* [gentoo-user] ebtables on Gentoo?
From: James @ 2013-01-29 14:45 UTC
To: gentoo-user
Hello,
From here: http://ebtables.sourceforge.net/
We read:
The ebtables tool can be combined with the other Linux filtering tools
(iptables, ip6tables and arptables) to make a bridging firewall that is also
capable of filtering these higher network layers. This is enabled through the
bridge-netfilter architecture which is a part of the standard Linux kernel.
Can someone explain to me when/how you would use ebtables
for enhanced security, or forward me to a good written
presentation on when, why or how to deploy ebtables?
Maybe a package already blends these components together?
I recently saw ebtables pop up in a commercial product
(sniffed terminal boot session) offered by Siemens...
Of keen interest is documentation/experiences on the
Gentoo platform when using ebtables. Googling has provided little.
curiously,
James
* Re: [gentoo-user] ebtables on Gentoo?
From: Michael Mol @ 2013-01-29 17:15 UTC
To: gentoo-user
On Tue, Jan 29, 2013 at 9:45 AM, James <wireless@tampabay.rr.com> wrote:
> Hello,
>
> From here: http://ebtables.sourceforge.net/
>
> We read:
> The ebtables tool can be combined with the other Linux filtering tools
> (iptables, ip6tables and arptables) to make a bridging firewall that is also
> capable of filtering these higher network layers. This is enabled through the
> bridge-netfilter architecture which is a part of the standard Linux kernel.
>
> Can someone explain to me when/how you would use ebtables
> for enhanced security, or forward me to a good written
> presentation on when, why or how to deploy ebtables?
> Maybe a package already blends these components together?
> I recently saw ebtables pop up in a commercial product
> (sniffed terminal boot session) offered by Siemens...
>
> Of keen interest is documentation/experiences on the
> Gentoo platform when using ebtables. Googling has provided little.
>
> curiously,
> James
iptables and ip6tables operate at the data layer, layer 3.
ebtables operates at the link layer, layer 2.
This is really the best explanation I can offer, as I haven't used
ebtables myself:
http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
--
:wq
* [gentoo-user] Re: ebtables on Gentoo?
From: James @ 2013-01-29 18:03 UTC
To: gentoo-user
Michael Mol <mikemol <at> gmail.com> writes:
> iptables and ip6tables operate at the data layer, layer 3.
> ebtables operates at the link layer, layer 2.
> http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
Nice diagram.....
I'm surveying what's new/available for wired and wireless networks.
Both to secure them and then analyze both sides of the interface.
http://airmagnet.flukenetworks.com/products/demo/
I did find this android app for simple problem resolution:
http://a.farproc.com/wifi-analyzer
thx,
james
* Re: [gentoo-user] ebtables on Gentoo?
From: Michael Orlitzky @ 2013-01-29 18:24 UTC
To: gentoo-user
On 01/29/2013 09:45 AM, James wrote:
> Hello,
>
> From here: http://ebtables.sourceforge.net/
>
> We read:
> The ebtables tool can be combined with the other Linux filtering tools
> (iptables, ip6tables and arptables) to make a bridging firewall that is also
> capable of filtering these higher network layers. This is enabled through the
> bridge-netfilter architecture which is a part of the standard Linux kernel.
>
> Can someone explain to me when/how you would use ebtables
> for enhanced security, or forward me to a good written
> presentation on when, why or how to deploy ebtables?
> Maybe a package already blends these components together?
> I recently saw ebtables pop up in a commercial product
> (sniffed terminal boot session) offered by Siemens...
>
tl;dr ebtables makes it easy to isolate your interfaces in an unsafe
environment.
This was over a year ago, and the project fell through, so this is just
from memory:
We were planning on hosting a very insecure electronic health thingy
that "needs to run on a server" (if you want support). The doctors who
use it don't have the expertise to maintain it, and the people who sell
it didn't have the expertise to do much of anything in my opinion.
Since it was "just" a java web application, the servers didn't need to
be powerful. But for HIPAA (and my own peace of mind) we wanted the
servers to be as isolated as possible. We decided on using KVM virtual
machines, each bridged through to its own public IP address on the host.
For preventing *external* traffic, iptables is fine. We obviously don't
want the RDP ports open to the world, for example. But how do we prevent
one VM instance from communicating with another? One doctor's office
shouldn't be able to connect to another office's server. If Dr. Foo
notices that he can crash his application by entering nonsense into the
login form, then he might suppose that he could crash Dr. Bar's
application by doing the same thing.
So anyway, my memory of this is all very wishy-washy, but ebtables
turned out to be the best way to implement those inter-VM restrictions.
It could probably have been done in iptables, but ebtables made it easy
to say "don't let these two talk."
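Added example, not code from the thread or from any of its posters: a shell script that implements the "don't let these two talk" isolation Michael describes with ebtables FORWARD rules, assuming a host bridge br0 whose ports are the uplink eth0 and one tap vnetN per KVM guest (interface names and guest MACs are assumptions).

```shell
#!/bin/sh
# Added example, not code from the thread: ebtables rules that stop KVM guests
# sharing one host bridge from talking to each other at layer 2 while each
# guest still reaches the uplink.
# Assumed layout: uplink eth0 and every guest tap vnetN are ports of br0.
# Interface names and guest MACs are assumptions. EBTABLES=echo dry-runs.
EBTABLES="${EBTABLES:-ebtables}"
UPLINK="${UPLINK:-eth0}"
GUEST_PREFIX="${GUEST_PREFIX:-vnet}"   # ebtables matches "vnet+" as a prefix

# Bridged frames traverse the ebtables FORWARD chain once per output port,
# so a broadcast from vnet0 is judged separately for eth0 (accepted) and
# for vnet1 (falls through to the DROP policy).
isolate_guests() {
    "$EBTABLES" -F FORWARD
    "$EBTABLES" -P FORWARD DROP
    "$EBTABLES" -A FORWARD -i "$UPLINK" -o "${GUEST_PREFIX}+" -j ACCEPT
    "$EBTABLES" -A FORWARD -i "${GUEST_PREFIX}+" -o "$UPLINK" -j ACCEPT
    # guest -> guest matches neither rule and is dropped by the policy
}

# Pin the only source MAC a guest port may emit, inserted ahead of the ACCEPT
# rules, so a guest cannot impersonate another guest or the gateway.
# Usage: pin_guest_mac vnet0 52:54:00:aa:bb:01
pin_guest_mac() {
    "$EBTABLES" -I FORWARD 1 -i "$1" -s '!' "$2" -j DROP
}

# Caveat: a frame a guest sends to the upstream router that the router then
# relays back down eth0 to another guest arrives with -i eth0 and is accepted;
# layer-2 isolation on the host does not replace filtering at the router.

# Apply only when explicitly asked (needs root and a bridge on the host).
if [ "${1:-}" = "apply" ]; then
    isolate_guests
    pin_guest_mac vnet0 52:54:00:aa:bb:01   # constructed sample MACs
    pin_guest_mac vnet1 52:54:00:aa:bb:02
fi
```

Run with `EBTABLES=echo sh isolate.sh apply` to review the generated rules before applying them as root.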
* Re: [gentoo-user] ebtables on Gentoo?
From: Kevin Chadwick @ 2013-01-29 21:14 UTC
To: gentoo-user
> So anyway, my memory of this is all very wishy-washy, but ebtables
> turned out to be the best way to implement those inter-VM restrictions.
> It could probably have been done in iptables, but ebtables made it easy
> to say "don't let these two talk."
I don't know the details but I expect that would be a false sense of
security and that you would want a secure switch or ssh or ipsec.
--
_______________________________________________________________________
'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'
(Doug McIlroy)
_______________________________________________________________________
* Re: [gentoo-user] ebtables on Gentoo?
From: William Kenworthy @ 2013-01-29 22:21 UTC
To: gentoo-user
On 30/01/13 05:14, Kevin Chadwick wrote:
>> So anyway, my memory of this is all very wishy-washy, but ebtables
>> turned out to be the best way to implement those inter-VM restrictions.
>> It could probably have been done in iptables, but ebtables made it easy
>> to say "don't let these two talk."
>
> I don't know the details but I expect that would be a false sense of
> security and that you would want a secure switch or ssh or ipsec.
>
Put each vm into its own private vlan and use a firewall on the host to
control traffic between them ... seems a better way to go!
BillK