (Fri Aug 22, 7:16 am)

Re: Packet Filter: how to keep device names on hardware fa ..., jared r r spiegel, (Fri Aug 22, 7:46 am)

Re: Packet Filter: how to keep device names on hardware fa ..., list-obsd-misc, (Fri Aug 22, 7:10 pm)

Re: Packet Filter: how to keep device names on hardware fa ..., Harald Dunkel, (Mon Aug 25, 1:11 am)

Re: Packet Filter: how to keep device names on hardware fa ..., Harald Dunkel, (Mon Aug 25, 5:19 am)

Re: Packet Filter: how to keep device names on hardware fa ..., Henning Brauer, (Mon Aug 25, 8:37 am)

Re: Packet Filter: how to keep device names on hardware fa ..., Harald Dunkel, (Tue Aug 26, 1:07 am)

Re: Packet Filter: how to keep device names on hardware fa ..., Harald Dunkel, (Fri Nov 7, 1:51 am)

Re: Packet Filter: how to keep device names on hardware fa ..., Peter N. M. Hansteen, (Fri Nov 7, 2:10 am)

Re: Packet Filter: how to keep device names on hardware fa ..., Aram HAVARNEANU, (Fri Nov 7, 2:18 am)

Re: Packet Filter: how to keep device names on hardware fa ..., Harald Dunkel, (Fri Nov 7, 4:30 am)

Re: Packet Filter: how to keep device names on hardware fa ..., Peter N. M. Hansteen, (Fri Nov 7, 5:22 am)

Re: Packet Filter: how to keep device names on hardware fa ..., Guido Tschakert, (Fri Nov 7, 5:43 am)

Re: Packet Filter: how to keep device names on hardware fa ..., Douglas A. Tutty, (Fri Nov 7, 6:33 am)

Re: Packet Filter: how to keep device names on hardware fa ..., Girish Venkatachalam, (Fri Nov 7, 7:38 am)

Re: Packet Filter: how to keep device names on hardware fa ..., Marcus Andree, (Fri Nov 7, 10:04 am)

Re: Packet Filter: how to keep device names on hardware fa ..., Dave Anderson, (Fri Nov 7, 10:44 am)

Re: Packet Filter: how to keep device names on hardware fa ..., Theo de Raadt, (Fri Nov 7, 11:02 am)

Re: Packet Filter: how to keep device names on hardware fa ..., johan beisser, (Fri Nov 7, 11:27 am)

Re: Packet Filter: how to keep device names on hardware fa ..., Ted Unangst, (Fri Nov 7, 1:55 pm)

Re: Packet Filter: how to keep device names on hardware fa ..., Rod Whitworth, (Fri Nov 7, 2:04 pm)

Re: Packet Filter: how to keep device names on hardware fa ..., Ted Unangst, (Fri Nov 7, 3:55 pm)

Re: Packet Filter: how to keep device names on hardware fa ..., Dave Anderson, (Fri Nov 7, 4:28 pm)

Re: Packet Filter: how to keep device names on hardware fa ..., Dave Anderson, (Fri Nov 7, 4:55 pm)

Re: Packet Filter: how to keep device names on hardware fa ..., Chris Kuethe, (Fri Nov 7, 5:04 pm)

Re: Packet Filter: how to keep device names on hardware fa ..., Theo de Raadt, (Fri Nov 7, 5:05 pm)

Re: Packet Filter: how to keep device names on hardware fa ..., Jussi Peltola, (Fri Nov 7, 5:48 pm)

Re: Packet Filter: how to keep device names on hardware fa ..., Dave Anderson, (Fri Nov 7, 6:19 pm)

Re: Packet Filter: how to keep device names on hardware fa ..., Dave Anderson, (Sat Nov 8, 9:44 am)

Re: Packet Filter: how to keep device names on hardware fa ..., Denis Doroshenko, (Sat Nov 8, 10:55 am)

Re: Packet Filter: how to keep device names on hardware fa ..., Peter N. M. Hansteen, (Sat Nov 8, 11:20 am)

Re: Packet Filter: how to keep device names on hardware fa ..., Dag Richards, (Sat Nov 8, 12:44 pm)

Re: Packet Filter: how to keep device names on hardware fa ..., Nick Holland, (Sat Nov 8, 1:59 pm)

Re: Packet Filter: how to keep device names on hardware fa ..., Harald Dunkel, (Mon Nov 10, 2:13 am)

Re: Packet Filter: how to keep device names on hardware fa ..., Harald Dunkel, (Mon Nov 10, 3:57 am)

Re: Packet Filter: how to keep device names on hardware fa ..., David Higgs, (Mon Nov 10, 6:53 am)

Re: Packet Filter: how to keep device names on hardware fa ..., Jussi Peltola, (Mon Nov 10, 9:55 am)


linux-kernel:
Mathieu Desnoyers	[PATCH 01/10] local_t : architecture independant extension
Ingo Molnar	Re: 2.6.20-rc6-mm3
monstr	[PATCH 46/56] microblaze_v2: headers files entry.h current.h mman.h registers.h se...
alan	Re: Versioning file system
Jan Engelhardt	Re: Linux Security Module Framework (Was: LSM conversion to static interface)
git:
Andy Parkins	git-fetch fails with error code 128
Johannes Sixt	Re: [PATCH v2 04/13] Teach rebase interactive the mark command
Yakov Lerner	Re: Autoconf/Automake
Miklos Vajna	Re: [IRC/patches] Failed octopus merge does not clean up
Johannes Sixt	Re: [msysGit] [PATCH 01/12] Fake reencoding success under NO_ICONV instead of retu...
linux-netdev:
jamal	[net-next-2.6 PATCH 1/7] xfrm: introduce basic mark infrastructure
jamal	[net-next-2.6 PATCH 0/7] xfrm by MARK
Timo Teräs	ip xfrm policy semantics
Jeff Garzik	Re: [PATCH 1/5] sky2: phy setup changes
Ken-ichirou MATSUZAWA	Re: [PATCH] don't touch bridge sysfs in container.
git-commits-head:
Linux Kernel Mailing List	No need to do lock_super() for exclusion in generic_shutdown_super()
Linux Kernel Mailing List	x86, msr: Export the register-setting MSR functions via /dev/*/msr
Linux Kernel Mailing List	MIPS: SMTC: Fix lockup in smtc_distribute_timer
Linux Kernel Mailing List	V4L/DVB (13840): smsusb: Add ISDB-T firmware for Hauppauge WinTV-Nova-T-MiniStick
Linux Kernel Mailing List	Input: gpio-keys - add support for disabling gpios through sysfs
openbsd-misc:
Marco Peereboom	Re: Defending OpenBSD Performance
elitdostlar	Seks partneri arayan bayanlar bu adreste - 8878xs706x6438
Damon Schultz	Routing iTunes sharing across subnets using OpenBSD
Ashraf Cotu	Je sur comptable a la banque BCB je vais virée $6.million a la etranger
Chris Black	Re: carp, 2 router