From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Extra "Grey" interfaces on IpFire
Date: Wed, 25 Sep 2019 16:37:07 +0100
Message-ID: <D3F991BD-161A-4C8D-B2C1-2B8A585CAFEA@ipfire.org>
In-Reply-To: <20190925171214.9f9f70d0@Orange-Server>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5247745692924778099=="
List-Id: <development.lists.ipfire.org>

--===============5247745692924778099==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi,

> On 25 Sep 2019, at 16:12, Klaus Gimm <teclis22(a)schatten-welt.de> wrote:
>=20
> Dear Michael,
>=20
> thanks for getting back to me.=20
> Right now i am not sure if i saw you post in the german subsection of the i=
pfire Forum hence i stick to english :)=20

Yes, but this list is English only. You also forgot to copy it.

> My use case would look like this:=20
>=20
> I as a <SuperUser in a SOHO environment>
> want to <have the Option to add more physical Interfaces (suggested Name "G=
rey") to the Hardware of the ipfire and configure them via the GUI. I want th=
em to be sperated by the rest of the Networks by Default as a safe area. I wa=
nt the option to configure individually (read as: allow) all offered Services=
 (like DHCP, DNS, Red Access, Port forwarding, etc.) to be accessible from de=
vices in this new physical Network.>.=20
> My intended use is <a safe Network area, to use as a Kind of test lab, wich=
 has Internet Access, but is otherwise entirely seperated from green, blue an=
d orange. There i can try out new Things, products and Setup machines/devices=
 that maybe compromised by a Virus or malware. This works by plug and Play, a=
s the Network ports in the area are connected to their own seperate Switch. T=
he Switch has an uplink to the Grey Interface on the ipfire with in return pr=
ovices red Access, dhcp, etc. >.=20

Why - under any circumstances - would you connect a machine that has malware =
on it to a network?

> Role  Definition "SuperUser":
> Not an full Administrator, but motivated home user. Curious, able to read u=
p on a few wikis and how tos, but 95%windows user. No experince with Linux Sy=
stems or their adminstration. Maintains the other Networks on a rudimentary L=
evel (file Server in green, mail Server in orange and the WDS infrastructure =
in blue).=20
>=20
>=20
> Environment Definition "SoHo":=20
> Approx 10-15 machines in total, with less then 10 active at any given time.=
 A very large home Office.
>=20
>=20
> My personal Setup and reason for asking for this Feature:=20
> I have used IPcop over the years and have my Network set up to ist interace=
s, including Grey. I made the Switch to ipfire due to ipcops end of life. My =
Basement is Setup on a Grey Segment, i have the ports connected to a Switch a=
nd that Switch is connected to the Firewall. there i set up new machines when=
 i Need to do so, reinstall or try to help friends and neighbours with machie=
ns of unknown protection Level and smimilar. I find this Feature to be very H=
andy indeed. And since an ipcop add on exists/existed - i had the high hopes =
it would be possible to Transfer the functionally into ipfire.=20
>=20
>=20
> For a larger Company Network i understand the risk of creating a Singe Poin=
t of failure, but want to put forth that most likely a backup Hardware soluti=
on will be hept  at the ready. In my SoHo Environment that would be less of a=
n issue, while it would certainly suck and blow at the  same time, it would b=
e managable.=20
>=20
> I would apprecaite it if you find the time to look into the matter  if a gu=
i based Feature similar to this use case can be included in ipfire. Even with=
 the Speed drawback (especially when compared to a single Switch with vlans),=
 the ease of use and implementation is worth the trade off.=20

I will definitely not have time to take on this project. We are already years=
 behind with roadmaps of all kinds of projects and I have pledged at the last=
 developer summit to not take on anything else before at least a good number =
of the open things are done.

But I can of course help out and advice.

Best,
-Michael

>=20
> Thanks a lot in advance.
>=20
> yours sincerely,
>=20
> Klaus=20
>=20
>=20
>=20
> ----- Original Message -----
> From: Michael Tremer [mailto:michael.tremer(a)ipfire.org]
> To: Klaus Gimm [mailto:teclis22(a)schatten-welt.de]
> Cc: development(a)lists.ipfire.org
> Subject: Re: Extra "Grey" interfaces on IpFire
>=20
>=20
>> Hi Klaus,
>>=20
>> Thanks for your email.
>>=20
>> First of all, I would like to point out that it might be a very bad idea to
>> add too many interfaces to the firewall. It will make it a big single-point
>> of failure and very often a switch can route traffic between networks much
>> more efficiently. Firewalls are always slow.
>>=20
>> However, you can just add more interfaces on the console and use them in t=
he
>> firewall by creating a subnet.
>>=20
>> What would be your use-case for this?
>>=20
>> -Michael
>>=20
>>> On 24 Sep 2019, at 15:30, Klaus Gimm <teclis22(a)schatten-welt.de> wrote:
>>>=20
>>> Dear Sir or Madam,
>>>=20
>>> as a Long time ipcop user i had installed this add on for a Long time and
>> it
>>> worked great for me:=20
>>>=20
>>> http://www.ban-solms.de/t/IPCop-xtiface.html
>>>=20
>>> After the Switch to Ipfire as the follow-up Project to ipcop i do miss it
>>> dearly.=20
>>>=20
>>>=20
>>> Is it possible to implement this functionality into IpFire? I am
>>> unfortunatley not a developer so i cant adjust the package or redesign it.
>>=20
>>>=20
>>> Is there a ticket somewhere to suggest Features for developement?=20
>>>=20
>>> Thanks a lot in advance.
>>>=20
>>> Yours sincerely
>>>=20
>>> Klaus=20
>>=20
>>=20
>>=20


--===============5247745692924778099==--