OpenBSD Installation and Upgrading: Installing and upgrading OpenBSD

Bind NIC/MAC to interface name
Hello,
I am new to OpenBSD (5.4), I have a little experience with Linux and want to make my new firewall with BSD and pf. Under Linux there was the possibility to bind a MAC address with /etc/udev/rules.d/70-persistent-net.rules to an interface name. Do you know where I can find this in OpenBSD or how I can do this? Thank you, kind regards, Lars
Last edited by J65nko; 11th November 2014 at 03:42 AM. Reason: changed inteface to interface :)
|
The lladdr option in ifconfig(8) may be what you are searching for...
Last edited by ocicat; 10th November 2014 at 06:21 AM. Reason: grammar
|
I will add that under Linux, this can make it problematic when moving a drive to a new machine. For example, in FreeBSD (I realize you're discussing open, but I think it's similar), the name depends upon the brand of NIC; for example, I think Broadcom is bge (I could be wrong, but let's say that's true). If I move the drive to new hardware, it should boot and any complex network configs should remain in place; if it's a non-Broadcom NIC, I'll rename it from bge0 to whatever.
In contrast, if you move a drive from a RedHat-based machine to a new machine, networking will have to be redone in udev and /etc/sysconfig/networking-scripts (or it will create new devices). The binding of the name to the MAC (and, these days, in CentOS and Fedora at least, a long UUID) is not an advantage to the sysadmin, in my less than humble opinion.
|
Hi,
thank you for the answers/welcome. The lladdr option could be a solution, I will check this. I have the following situation: 3 external interfaces (MAC/IP) and one to the DMZ. All interfaces are from the same manufacturer. The rules are very different for each interface, so I have to be sure that, for example, fxp3 will always be fxp3. But if I remove one of these cards, a renumbering will happen. Example: if I remove fxp2, then fxp3 will get fxp2, which is not good. The rules for fxp2 will then be on the interface which should be fxp3 :-( Maybe I configured something wrong, but in my OpenBSD installation the interface names are numbered through hardware order.
|
Hello, and welcome!
We manage this through awareness, through the use of the ifconfig(8) description option in hostname.if(5) files, and through the use of macros in pf.conf(5) and other network provisioning files.
Last edited by jggimi; 10th November 2014 at 01:56 PM. Reason: clarity
|
The lladdr option of ifconfig is for changing the MAC address. I don't think that's what the OP wanted to do, rather he wanted a given NIC (with a given MAC) to be assigned an interface name of his choice, without that assignment changing under certain hardware changes.
Last edited by IdOp; 10th November 2014 at 05:38 PM. Reason: clarity
|
Hi lars_d,
As Ocicat suggested, I think that the best way to prevent issues with pf and interface renaming is to use the group feature offered by ifconfig(8). You will find all details in the manpage. But to summarize, this feature allows you to place each of your NICs in one or more groups (i.e. dmz, priv, etc.), then you just have to use this group name in your pf.conf ruleset instead of the regular interface name. So it's not exactly the same thing as the Linux relation between the MAC address and the OS's interface name, but it's far more powerful! I use it every day in order to easily export my ruleset onto different systems.
|
Hi,
thanks for the answers and the pointer to groups and ifconfig(8). What I read for now is that "the group function" is meant to bundle interfaces of a specific type into a group. Maybe not what I need, because to my shame I have forgotten to mention a few facts: my ISP does provide me static IPs through DHCP in conjunction with the MAC address. So I want to serve two external DNS nameservers with 2 different IPs and also my webserver to the internet with another IP. All servers are in a DMZ, so my plan was to use as external firewall a BSD machine with 4 interfaces, 3 external and one internal (DMZ). But my latest guess was that I will need more internal interfaces in case of difficult routing or more firewall machines. Another point.... For interface groups: for me it is still not clear how I can be sure that an interface (for example fxp2) is not exchanged with another MAC/IP due to renumbering, even if it belongs to a group? So if MAC/IP 1 on fxp2 belongs to group DNS1 and MAC/IP 2 on fxp3 belongs to group DNS2, how can I be sure that if I remove fxp2 from the machine, fxp3 will not get fxp2 and then belong to group DNS1? OK, not a problem if DNS1 and DNS2 provide the same namespace, but if not... Is awareness or the lladdr option the only solution? Maybe I missed the point in the manpage of ifconfig. kind regards
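One way to combine the interface-group approach from the previous answer with the MAC check asked about here, as an added example that is not from anyone in this thread: each group is keyed on the card's lladdr rather than its fxpN number, so the group (and the pf rules that reference it) follows the card even after a renumbering. The MAC addresses, the sample ifconfig output and the suggestion to run it from /etc/rc.local are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from anyone in this thread): resolve OpenBSD interface
# names from their MAC addresses (the "lladdr" line of ifconfig output) and
# emit the ifconfig(8) group commands, so pf rules written against the group
# keep pointing at the right card even if the kernel renumbers fxpN.

# Constructed sample of `ifconfig -a` output. On a real firewall, replace
# this with: IFCONFIG_OUT=$(ifconfig -a)
IFCONFIG_OUT='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:22:33:44:01
        inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:22:33:44:02
fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:22:33:44:03'

# Role (interface group) and the MAC the ISP tied each static IP to.
# Hypothetical MACs, constructed for the example.
GROUP_MACS='dns1 00:11:22:33:44:01
dns2 00:11:22:33:44:02
web 00:11:22:33:44:03'

# iface_for_mac MAC: print the interface whose lladdr matches, or nothing.
iface_for_mac() {
    printf '%s\n' "$IFCONFIG_OUT" | awk -v want="$1" '
        /^[a-z]+[0-9]+:/ { sub(":", "", $1); cur = $1 }
        $1 == "lladdr" && tolower($2) == tolower(want) { print cur; exit }'
}

# group_commands: one "ifconfig IF group GROUP" line per role. Run the output
# from /etc/rc.local (or, once checked, put "group dns1" into the matching
# hostname.if file); pf.conf then says "pass in on dns1 ..." instead of fxp2.
group_commands() {
    printf '%s\n' "$GROUP_MACS" | while read -r grp mac; do
        ifn=$(iface_for_mac "$mac")
        if [ -n "$ifn" ]; then
            printf 'ifconfig %s group %s\n' "$ifn" "$grp"
        else
            # Card missing or replaced: say so rather than silently skipping.
            printf '# no interface with lladdr %s for group %s\n' "$mac" "$grp" >&2
        fi
    done
}

group_commands
```

A card that is pulled simply produces a warning on stderr instead of its group landing on the next card in probe order.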
|
Your idea of two firewalls is fairly common. Those solutions often look something like this:
Code:
    {Internet} - [fw1] - [DMZ servers] - [fw2] - [inner servers/workstations]
And of course, fw1 would need a static route added to reach the inner subnet. The DMZ servers do not require the route added to their routing tables, but it would reduce traffic on the DMZ if they also had that route added, since they would otherwise have to route their traffic to the inner network through fw1 first.
Last edited by jggimi; 12th November 2014 at 10:59 AM. Reason: clarity, structure, and two typos
|
More on switches...
My home network has two firewalls and three switches, with a single ISP.
The ISP's gateway is connected to the outer switch:
Code:
    {Internet} - [DOCSIS 3.0 modem] - [outer switch]
Code:
    [outer switch] - {firewalls} - [inner switch]
Code:
    [inner switch] - {workstations and WiFi AP} - [living room switch] - {TV, media players}