* Re: Extra "Grey" interfaces on IpFire
From: Michael Tremer @ 2019-09-25 15:37 UTC
To: development
Hi,
> On 25 Sep 2019, at 16:12, Klaus Gimm <teclis22(a)schatten-welt.de> wrote:
>
> Dear Michael,
>
> thanks for getting back to me.
> Right now I am not sure if I saw you post in the German subsection of the IPFire forum, hence I stick to English :)
Yes, but this list is English only. You also forgot to copy it.
> My use case would look like this:
>
> I as a <SuperUser in a SOHO environment>
> want to <have the option to add more physical interfaces (suggested name "Grey") to the hardware of the IPFire and configure them via the GUI. I want them to be separated from the rest of the networks by default as a safe area. I want the option to configure individually (read as: allow) all offered services (like DHCP, DNS, Red access, port forwarding, etc.) to be accessible from devices in this new physical network.>.
> My intended use is <a safe network area, to use as a kind of test lab, which has Internet access, but is otherwise entirely separated from green, blue and orange. There I can try out new things, products and set up machines/devices that may be compromised by a virus or malware. This works by plug and play, as the network ports in the area are connected to their own separate switch. The switch has an uplink to the Grey interface on the IPFire, which in return provides red access, DHCP, etc.>.
Why - under any circumstances - would you connect a machine that has malware on it to a network?
> Role Definition "SuperUser":
> Not a full administrator, but motivated home user. Curious, able to read up on a few wikis and how-tos, but 95% Windows user. No experience with Linux systems or their administration. Maintains the other networks on a rudimentary level (file server in green, mail server in orange and the WDS infrastructure in blue).
>
>
> Environment Definition "SoHo":
> Approx. 10-15 machines in total, with less than 10 active at any given time. A very large home office.
>
>
> My personal Setup and reason for asking for this Feature:
> I have used IPCop over the years and have my network set up to its interfaces, including Grey. I made the switch to IPFire due to IPCop's end of life. My basement is set up on a Grey segment; I have the ports connected to a switch and that switch is connected to the firewall. There I set up new machines when I need to do so, reinstall or try to help friends and neighbours with machines of unknown protection level and similar. I find this feature to be very handy indeed. And since an IPCop add-on exists/existed, I had high hopes it would be possible to transfer the functionality into IPFire.
>
>
> For a larger company network I understand the risk of creating a single point of failure, but want to put forth that most likely a backup hardware solution will be kept at the ready. In my SoHo environment that would be less of an issue; while it would certainly suck and blow at the same time, it would be manageable.
>
> I would appreciate it if you find the time to look into the matter if a GUI-based feature similar to this use case can be included in IPFire. Even with the speed drawback (especially when compared to a single switch with VLANs), the ease of use and implementation is worth the trade-off.
I will definitely not have time to take on this project. We are already years behind with roadmaps of all kinds of projects and I have pledged at the last developer summit to not take on anything else before at least a good number of the open things are done.
But I can of course help out and advise.
Best,
-Michael
>
> Thanks a lot in advance.
>
> yours sincerely,
>
> Klaus
>
>
>
> ----- Original Message -----
> From: Michael Tremer [mailto:michael.tremer(a)ipfire.org]
> To: Klaus Gimm [mailto:teclis22(a)schatten-welt.de]
> Cc: development(a)lists.ipfire.org
> Subject: Re: Extra "Grey" interfaces on IpFire
>
>
>> Hi Klaus,
>>
>> Thanks for your email.
>>
>> First of all, I would like to point out that it might be a very bad idea to
>> add too many interfaces to the firewall. It will make it a big single-point
>> of failure and very often a switch can route traffic between networks much
>> more efficiently. Firewalls are always slow.
>>
>> However, you can just add more interfaces on the console and use them in the
>> firewall by creating a subnet.
>>
>> What would be your use-case for this?
>>
>> -Michael
>>
>>> On 24 Sep 2019, at 15:30, Klaus Gimm <teclis22(a)schatten-welt.de> wrote:
>>>
>>> Dear Sir or Madam,
>>>
>>> as a long-time IPCop user I had installed this add-on for a long time and it
>>> worked great for me:
>>>
>>> http://www.ban-solms.de/t/IPCop-xtiface.html
>>>
>>> After the switch to IPFire as the follow-up project to IPCop I do miss it
>>> dearly.
>>>
>>>
>>> Is it possible to implement this functionality into IPFire? I am
>>> unfortunately not a developer so I can't adjust the package or redesign it.
>>>
>>> Is there a ticket somewhere to suggest features for development?
>>>
>>> Thanks a lot in advance.
>>>
>>> Yours sincerely
>>>
>>> Klaus
>>
>>
>>
* AW: Extra "Grey" interfaces on IpFire
From: KMG @ 2019-09-25 22:27 UTC
To: development
Hi there,
>Yes, but this list is English only. You also forgot to copy it.
Fixed now. Thanks for the hint. Never used mailing lists much :/
> Why - under any circumstances - would you connect a machine that has
> malware on it to a network?
Since the networks are entirely separated due to the firewall. I really
just need the web access. A 2nd ISP contract is not an option unfortunately.
> I will definitely not have time to take on this project. We are already
> years behind with roadmaps of all kinds of projects and I have pledged at
> the last developer summit to not take on anything else before at least a
> good number of the open things are done.
Wow. Wasn't aware of such a long to-do list. You guys do great though.
Considering it is all in addition to your day job. I can't even manage to
maintain a gym membership.
> But I can of course help out and advise.
Thanks a lot for your assistance. I will start reading up on the subnets or
maybe I can use VLANs to get the functionality going.
Best regards
Klaus
* Re: Extra "Grey" interfaces on IpFire
From: Michael Tremer @ 2019-10-01 13:03 UTC
To: development
Hi,
> On 25 Sep 2019, at 23:27, KMG <teclis22(a)schatten-welt.de> wrote:
>
> Hi there,
>
>> Yes, but this list is English only. You also forgot to copy it.
>
> Fixed now. Thanks for the hint. Never used mailing lists much :/
>
>> Why - under any circumstances - would you connect a machine that has
>> malware on it to a network?
>
> Since the networks are entirely separated due to the firewall. I really
> just need the web access. A 2nd ISP contract is not an option unfortunately.
No, my point rather is that you are protecting your own network but exposing other hosts on the internet to this threat.
>
>> I will definitely not have time to take on this project. We are already
>> years behind with roadmaps of all kinds of projects and I have pledged at
>> the last developer summit to not take on anything else before at least a
>> good number of the open things are done.
>
> Wow. Wasn't aware of such a long to-do list. You guys do great though.
> Considering it is all in addition to your day job. I can't even manage to
> maintain a gym membership.
LOL
>> But I can of course help out and advise.
>
> Thanks a lot for your assistance. I will start reading up on the subnets or
> maybe I can use VLANs to get the functionality going.
Let’s build this. I think it makes sense...
>
> Best regards
>
> Klaus