Re: [gentoo-user] ebtables on Gentoo?
On 30/01/13 05:14, Kevin Chadwick wrote:
>> So anyway, my memory of this is all very wishy-washy, but ebtables
>> turned out to be the best way to implement those inter-VM restrictions.
>> It could probably have been done in iptables, but ebtables made it easy
>> to say "don't let these two talk."
>
> I don't know the details but I expect that would be a false sense of
> security and that you would want a secure switch or ssh or ipsec.
>

Put each vm into its own private vlan and use a firewall on the host to control traffic between them ... seems a better way to go!

BillK
Re: [gentoo-user] ebtables on Gentoo?
> So anyway, my memory of this is all very wishy-washy, but ebtables
> turned out to be the best way to implement those inter-VM restrictions.
> It could probably have been done in iptables, but ebtables made it easy
> to say "don't let these two talk."

I don't know the details but I expect that would be a false sense of security and that you would want a secure switch or ssh or ipsec.

--
___
'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy)
___
Re: [gentoo-user] ebtables on Gentoo?
On 01/29/2013 09:45 AM, James wrote:
> Hello,
>
> From here: http://ebtables.sourceforge.net/
>
> We read:
> The ebtables tool can be combined with the other Linux filtering tools
> (iptables, ip6tables and arptables) to make a bridging firewall that is also
> capable of filtering these higher network layers. This is enabled through the
> bridge-netfilter architecture which is a part of the standard Linux kernel.
>
> Can someone explain to me when/how you would use ebtables
> for enhanced security, or forward me to a good written
> presentation on when, why or how to deploy ebtables?
> Maybe a package already blends these components together?
> I recently saw ebtables pop up in a commercial product
> ( sniffed terminal boot session) offered by Siemens..
>

tl;dr ebtables makes it easy to isolate your interfaces in an unsafe environment.

This was over a year ago, and the project fell through, so this is just from memory:

We were planning on hosting a very insecure electronic health thingy that "needs to run on a server" (if you want support). The doctors who use it don't have the expertise to maintain it, and the people who sell it didn't have the expertise to do much of anything in my opinion.

Since it was "just" a java web application, the servers didn't need to be powerful. But for HIPAA (and my own peace of mind) we wanted the servers to be as isolated as possible. We decided on using KVM virtual machines, each bridged through to its own public IP address on the host.

For preventing *external* traffic, iptables is fine. We obviously don't want the RDP ports open to the world, for example. But how do we prevent one VM instance from communicating with another? One doctor's office shouldn't be able to connect to another office's server. If Dr. Foo notices that he can crash his application by entering nonsense into the login form, then he might suppose that he could crash Dr. Bar's application by doing the same thing.

So anyway, my memory of this is all very wishy-washy, but ebtables turned out to be the best way to implement those inter-VM restrictions. It could probably have been done in iptables, but ebtables made it easy to say "don't let these two talk."
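As an added example (not from the thread, and not ebtables' own documentation): one way to express the "don't let these two talk" rule on a host that bridges several KVM guests, as described in the message above. It assumes a bridge with uplink eth0 and guest taps tap0, tap1, tap2 (all assumed names); the script generates the rule set and includes a small first-match simulator so the isolation can be checked before it is applied with ebtables.

```shell
#!/bin/sh
# Added example, not from the thread: isolate KVM guests that share one Linux
# bridge so each guest can reach the uplink (and the world) but never a
# sibling guest. Assumed names: uplink eth0 and guest taps tap0 tap1 tap2;
# adjust to the host's real interfaces.
UPLINK=${UPLINK:-eth0}
TAPS=${TAPS:-"tap0 tap1 tap2"}

# Print the ebtables commands for one uplink and any number of guest taps.
# Generating rather than applying lets the rule set be reviewed first.
gen_isolation_rules() {
    uplink=$1; shift
    # Flush, then drop every bridged frame unless a rule below accepts it.
    echo "ebtables -F FORWARD"
    echo "ebtables -P FORWARD DROP"
    for tap in "$@"; do
        # Only guest <-> uplink is permitted. The FORWARD chain is evaluated
        # once per output port, so a broadcast from tap0 still reaches eth0
        # but its copies towards tap1/tap2 fall through to the DROP policy.
        echo "ebtables -A FORWARD -i $tap -o $uplink -j ACCEPT"
        echo "ebtables -A FORWARD -i $uplink -o $tap -j ACCEPT"
    done
    # Log whatever falls through so guest-to-guest attempts show up in syslog.
    echo "ebtables -A FORWARD --log-level info --log-prefix \"vm-isolation: \" -j DROP"
}

# Predict the verdict for a frame entering on $2 and leaving on $3, by walking
# the generated rules in order (first match wins, otherwise the chain policy).
verdict() {
    uplink=$1; iface_in=$2; iface_out=$3; shift 3
    gen_isolation_rules "$uplink" "$@" | {
        policy=DROP
        while read -r line; do
            case "$line" in
                *" -P FORWARD "*)                    policy=${line##* } ;;
                *" -i $iface_in -o $iface_out -j "*) policy=${line##*-j }; break ;;
                *" --log-prefix "*" -j DROP")        policy=DROP; break ;;
            esac
        done
        echo "$policy"
    }
}

case "${1:-show}" in
    show)  gen_isolation_rules "$UPLINK" $TAPS ;;
    apply) gen_isolation_rules "$UPLINK" $TAPS | sh -e ;;  # root + net-firewall/ebtables
esac
```

Run it with `show` to review the rules and `apply` as root to load them; `ebtables -L FORWARD` afterwards should list exactly the accepted guest/uplink pairs followed by the logging drop.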
Re: [gentoo-user] ebtables on Gentoo?
On Tue, Jan 29, 2013 at 9:45 AM, James wrote:
> Hello,
>
> From here: http://ebtables.sourceforge.net/
>
> We read:
> The ebtables tool can be combined with the other Linux filtering tools
> (iptables, ip6tables and arptables) to make a bridging firewall that is also
> capable of filtering these higher network layers. This is enabled through the
> bridge-netfilter architecture which is a part of the standard Linux kernel.
>
> Can someone explain to me when/how you would use ebtables
> for enhanced security, or forward me to a good written
> presentation on when, why or how to deploy ebtables?
> Maybe a package already blends these components together?
> I recently saw ebtables pop up in a commercial product
> ( sniffed terminal boot session) offered by Siemens..
>
> Of keen interest is documentation/experiences on the
> Gentoo platform when using ebtables. Googling has provided little.
>
> curiously,
> James
>

iptables and ip6tables operate at the data layer, layer 3. ebtables operates at the link layer, layer 2.

This is really the best explanation I can offer, as I haven't used ebtables myself:

http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg

--
:wq
[gentoo-user] ebtables on Gentoo?
Hello,

From here: http://ebtables.sourceforge.net/

We read:
The ebtables tool can be combined with the other Linux filtering tools (iptables, ip6tables and arptables) to make a bridging firewall that is also capable of filtering these higher network layers. This is enabled through the bridge-netfilter architecture which is a part of the standard Linux kernel.

Can someone explain to me when/how you would use ebtables for enhanced security, or forward me to a good written presentation on when, why or how to deploy ebtables? Maybe a package already blends these components together? I recently saw ebtables pop up in a commercial product ( sniffed terminal boot session) offered by Siemens..

Of keen interest is documentation/experiences on the Gentoo platform when using ebtables. Googling has provided little.

curiously,
James