| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Jul 2011 21:38:51 -0500
From: "Greg Scott" <GregScott@...rasupport.com>
To: "David Lamparter" <equinox@...c24.net>
Cc: "Stephen Hemminger" <shemminger@...tta.com>,
<netdev@...r.kernel.org>,
"Lynn Hanson" <LynnHanson@...anhills.org>,
"Joe Whalen" <JoeWhalen@...anhills.org>
Subject: RE: Bridging behavior apparently changed around the Fedora 14 time
> If I understand your setup correctly, you have:
>
> (servers)
> |
> +--------[eth0 <-br0-> eth1]------- internet
> |
> (clients)
Close. Here's a better ASCII art picture. There aren't really any
internal-->external clients.
Internet firewall Private LAN
----------------+******+---------+-------+
eth0 eth1 NATed H.323
Bridge br0 servers devices
The H.323 devices work better if they have real, public IP Addresses.
I've done them with NAT, but H.323 just works better if the devices
"think" they're directly connected to the Internet. All the servers are
all on the physical private LAN side, physically behind the firewall.
> Why not proxy ARP?
I used to use proxy ARP until I got burned really badly with what proxy
ARP really does - the NIC answers ARP requests (in proxy) for everyone
and anyone that asks with its own MAC address. Think about that - proxy
ARP impersonates everyone and anyone on the LAN to which it's connected.
I had one of these in a colo center and for several hours, my box
Proxy-ARPed everyone and anyone on that same public network. I don't
even like to think about how many public webservers I unintentionally
messed with that day. Oh yes - and to make matters worse, that customer
had an IP load balancer behind my box nobody told me about and proxy ARP
messed that up too. The stupid load balancer wouldn't clear its ARP
cache and had to be rebooted - and that took down a major website and
pretty much blew my only chance to do business with this customer. All
in all, not one of my better days. I decided right then and there, no
more proxy ARP.
Bridging turns out to be a much cleaner and more polite way to do it.
Don't believe all the forum comments about the wonders of proxy-ARP.
> Why not use a VLAN?
Because I really don't need one. Plus it doesn't matter anyway - the
firewall can act as a router on a stick to go between my H.323 devices
and private IP servers. With or without VLANs makes no difference in
this case.
> You have a bit of a Frankennet there
I don't think so. I have a single LAN with a couple of devices that
need public IP Addresses. This isn't that unusual. I have lots of
other sites doing it this way.
> I must say that your bug report sounds more like a
> forwarding-back-to-source-device IP-level problem.
I don't think it's an IP level problem. I think it's a layer 2 problem
- and now I think the problem is, bridging is supposed to turn on
PROMISC mode and it didn't. I had to do it by hand myself. I never
paid attention to whether or not PROMISC mode was turned on with any of
the other ones like this I've done and never had a problem with it until
this one. And as soon as I turned on PROMISC mode by hand, everything
worked as it should. If it was an IP problem, or routing problem, or
ruleset/filtering problem, why would PROMISC mode make any difference
one way or the other?
What I don't know yet is, is this a Fedora bug or a stock kernel bug?
Is anyone from Red Hat following this email list?
I think I will take a look at a few of my other bridged sites running
earlier versions and see if they turn on PROMISC mode on their bridged
NICs.
- Greg
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists