From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Extra "Grey" interfaces on IpFire
Date: Tue, 01 Oct 2019 14:03:47 +0100
Message-ID: <DABB013B-4198-47C7-81BD-F56CECFBD278@ipfire.org>
In-Reply-To: <002601d573f0$5dfa07b0$19ee1710$@schatten-welt.de>
Hi,
> On 25 Sep 2019, at 23:27, KMG <teclis22(a)schatten-welt.de> wrote:
>
> Hi there,
>
>> Yes, but this list is English only. You also forgot to copy it.
>
> Fixed now. Thanks for the hint. Never used mailing lists much :/
>
>> Why - under any circumstances - would you connect a machine that has
>> malware on it to a network?
>
> Since the networks are entirely separated due to the firewall. I really
> just need the web access. A 2nd ISP contract is not an option unfortunately.
No my point rather is that you are protecting your own network but exposing other hosts on the internet to this threat.
>
>> I will definitely not have time to take on this project. We are already
>> years behind with roadmaps of all kinds of projects and I have pledged at
>> the last developer summit to not take on anything else before at least a
>> good number of the open things are done.
>
> Wow. Wasn't aware of such a long to-do list. You guys do great though.
> Considering it is all in addition to your day job. I can't even manage to
> maintain a gym membership.
LOL
>> But I can of course help out and advise.
>
> Thanks a lot for your assistance. I will start reading up on the subnets or
> maybe I can use VLANs to get the functionality going.
Let’s build this. I think it makes sense...
>
> Best regards
>
> Klaus
>
> -----Original Message-----
> From: Michael Tremer <michael.tremer(a)ipfire.org>
> Sent: Wednesday, 25 September 2019 17:37
> To: Klaus Gimm <teclis22(a)schatten-welt.de>
> Cc: development <development(a)lists.ipfire.org>
> Subject: Re: Extra "Grey" interfaces on IpFire
>
> Hi,
>
>> On 25 Sep 2019, at 16:12, Klaus Gimm <teclis22(a)schatten-welt.de> wrote:
>>
>> Dear Michael,
>>
>> thanks for getting back to me.
>> Right now I am not sure if I saw you post in the German subsection of
>> the IPFire forum, hence I stick to English :)
>
> Yes, but this list is English only. You also forgot to copy it.
>
>> My use case would look like this:
>>
>> I as a <SuperUser in a SOHO environment> want to <have the option to
>> add more physical interfaces (suggested name "Grey") to the hardware of
>> the IPFire and configure them via the GUI. I want them to be separated from the
>> rest of the networks by default as a safe area. I want the option to
>> configure individually (read as: allow) all offered services (like DHCP,
>> DNS, Red access, port forwarding, etc.) to be accessible from devices in
>> this new physical network.>.
>> My intended use is <a safe network area, to use as a kind of test lab,
>> which has Internet access, but is otherwise entirely separated from green,
>> blue and orange. There I can try out new things, products and set up
>> machines/devices that may be compromised by a virus or malware. This works by
>> plug and play, as the network ports in the area are connected to their own
>> separate switch. The switch has an uplink to the Grey interface on the
>> IPFire which in return provides red access, DHCP, etc. >.
>
> Why - under any circumstances - would you connect a machine that has malware
> on it to a network?
>
>> Role definition "SuperUser":
>> Not a full administrator, but a motivated home user. Curious, able to read
>> up on a few wikis and how-tos, but 95% Windows user. No experience with Linux
>> systems or their administration. Maintains the other networks on a
>> rudimentary level (file server in green, mail server in orange and the WDS
>> infrastructure in blue).
>>
>>
>> Environment definition "SoHo":
>> Approx 10-15 machines in total, with less than 10 active at any given
>> time. A very large home office.
>>
>>
>> My personal setup and reason for asking for this feature:
>> I have used IPCop over the years and have my network set up to its
>> interfaces, including Grey. I made the switch to IPFire due to IPCop's end of
>> life. My basement is set up on a Grey segment, I have the ports connected to
>> a switch and that switch is connected to the firewall. There I set up new
>> machines when I need to do so, reinstall or try to help friends and
>> neighbours with machines of unknown protection level and similar. I find
>> this feature to be very handy indeed. And since an IPCop add-on
>> exists/existed - I had high hopes it would be possible to transfer the
>> functionality into IPFire.
>>
>>
>> For a larger company network I understand the risk of creating a single
>> point of failure, but want to put forth that most likely a backup hardware
>> solution will be kept at the ready. In my SoHo environment that would be
>> less of an issue, while it would certainly suck and blow at the same time,
>> it would be manageable.
>>
>> I would appreciate it if you find the time to look into the matter if a
>> GUI-based feature similar to this use case can be included in IPFire. Even
>> with the speed drawback (especially when compared to a single switch with
>> VLANs), the ease of use and implementation is worth the trade-off.
>
> I will definitely not have time to take on this project. We are already
> years behind with roadmaps of all kinds of projects and I have pledged at
> the last developer summit to not take on anything else before at least a
> good number of the open things are done.
>
> But I can of course help out and advise.
>
> Best,
> -Michael
>
>>
>> Thanks a lot in advance.
>>
>> yours sincerely,
>>
>> Klaus
>>
>>
>>
>> ----- Original Message -----
>> From: Michael Tremer [mailto:michael.tremer(a)ipfire.org]
>> To: Klaus Gimm [mailto:teclis22(a)schatten-welt.de]
>> Cc: development(a)lists.ipfire.org
>> Subject: Re: Extra "Grey" interfaces on IpFire
>>
>>
>>> Hi Klaus,
>>>
>>> Thanks for your email.
>>>
>>> First of all, I would like to point out that it might be a very bad
>>> idea to add too many interfaces to the firewall. It will make it a
>>> big single-point of failure and very often a switch can route traffic
>>> between networks much more efficiently. Firewalls are always slow.
>>>
>>> However, you can just add more interfaces on the console and use them
>>> in the firewall by creating a subnet.
>>>
>>> What would be your use-case for this?
>>>
>>> -Michael
>>>
>>>> On 24 Sep 2019, at 15:30, Klaus Gimm <teclis22(a)schatten-welt.de> wrote:
>>>>
>>>> Dear Sir or Madam,
>>>>
>>>> as a long-time IPCop user I had installed this add-on for a long
>>>> time and it worked great for me:
>>>>
>>>> http://www.ban-solms.de/t/IPCop-xtiface.html
>>>>
>>>> After the switch to IPFire as the follow-up project to IPCop I do
>>>> miss it dearly.
>>>>
>>>>
>>>> Is it possible to implement this functionality into IPFire? I am
>>>> unfortunately not a developer so I can't adjust the package or redesign
>>>> it.
>>>
>>>>
>>>> Is there a ticket somewhere to suggest features for development?
>>>>
>>>> Thanks a lot in advance.
>>>>
>>>> Yours sincerely
>>>>
>>>> Klaus
>>>
>>>
>>>
>
>
>
>