On 01/29/2013 09:45 AM, James wrote:
> Hello,
>
> From here: http://ebtables.sourceforge.net/
>
> We read:
> The ebtables tool can be combined with the other Linux filtering tools
> (iptables, ip6tables and arptables) to make a bridging firewall that is also
> capable of filtering these higher network layers. This is enabled through the
> bridge-netfilter architecture which is a part of the standard Linux kernel.
>
> Can someone explain to me when/how you would use ebtables
> for enhanced security, or forward me to a good written
> presentation on when, why or how to deploy ebtables?
> Maybe a package already blends these components together?
> I recently saw ebtables pop up in a commercial product
> (sniffed terminal boot session) offered by Siemens......
>
tl;dr ebtables makes it easy to isolate your interfaces in an unsafe environment.

This was over a year ago, and the project fell through, so this is just from memory:

We were planning on hosting a very insecure electronic health thingy that "needs to run on a server" (if you want support). The doctors who use it don't have the expertise to maintain it, and the people who sell it didn't have the expertise to do much of anything in my opinion. Since it was "just" a java web application, the servers didn't need to be powerful. But for HIPAA (and my own peace of mind) we wanted the servers to be as isolated as possible.

We decided on using KVM virtual machines, each bridged through to its own public IP address on the host. For preventing *external* traffic, iptables is fine. We obviously don't want the RDP ports open to the world, for example. But how do we prevent one VM instance from communicating with another? One doctor's office shouldn't be able to connect to another office's server. If Dr. Foo notices that he can crash his application by entering nonsense into the login form, then he might suppose that he could crash Dr. Bar's application by doing the same thing.

So anyway, my memory of this is all very wishy-washy, but ebtables turned out to be the best way to implement those inter-VM restrictions. It could probably have been done in iptables, but ebtables made it easy to say "don't let these two talk."
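The "don't let these two talk" setup from the reply above, as an added example that is not from the thread or from the ebtables project: a deny-by-default ebtables chain for a host bridge with one tap port per KVM guest and one physical uplink, plus (going one step beyond the reply) a per-guest source-MAC pin so a guest cannot impersonate a neighbour's address. The bridge name br0, ports tap0/tap1/eth0, chain name GUEST_ISO and the MAC addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): guest-to-guest isolation on a Linux
# bridge with ebtables. Assumed layout: host bridge br0 with one tap port per
# KVM guest (tap0, tap1, ...) and a physical uplink eth0. Frames between a
# guest port and the uplink are allowed; frames between two guest ports drop.
# EBT_DRY_RUN=1 (the default) prints the commands instead of running them;
# applying them for real needs root and the ebtables binary.
: "${EBT_DRY_RUN:=1}"

ebt() {
    if [ "$EBT_DRY_RUN" = "1" ]; then printf 'ebtables %s\n' "$*"; else ebtables "$@"; fi
}

# isolate_guests UPLINK : deny-by-default chain for frames crossing the bridge.
# The FORWARD chain is traversed once per egress port, also for flooded frames
# (broadcast, unknown unicast, ARP), so matching on the -i/-o port pair stops a
# guest from ARP-scanning or ARP-poisoning its neighbours as well.
isolate_guests() {
    uplink=$1
    ebt -N GUEST_ISO 2>/dev/null || true        # chain may already exist
    ebt -F GUEST_ISO
    ebt -A GUEST_ISO -i "$uplink" -j RETURN     # uplink -> guest: allowed
    ebt -A GUEST_ISO -o "$uplink" -j RETURN     # guest -> uplink: allowed
    ebt -A GUEST_ISO -j DROP                    # anything else is guest -> guest
    ebt -A FORWARD -j GUEST_ISO
}

# pin_guest_mac GUEST_IF MAC : drop frames entering a guest port whose source
# MAC is not the one assigned to that guest (ebtables "-s ! MAC" negation).
pin_guest_mac() {
    ebt -A FORWARD -i "$1" -s ! "$2" -j DROP
}

# plan UPLINK GUEST_IF=MAC ... : print the complete ruleset without applying it.
# MAC pins are appended first so they precede the jump into GUEST_ISO.
plan() {
    uplink=$1; shift
    ( EBT_DRY_RUN=1
      for spec in "$@"; do pin_guest_mac "${spec%%=*}" "${spec#*=}"; done
      isolate_guests "$uplink" )
}
```

Run `plan eth0 tap0=52:54:00:aa:bb:01 tap1=52:54:00:aa:bb:02` to review the rules, then `EBT_DRY_RUN=0` with the same functions to apply them, and `ebtables -L --Lc` to confirm the DROP counters on GUEST_ISO rise only when guests try to reach each other.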

