From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Extra "Grey" interfaces on IpFire
Date: Tue, 01 Oct 2019 14:03:47 +0100
In-Reply-To: <002601d573f0$5dfa07b0$19ee1710$@schatten-welt.de>

Hi,

> On 25 Sep 2019, at 23:27, KMG wrote:
>
> Hi there,
>
>> Yes, but this list is English only. You also forgot to copy it.
>
> Fixed now. Thanks for the hint. Never used mailing lists much :/
>
>> Why - under any circumstances - would you connect a machine that has
>> malware on it to a network?
>
> Since the networks are entirely separated due to the firewall. I really
> just need the web access. A 2nd ISP contract is not an option
> unfortunately.

No, my point rather is that you are protecting your own network but exposing
other hosts on the internet to this threat.

>
>> I will definitely not have time to take on this project. We are already
>> years behind with roadmaps of all kinds of projects and I have pledged at
>> the last developer summit to not take on anything else before at least a
>> good number of the open things are done.
>
> Wow. Wasn't aware of such a long to-do list. You guys do great though.
> Considered it is all in addition to your day job. I can't even manage to
> maintain a gym membership.

LOL

>> But I can of course help out and advise.
>
> Thanks a lot for your assistance. I will start reading up on the subnets
> or maybe I can use VLANs to get the functionality going.

Let’s build this. I think it makes sense...

>
> Best regards
>
> Klaus
>
> -----Original Message-----
> From: Michael Tremer
> Sent: Wednesday, 25 September 2019 17:37
> To: Klaus Gimm
> Cc: development
> Subject: Re: Extra "Grey" interfaces on IpFire
>
> Hi,
>
>> On 25 Sep 2019, at 16:12, Klaus Gimm wrote:
>>
>> Dear Michael,
>>
>> thanks for getting back to me.
>> Right now I am not sure if I saw you post in the German subsection of
>> the ipfire forum, hence I stick to English :)
>
> Yes, but this list is English only. You also forgot to copy it.
>
>> My use case would look like this:
>>
>> I as a want to add more physical interfaces (suggested name "Grey") to
>> the hardware of the ipfire and configure them via the GUI. I want them
>> to be separated from the rest of the networks by default as a safe area.
>> I want the option to configure individually (read as: allow) all offered
>> services (like DHCP, DNS, Red access, port forwarding, etc.) to be
>> accessible from devices in this new physical network.
>> My intended use is which has Internet access, but is otherwise entirely
>> separated from green, blue and orange. There I can try out new things,
>> products and set up machines/devices that may be compromised by a virus
>> or malware. This works by plug and play, as the network ports in the
>> area are connected to their own separate switch. The switch has an
>> uplink to the Grey interface on the ipfire which in return provides red
>> access, DHCP, etc.
>
> Why - under any circumstances - would you connect a machine that has
> malware on it to a network?
>
>> Role definition "SuperUser":
>> Not a full administrator, but motivated home user. Curious, able to read
>> up on a few wikis and how-tos, but 95% Windows user. No experience with
>> Linux systems or their administration. Maintains the other networks on a
>> rudimentary level (file server in green, mail server in orange and the
>> WDS infrastructure in blue).
>>
>>
>> Environment definition "SoHo":
>> Approx 10-15 machines in total, with less than 10 active at any given
>> time. A very large home office.
>>
>>
>> My personal setup and reason for asking for this feature:
>> I have used IPcop over the years and have my network set up to its
>> interfaces, including Grey. I made the switch to ipfire due to ipcop's
>> end of life. My basement is set up on a Grey segment, I have the ports
>> connected to a switch and that switch is connected to the firewall.
>> There I set up new machines when I need to do so, reinstall or try to
>> help friends and neighbours with machines of unknown protection level
>> and similar. I find this feature to be very handy indeed. And since an
>> ipcop add-on exists/existed - I had the high hopes it would be possible
>> to transfer the functionality into ipfire.
>>
>>
>> For a larger company network I understand the risk of creating a single
>> point of failure, but want to put forth that most likely a backup
>> hardware solution will be kept at the ready. In my SoHo environment that
>> would be less of an issue, while it would certainly suck and blow at the
>> same time, it would be manageable.
>>
>> I would appreciate it if you find the time to look into the matter if a
>> GUI-based feature similar to this use case can be included in ipfire.
>> Even with the speed drawback (especially when compared to a single
>> switch with VLANs), the ease of use and implementation is worth the
>> trade-off.
>
> I will definitely not have time to take on this project. We are already
> years behind with roadmaps of all kinds of projects and I have pledged at
> the last developer summit to not take on anything else before at least a
> good number of the open things are done.
>
> But I can of course help out and advise.
>
> Best,
> -Michael
>
>>
>> Thanks a lot in advance.
>>
>> Yours sincerely,
>>
>> Klaus
>>
>>
>>
>> ----- Original Message -----
>> From: Michael Tremer [mailto:michael.tremer(a)ipfire.org]
>> To: Klaus Gimm [mailto:teclis22(a)schatten-welt.de]
>> Cc: development(a)lists.ipfire.org
>> Subject: Re: Extra "Grey" interfaces on IpFire
>>
>>
>>> Hi Klaus,
>>>
>>> Thanks for your email.
>>>
>>> First of all, I would like to point out that it might be a very bad
>>> idea to add too many interfaces to the firewall. It will make it a
>>> big single-point of failure and very often a switch can route traffic
>>> between networks much more efficiently. Firewalls are always slow.
>>>
>>> However, you can just add more interfaces on the console and use them
>>> in the firewall by creating a subnet.
>>>
>>> What would be your use-case for this?
>>>
>>> -Michael
>>>
>>>> On 24 Sep 2019, at 15:30, Klaus Gimm wrote:
>>>>
>>>> Dear Sir or Madam,
>>>>
>>>> as a long-time ipcop user I had installed this add-on for a long
>>>> time and it worked great for me:
>>>>
>>>> http://www.ban-solms.de/t/IPCop-xtiface.html
>>>>
>>>> After the switch to Ipfire as the follow-up project to ipcop I do
>>>> miss it dearly.
>>>>
>>>>
>>>> Is it possible to implement this functionality into IpFire? I am
>>>> unfortunately not a developer so I can't adjust the package or
>>>> redesign it.
>>>>
>>>> Is there a ticket somewhere to suggest features for development?
>>>>
>>>> Thanks a lot in advance.
>>>>
>>>> Yours sincerely
>>>>
>>>> Klaus