> From: "peter pajak" <[EMAIL PROTECTED]>
> Subject: Re: quad cards on firewalls
> 
> not exactly, since all NICs on sun boxes always have the same mac address 
> (burnt into the motherboard) all switches are designed to handle that all 
> right. besides, all communications start with the ip address being mapped to 
> mac address by arp, so the switch port which has the ip address you want to 
> talk to is being used as the communication channel anyway. in regard to the 
> second part ask the guy what he means by compromising the card. to do that 
> one would have to have physical access to the machine and that's another 
> issue.

Sounds like an offshoot of the "switching hubs are not routers" thread.
(Despite the fact that switches are designed to isolate traffic between
ports, they don't _guarantee_ isolation from a security perspective.
Presumably this argument doesn't hold if the ports are on different
VLANs, but I don't speak for Cisco.)  I don't think the same concepts
would apply here -- there's a buffer on the QFE card, but no processing
intelligence to speak of, so nothing to compromise.

Also, Suns can be forced to generate different MAC addresses for each
interface by setting local-mac-address? to true in (recent versions of)
OBP.  This is useful for doing things like putting two interfaces of
the same box on the same logical network, and it's sometimes required
for (older, arguably broken) HA software.  Setting this parameter will
number the interfaces on a QFE card sequentially...which bothers me
conceptually (where's the guarantee that you don't have two cards that
are sequential to begin with??).

You can also set your MAC address to whatever suits your mood with
ifconfig, but be careful not to set the last bit of the first octet.
(If you do, you're using a multicast address...no harm done, really,
but probably not your intention and might cause surprises later.)
LAN admins don't like it if you set your MAC address to that of a
router, or a printer, etc.

To generate unique MAC addresses for each interface:
    In OBP:
        ok> setenv local-mac-address? true
    From root shell:
        # eeprom local-mac-address\?=true

To set your MAC address to whatever you want:
    From root shell:
        # ifconfig qfe0 ether 8:0:20:be:a:ca

Andrew
[EMAIL PROTECTED]
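
Added example, not part of the original message: a POSIX shell check for the multicast-bit caveat above, meant to be run on a candidate address before it is handed to ifconfig. The function names and every sample address other than 8:0:20:be:a:ca are constructed for illustration; the locally-administered report relies on the IEEE 802 U/L bit, which the message does not mention.

```shell
#!/bin/sh
# Added example: sanity-check a MAC address before using it with
# "ifconfig <if> ether <mac>". Accepts the unpadded octet form shown
# in the message (8:0:20:be:a:ca). Function names are hypothetical.

# normalize_mac MAC: print zero-padded lowercase form; return 1 if malformed.
normalize_mac() {
    # Reject empty input, non-hex characters, and empty octets.
    case $1 in ''|*[!0-9A-Fa-f:]*|:*|*:|*::*) return 1 ;; esac
    _old_ifs=$IFS; IFS=:
    set -- $1                      # split on ':' into positional params
    IFS=$_old_ifs
    [ $# -eq 6 ] || return 1       # exactly six octets
    _out=
    for _o in "$@"; do
        [ ${#_o} -le 2 ] || return 1
        _out="${_out}${_out:+:}$(printf '%02x' "0x$_o")"
    done
    printf '%s\n' "$_out"
}

# check_mac MAC: 0 = unicast, 1 = malformed, 2 = multicast bit set.
check_mac() {
    _mac=$(normalize_mac "$1") || { echo "malformed: $1" >&2; return 1; }
    _first=$((0x${_mac%%:*}))      # value of the first octet
    # Lowest bit of the first octet set means a group (multicast) address.
    if [ $((_first & 1)) -ne 0 ]; then
        echo "$_mac: multicast bit set in first octet" >&2
        return 2
    fi
    # Next bit up distinguishes locally assigned from vendor-assigned.
    if [ $((_first & 2)) -ne 0 ]; then
        echo "$_mac unicast, locally administered"
    else
        echo "$_mac unicast, universally administered"
    fi
}

# Constructed samples: the address from the message, a multicast
# variant (first octet 9), a locally administered one, and a short one.
for m in 8:0:20:be:a:ca 9:0:20:be:a:ca a:0:20:be:a:ca 8:0:20:be:a; do
    check_mac "$m" || true
done
```
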
