[VLAN] VLAN issue - other IP's discovered across VLANS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Just one more question.
In Vlan version history it mentions support for changing MAC. Is that 
recommended to tighten security.
If I apply arp filter on the MAC address, will that not affect all interfaces?
I have also not found a good example of changing MAC in virtual interfaces 
with the vconfig command.

/MartOn


On Friday 10 November 2006 01:31, Peter Stuge wrote:
> On Thu, Nov 09, 2006 at 11:04:19PM +0100, Frode Marton Meling wrote:
> > Hello
> > I have a server setup with the following network config:
> >
> > Default	eth0		- 192.168.100.1 255.255.255.0
> > GW:192.168.100.254
> > VLAN2	eth0.2	- 0.0.0.2 255.255.255.255
> > VLAN3	eth0.3	- 0.0.0.3 255.255.255.255
> > VLAN4	eth0.4	- 0.0.0.4 255.255.255.255
> >
> > The reason for this is that I run VMWare server and the other VLANS
> > are used by the VMWare server.. Without setting any IP, I got
> > errors..
>
> That should not happen. It's perfectly legal to not have an IP
> address configured on an interface, and if you're bridging it may
> even interfere.
>
> > I have a VLAN truck from my HP-managed switch. All VLANS tagged
> > except Default VLAN (I have tried this with tagging on Default
> > VLAN also).
>
> Default VLAN or the native VLAN is untagged by definition, right?
>
> > If I add my linux desktop to VLAN4 and do a netdiscover, it will
> > find the 192.168.100.1 (I can not access it, but since it is
> > detectable from outside, it is a risk).
>
> I'm not sure I agree with your risk analysis, but let's stick to the
> point:
>
> netdiscover floods ARP requests for all private IP addresses. Your
> Linux VLAN box replies even though the request is coming in on a
> interface with a different address than the one in the request. Linux
> does this by default.
>
> Read more about rp_filter and arp_filter in
> /usr/src/linux/Documentation/networking/ip-sysctl.txt or consider
> implementing firewall rules to ensure your system behaves as
> intended.
>
> Hope this helps!
>
>
> //Peter
> _______________________________________________
> Vlan mailing list
> Vlan@xxxxxxxxxxxxxxx
> http://www.candelatech.com/mailman/listinfo/vlan
[Index of Archives]     [Netdev]     [Ethernet Bridging]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]     [Video 4 Linux]

  Powered by Linux