On Fri, 7 Nov 2008, Harald Dunkel wrote:

>Peter N. M. Hansteen wrote:
>> Harald Dunkel <[EMAIL PROTECTED]> writes:
>>
>>> Sorry to wake this thread up again, but this problem is a severe
>>> security risk. IMHO it is unacceptable that a hardware failure on
>>> one NIC of a firewall can put the whole network at risk, just because
>>> the mapping between NICs and interface names gets mixed up, and PF
>>> suddenly treats the Internet as a subnet of the company LAN.
>>
>> Semi-random reordering of network interfaces would be a severe
>> problem, no doubt.  However, my hazy memory was that reordering would
>> not occur as you describe, but ICBW, please correct me if this has
>> actually been demonstrated to happen.
>
>I can post 2 dmesg logs of the same machine with the NIC
>names mixed up. Somehow 2 NICs disappeared on a reboot. On
>the next reboot they were back. Attached is the diff.
>
>In the bad configuration the NIC with 00:30:48:d2:9a:06 is
>called "em2", in the good one it is called "em4". Maybe you
>can imagine how PF screws up, if this NIC would have been
>physically connected to the Internet.
>
>Surely it is unusual that a NIC "disappears" somehow. Maybe
>there is something wrong with my hardware, but this can always
>happen. I would like to have a secure setup even if there is a
>hardware failure.

Network configuration has bugged me a bit ever since I started using
OpenBSD, not just the real security issue that Harald Dunkel points out
but general ease of administration issues.  For example, on a typical
single-NIC system one ought to be able to set up a standard
configuration and not care which make/model of NIC is installed.

Perhaps most of these issues could be dealt with by changing the network
configuration procedure to have a hierarchy of interface-configuration
files rather than just hostname.<interface-name>.  If hostname.<mac>
were used if the hardware MAC matches, then hostname.<interface-name>,
then (say) hostname.only if there's only one NIC found, the sysadmin
could assign interfaces to groups and use those group names everywhere,
and so not need to use the actual interface names at all.

This appears to be a fairly simple change.  Does it sound reasonable to
people with more knowledge of OpenBSD networking?

        Dave

-- 
Dave Anderson
<[EMAIL PROTECTED]>
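One way to express the lookup hierarchy Dave proposes, as an added example rather than anything OpenBSD's rc scripts actually implement: a shell function that picks the configuration file for a probed interface by hardware address first, by interface name second, and by a hypothetical hostname.only file when exactly one NIC was found. The config directory, the file contents and the hostname.only name are constructed for the demo; the MAC and the em2/em4 names are the ones from the thread.

```shell
#!/bin/sh
# Resolve which hostname.* file should configure an interface, following the
# proposed hierarchy: hostname.<mac> if present, then hostname.<ifname>,
# then hostname.only when exactly one NIC exists.
# Arguments: confdir mac ifname nic_count
# Prints the chosen path; returns 1 (prints nothing) when no file applies.
resolve_hostname_file() {
    confdir=$1; mac=$2; ifname=$3; nic_count=$4
    # Lowercase the MAC so the file name does not depend on dmesg formatting.
    mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
    if [ -f "$confdir/hostname.$mac" ]; then
        printf '%s\n' "$confdir/hostname.$mac"
    elif [ -f "$confdir/hostname.$ifname" ]; then
        printf '%s\n' "$confdir/hostname.$ifname"
    elif [ "$nic_count" -eq 1 ] && [ -f "$confdir/hostname.only" ]; then
        printf '%s\n' "$confdir/hostname.only"
    else
        return 1
    fi
}

# Constructed demo directory (not /etc): the Internet-facing NIC is keyed by
# its MAC and put in group "wan", so PF rules can reference the group name
# instead of whichever emN name the kernel assigns on a given boot.
demo_confdir=$(mktemp -d)
trap 'rm -rf "$demo_confdir"' EXIT
printf 'inet 203.0.113.2 255.255.255.0 NONE\ngroup wan\n' \
    > "$demo_confdir/hostname.00:30:48:d2:9a:06"
printf 'inet 192.0.2.1 255.255.255.0 NONE\ngroup lan\n' \
    > "$demo_confdir/hostname.em2"

# Same NIC probed as em2 on one boot and em4 on the next: the MAC-keyed file
# wins both times, so the interface lands in group "wan" regardless.
for boot_name in em2 em4; do
    printf 'NIC 00:30:48:d2:9a:06 probed as %s -> %s\n' "$boot_name" \
        "$(resolve_hostname_file "$demo_confdir" 00:30:48:d2:9a:06 "$boot_name" 5)"
done
# A NIC with no MAC-keyed file falls back to the name-keyed file.
resolve_hostname_file "$demo_confdir" 00:11:22:33:44:55 em2 5 \
    || echo 'no configuration file for em2'
```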
