[ previous ] [ next ] [ threads ]
 
 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: Re: Re: [m0n0wall] How to subnet OPT1 and still offer DHCP for each subnet?
 Date:  Mon, 23 Aug 2004 22:46:59 -0700 (PDT)
On Thu, 19 Aug 2004, Joe Lagreca wrote:
> On Thu, 19 Aug 2004 18:06:51 -0700 (PDT), Fred Wright <fw at well dot com> wrote:
> > 
> > While m0n0wall doesn't have direct support for IP aliases (it uses the
> > term "alias" to mean something entirely different), you can set it up with
> > the <shellcmd> facility in the config.  E.g. (in the <system> section):
> > 
> >        <shellcmd>ifconfig sis0 alias 10.1.1.1/24</shellcmd>
> >        <shellcmd>ifconfig sis0 alias 10.1.2.1/24</shellcmd>
> > 
> > where the "sis0" should be the name of the LAN interface.
> 
> My OPT1 interface should look like this:
> <opt1>
> 	<descr>OPT1</descr>
> 	<if>xl2</if>
> 	<ipaddr>10.1.0.1</ipaddr>
> 	<subnet>24</subnet>
> 	<bridge/>
> 	<enable/>
> </opt1>
> 
> Should my first command (this is in the config.xml file correct???)
> look like this:
> <shellcmd>ifconfig xl2 alias 10.1.1.1/24</shellcmd>
> or like this:
> <shellcmd>ifconfig opt1 alias 10.1.1.1/24</shellcmd>

The former - ifconfig doesn't know anything about m0n0wall's interface
names.

> I have an idea of what all this does, but please check it over and let
> me know if its the right idea:
> 
> This will basicly bind an IP address to the OPT1 interface.  So I will
> just bind as many IP's to the OPT1 interface as I have
> subnets/clients?  Then on the client end, make their gateway the IP
> that I have binded for them to OPT1?  Will all of the subnets bound to
> OPT1 have to follow the rules applied in the firewall for OPT1?
> 
> How about traffic shaping?  Will I be able to shape each individual
> subnet or only OPT1 as a whole?

All of those things are a function of how you specify the IP addresses in
the rules.  Note that there's no defense against one client spoofing
another's IP, so "cheating" is possible.  If that kind of security is an
issue, then you really do need separate *physical* interfaces for each
client.  Note that multiport NICs count as multiple physical interfaces.

> Configured as stated above, if a windows machine on subnet 1 were to
> go to their network neighborhood, they would only see other machines
> on subnet 1 and not on any other subnet (because broadcast traffic is
> only within their subnet)?

Correct.

> However if they specifically put in an IP address on another subnet
> they would have access to it?

Trivially, no, because their machine wouldn't have a routing entry for
it.  But such an entry could be created easily enough, or even
automatically via ICMP Redirect from the m0n0wall.  So don't count on lack
of routing for security.

> > It should be possible to configure firewall rules to control routing
> > between the subnets, but by default everything will be passed by the
> > default LAN rule.  And of course it doesn't prevent the subnets from
> > communicating directly, with what's usually a simple routing entry, so
> > don't count on this setup for security.
> 
> Again, please correct my logic of the security portion of this idea:
> 
> I can create rules on the firewall to prevent each subnet from talking
> to each other.  However if a user on another subnet adds a routing
> entry on their end to allow them access to one of the other subnets I
> cannot stop them?

That's correct (almost), and in addition, at the time I wrote the above, I
failed to note that ICMP Redirect isn't fine-grained, so once *any*
traffic is routed between clients, the resulting routing entries would
allow *all* traffic between those clients.

The "almost" is because in order to get *round-trip* traffic between two
clients bypassing the m0n0wall, *both* would need routing entries.  This
makes doing it manually a bit harder, though spoofing a *local* ICMP
Redirect isn't difficult.

And if you think a switch provides any security, read up on "ARP
Spoofing". :-)

					Fred Wright