> >Peter N. M. Hansteen wrote:
> >> Harald Dunkel <[EMAIL PROTECTED]> writes:
> >>
> >>> Sorry to wake this thread up again, but this problem is a severe
> >>> security risk. IMHO it is unacceptable that a hardware failure on
> >>> one NIC of a firewall can put the whole network at risk, just because
> >>> the mapping between NICs and interface names gets mixed up, and PF
> >>> suddenly treats the Internet as a subnet of the company LAN.
> >>
> >> Semi-random reordering of network interfaces would be a severe
> >> problem, no doubt.  However, my hazy memory was that reordering would
> >> not occur as you describe, but ICBW, please correct me if this has
> >> actually been demonstrated to happen.
> >
> >I can post 2 dmesg logs of the same machine with the NIC
> >names mixed up. Somehow 2 NICs disappeared on a reboot. On
> >the next reboot they were back. Attached is the diff.
> >
> >In the bad configuration the NIC with 00:30:48:d2:9a:06 is
> >called "em2", in the good one it is called "em4". Maybe you
> >can imagine how PF screws up, if this NIC would have been
> >physically connected to the Internet.
> >
> >Surely it is unusual that a NIC "disappears" somehow. Maybe
> >there is something wrong with my hardware, but this can always
> >happen. I would like to have a secure setup even if there is a
> >hardware failure.
> 
> Network configuration has bugged me a bit ever since I started using
> OpenBSD, not just the real security issue that Harald Dunkel points out
> but general ease of administration issues.  For example, on a typical
> single-NIC system one ought to be able to set up a standard
> configuration and not care which make/model of NIC is installed.

You are joking right?  In that case you use the "egress" interface
group.  It works perfectly on all machines with one network interface,
and follows the default route.

Or would you rather use eth0?

> Perhaps most of these issues could be dealt with by changing the network
> configuration procedure to have a hierarchy of interface-configuration
> files rather than just hostname.<interface-name>.

Oh, like eth0 and eth1 and eth2?

> If hostname.<mac>
> were used if the hardware MAC matches, then hostname.<interface-name>,
> then (say) hostname.only if there's only one NIC found, the sysadmin
> could assign interfaces to groups and use those group names everywhere,
> and so not need to use the actual interface names at all.

So right now you have hardware that is disappearing.  What happens when
you get hardware where the MAC reading is not 100% reliable?  New problem,
and a new solution?

> This appears to be a fairly simple change.  Does it sound reasonable to
> people with more knowledge of OpenBSD networking?

No, it is not reasonable.  You are inventing problems at a very high
level just because some very low level pci-related bug is making some
of your devices not reliably show themselves.
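As an added example, not written by anyone in this thread: a fail-closed check of the kind Harald's scenario calls for. Before the production pf.conf is loaded, it compares the lladdr each interface currently reports with the MAC that interface name is expected to carry, so a ruleset written for em2/em4 is not applied after the names have been reshuffled. The address 00:30:48:d2:9a:06 is the one from the thread; the other MAC, the ifconfig output and the function names are constructed.

```shell
#!/bin/sh
# Added example (not from this thread): refuse to load a pf ruleset that
# names em2/em4 unless each name still carries the MAC it had when the
# ruleset was written. Run it before "pfctl -f /etc/pf.conf"; where to hook
# it into the boot sequence is left to the administrator.

# Expected "ifname=mac" pairs. 00:30:48:d2:9a:06 is the address from the
# thread; the em2 address is constructed.
EXPECTED_MAP='em2=00:30:48:d2:9a:04 em4=00:30:48:d2:9a:06'

# Constructed OpenBSD-style ifconfig output: the "good" boot, and the "bad"
# boot where one NIC vanished and the survivor came up as em2.
GOOD_IFCONFIG='em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:30:48:d2:9a:04
        inet 192.168.1.1 netmask 0xffffff00
em4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:30:48:d2:9a:06
        inet 203.0.113.2 netmask 0xfffffff8'
BAD_IFCONFIG='em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:30:48:d2:9a:06
        inet 192.168.1.1 netmask 0xffffff00'

# Print the lladdr of interface $1, reading ifconfig output on stdin.
mac_of() {
    awk -v want="$1" '
        /^[a-z]+[0-9]+: / { cur = $1; sub(":$", "", cur) }
        cur == want && $1 == "lladdr" { print $2; exit }
    '
}

# Check every pair in EXPECTED_MAP against the ifconfig output in $1.
# Returns 0 only if every name carries its expected MAC (fail closed).
check_nic_map() {
    bad=0
    for pair in $EXPECTED_MAP; do
        ifname=${pair%%=*}
        want=${pair#*=}
        have=$(printf '%s\n' "$1" | mac_of "$ifname")
        if [ "$have" != "$want" ]; then
            echo "nic-check: $ifname expected $want, found ${have:-nothing}" >&2
            bad=1
        fi
    done
    return $bad
}

# Demonstration on the constructed samples; on a real host pass "$(ifconfig)".
check_nic_map "$GOOD_IFCONFIG" && echo "good boot: mapping intact, safe to load pf.conf"
check_nic_map "$BAD_IFCONFIG"  || echo "bad boot: mapping changed, NOT loading pf.conf"
```

On a mismatch the script leaves whatever minimal ruleset is already in place and reports which name carries the wrong address, which is the information needed to decide whether cabling or rules must change.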
