Mailinglist Archive: opensuse-security (547 mails)

Re: [suse-security] same ip for two interfaces
  • From: "John Trickey" <jtrickey@xxxxxxx>
  • Date: Sun, 5 Nov 2000 13:27:57 -0000
  • Message-id: <002b01c0472c$56c10f80$1082a8c0@xxxxxxxxxxxxxxxxx>
> The whole thing is interesting from the academic standpoint. What would
> happen with two interfaces of the same IP?

It's not academic from a system administrator's point of view, s/he'd get a
headache :-)

Depending on the *nix, it would work. For example, Linux would cope but AIX3
would not, or at least SMIT would not let you do it.

The real problem is that you have to take such care in configuring your
hosts that it becomes a disaster waiting to happen. For example:

- You must specify all routing by device to ensure subnets are not assumed.
- If the DMZ network is not a maskable block, you are into a route per
  host.
- Either
    all hosts on each of the identical interfaces must route to their
    own subnet via the firewall if they wish to talk to the other part of
    the subnet
  or
    the firewall must proxy arp for the hosts on the DMZ
- Broadcasting will only occur on one of the interfaces -- maybe!

There's probably a lot more but I hope that is enough to put you off.

Here is a version that will work.
Assigned address space assumed as 1.2.3.0/nn.
Interfaces Red=1.2.3.1, DMZ=10.0.0.1, Green=10.0.1.1.
DMZ_Hosts=10.0.0.0/24 plus alias on each host set to its assigned address.

All that now needs to be configured is the routing in the firewall for each
DMZ host. You also have a model that can be bolted down even tighter using
switch technology or forcing all traffic via the firewall.

Another option is to forget the aliasing and use one of the address
translation facilities.

YMMV.

John
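
The working layout described in the message above, as an added example that is not part of the original post: a dry-run generator for the per-host firewall routes and the host-side alias. The interface names (eth1, eth0), the iproute2 `ip` syntax, the sample host addresses and the assumption that the assigned block lies inside 1.2.3.0/24 are all illustrative.

```shell
#!/bin/sh
# Constructed sample inventory: "<private DMZ address> <assigned address>".
# 1.2.3.x stands in for the assigned block, as in the message above.
DMZ_HOSTS='10.0.0.10 1.2.3.10
10.0.0.11 1.2.3.11'

DMZ_IF=eth1    # assumed name of the firewall's DMZ interface (10.0.0.1)
HOST_IF=eth0   # assumed name of each DMZ host's interface

# Refuse entries that collide with the firewall's own addresses or fall
# outside the two ranges, before any command is emitted for them.
check_entry() {
    case "$1" in
        10.0.0.1) echo "private $1 is the firewall DMZ address" >&2; return 1 ;;
        10.0.0.*) ;;
        *)        echo "private $1 is outside 10.0.0.0/24" >&2; return 1 ;;
    esac
    case "$2" in
        1.2.3.1)  echo "assigned $2 is the Red interface" >&2; return 1 ;;
        1.2.3.*)  ;;
        *)        echo "assigned $2 is outside the assigned block" >&2; return 1 ;;
    esac
}

# Firewall side: one /32 route per DMZ host, pinned to the DMZ device so
# no subnet is inferred for the assigned addresses.
firewall_routes() {
    while read -r priv pub; do
        [ -n "$priv" ] || continue
        check_entry "$priv" "$pub" || return 1
        echo "ip route add $pub/32 via $priv dev $DMZ_IF"
    done <<EOF
$DMZ_HOSTS
EOF
}

# Host side: the alias carrying the assigned address on one DMZ host,
# selected by its private address.
host_alias() {
    while read -r priv pub; do
        [ "$priv" = "$1" ] || continue
        check_entry "$priv" "$pub" || return 1
        echo "ip addr add $pub/32 dev $HOST_IF"
    done <<EOF
$DMZ_HOSTS
EOF
}

# Print the commands for review; nothing is applied to the system.
firewall_routes && host_alias 10.0.0.10
```
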
