Harald Dunkel <[EMAIL PROTECTED]> writes:

> I can post 2 dmesg logs of the same machine with the NIC
> names mixed up. Somehow 2 NICs disappeared on a reboot. On
> the next reboot they were back. Attached is the diff.

Dodgy hardware does lead to problems, certainly.  

The basic problem here is that the system enumerates only the hardware
it is able to contact and identify, and units of the same type are
assigned an identifier equal to driver name plus a sequence number.

Unless we make some other unique identifier part of the way PF
evaluates rules (the MAC address comes to mind, but that too can be
changed in any modern operating system), there is no quick fix, other
than rewriting your rule set so it avoids 'on' criteria and other
hardware specifics wherever possible.

The other immediately available workaround would be to make sure you
build your system so no two network interfaces will use the same driver.

That earns you the interesting tradeoff of handling a number of
suppliers roughly equal to the number of interfaces installed in case
of hardware failure, with the likely consequence of having to stock N
times as many different spares in case of failures.

> Surely it is unusual that a NIC "disappears" somehow. Maybe
> there is something wrong with my hardware, but this can always
> happen. I would like to have a secure setup even if there is a
> hardware failure.

Hardware failures will occur occasionally.  Depending on your local
security assessment there are a number of variables at play here, and
it can be convincingly argued that you should have spare parts on
hand, along with a proper monitoring regime and procedures that will
have you replace faulty hardware before the scenario you describe
occurs.  On the other hand, it would be interesting to see how
competing systems handle this scenario, if at all.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

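To make the rewriting advice above concrete, here is an added illustration that is not part of the original mail: a small PF rule set keyed on driver-name-plus-number interface names, followed by the same policy rewritten so that, as far as possible, it keys on addresses and networks instead of 'on' criteria. Interface names, addresses and the macro names are constructed for the example, and the two sections are alternatives, not one file to load as a whole.

```pf
# Added illustration, not from the original mail. Names, addresses
# and services are constructed for the example.

# --- Version A: rules pinned to interface names -----------------------
# em0/em1 are driver name plus sequence number. If the card that was em0
# is not found at boot, the former em1 is renumbered to em0 and the
# "internal" rules below get applied to the wrong wire.
ext_if = "em0"
int_if = "em1"

block all
pass in  on $ext_if proto tcp from any to ($ext_if) port 22 keep state
pass in  on $int_if from $int_if:network to any keep state
pass out on $ext_if from ($ext_if) to any keep state

# --- Version B: same policy keyed on addresses, not interfaces --------
# The address a NIC carries does not change when its name does, so the
# decisions survive a renumbering. Macros renamed so the intent is clear.
ext_addr = "192.0.2.10"
int_net  = "10.0.0.0/24"

block all
pass in  proto tcp from any to $ext_addr port 22 keep state
pass in  from $int_net to any keep state
pass out from $ext_addr to any keep state
```

Dropping 'on' also drops the implicit check that a packet with an internal source address arrived on the internal wire, so version B should be weighed against the renumbering risk rather than adopted blindly. Where that check matters, keep an 'on' rule for it and accept that it is the part most exposed to the enumeration problem described above.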