From owner-freebsd-net@FreeBSD.ORG Fri Sep 3 19:55:40 2004
From: Charles Swiger
Date: Fri, 3 Sep 2004 15:55:36 -0400
To: RRrp Toren
cc: freebsd-net@freebsd.org
Subject: Re: 3 NICs - 1 upstream, 2 downstream to same subnet??
Message-Id: <391BC614-FDE3-11D8-896C-003065ABFD92@mac.com>
In-Reply-To: <41384D4C.9030209@bronzedragon.net>
References: <413763C1.90208@bronzedragon.net> <1B4160E2-FD0E-11D8-A54A-003065A20588@mac.com> <41384D4C.9030209@bronzedragon.net>
List-Id: Networking and TCP/IP with FreeBSD

On Sep 3, 2004, at 6:54 AM, RRrp Toren wrote:

>> What you're trying to do won't actually give you much benefit to
>> security: someone who wants to break in doesn't have to pay attention
>> to the DHCP lease you give them, they can just assign themselves a
>> good 10.0.0.x address.

> I am not a believer in the idea that the only good solution is the
> 100% solution. I like the multi-layering of 80% solutions.

That's fine. There are plenty of cases where a perfect solution does not
exist, but an OK solution is good enough to still be worthwhile.
However...

> The IP addresses here were picked for demonstration purposes. The
> actual set can come from anywhere within the RFC 1918 network
> numbers. So picking a good IP the 1st time, in the blind, is like
> shooting a bullseye on the first shot in a pitch-black range you just
> stepped into.

...someone who can see the traffic going by using packet sniffing doesn't
have to guess blindly. And it's not just spoofing IP addrs that is
possible, it is entirely possible to spoof a valid MAC address, *IF* the
bad guys can see 'em.

>> The second problem you are having is that you can't have two NICs on
>> the same subnet. The routing table needs interfaces to be unique so
>> it doesn't have to guess which route should be used.

> If this is a FreeBSD implementation restriction, then so be it. I
> have always thought routers could service a large subnet with multiple
> interfaces. And that FreeBSD could be configured as a router.

A normal router, i.e. one using the standard routing table semantics, only
has one interface per subnet, and each subnet ought to be disjoint. Many
systems besides FreeBSD implement the same restriction but simply ignore a
second NIC, or treat it and any IP configured on it the way they would
handle configuring a virtual interface on the first NIC with a second IP.

FreeBSD also supports more complicated routing protocols that support
multiple redundant paths, dynamic routing, policy-based routing rather
than having the destination be the only variable when making routing
decisions, etc.-- using software like gated, zebra, quagga, or even IPFW
fwd statements. Few people have a complex network topology which needs
to use such things, and static routing or RIPv1/2 serves most people just
fine.

-- 
-Chuck
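The point Chuck makes about routing-table semantics, as an added toy model (not code from the thread or from FreeBSD): a destination-only longest-prefix-match table has no way to choose between two interfaces on the same prefix, so it rejects the second one, while a policy table that also keys on the source address can split one subnet across two NICs. Interface names em0/em1/em2 and the 10.0.0.0/24 and 192.0.2.0/24 prefixes are constructed for the example.

```python
import ipaddress

class RoutingTable:
    """Destination-only longest-prefix-match table: one interface per prefix."""
    def __init__(self):
        self.routes = {}  # ip_network -> interface name
    def add(self, prefix, iface):
        net = ipaddress.ip_network(prefix, strict=False)
        if net in self.routes and self.routes[net] != iface:
            # A second NIC on the same subnet leaves the lookup no way to choose.
            raise ValueError(f"{net} is already reachable via {self.routes[net]}")
        self.routes[net] = iface
    def lookup(self, dst, src=None):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, iface in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

class PolicyRoutingTable(RoutingTable):
    """Source-based rules consulted before the destination table, a toy stand-in
    for the policy-based routing the mail mentions (e.g. ipfw fwd)."""
    def __init__(self):
        super().__init__()
        self.policies = []  # (source ip_network, interface name)
    def add_policy(self, src_prefix, iface):
        self.policies.append((ipaddress.ip_network(src_prefix, strict=False), iface))
    def lookup(self, dst, src=None):
        if src is not None:
            saddr = ipaddress.ip_address(src)
            for net, iface in self.policies:
                if saddr in net:
                    return iface
        return super().lookup(dst, src)

def demo():
    """Constructed three-NIC box: em0 upstream, em1 and em2 both on 10.0.0.0/24."""
    rt = RoutingTable()
    rt.add("192.0.2.0/24", "em0")
    rt.add("10.0.0.0/24", "em1")
    try:
        rt.add("10.0.0.0/24", "em2")   # rejected: same subnet, second interface
        rejected = False
    except ValueError:
        rejected = True
    prt = PolicyRoutingTable()
    prt.add("10.0.0.0/24", "em1")
    prt.add_policy("10.0.0.128/25", "em2")  # packets *from* the upper half leave via em2
    return rejected, rt.lookup("10.0.0.5"), prt.lookup("10.0.0.5", src="10.0.0.200"), prt.lookup("10.0.0.5", src="10.0.0.7")
```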