Hi,
On 25 Sep 2019, at 23:27, KMG teclis22@schatten-welt.de wrote:
Hi there,
Yes, but this list is English only. You also forgot to copy it.
Fixed now. Thanks for the hint. Never used mailing lists much :/
Why - under any circumstances - would you connect a machine that has
malware on it to a network?
Since the networks are entirely separated due to the firewall. I really just need the web access. A 2nd ISP contract is not an option unfortunately.
No, my point rather is that you are protecting your own network but exposing other hosts on the internet to this threat.
I will definitely not have time to take on this project. We are already years behind with roadmaps of all kinds of projects and I have pledged at the last developer summit to not take on anything else before at least a good number of the open things are done.
Wow. Wasn't aware of such a long to-do list. You guys do great though. Considering it is all in addition to your day job. I can't even manage to maintain a gym membership.
LOL
But I can of course help out and advise.
Thanks a lot for your assistance. I will start reading up on the subnets or maybe I can use VLANs to get the functionality going.
Let’s build this. I think it makes sense...
Best regards
Klaus
-----Original Message----- From: Michael Tremer michael.tremer@ipfire.org Sent: Wednesday, 25 September 2019 17:37 To: Klaus Gimm teclis22@schatten-welt.de Cc: development development@lists.ipfire.org Subject: Re: Extra "Grey" interfaces on IpFire
Hi,
On 25 Sep 2019, at 16:12, Klaus Gimm teclis22@schatten-welt.de wrote:
Dear Michael,
Thanks for getting back to me. Right now I am not sure if I saw you post in the German subsection of the IPFire forum, hence I stick to English :)
Yes, but this list is English only. You also forgot to copy it.
My use case would look like this:
I as a <SuperUser in a SOHO environment> want to <have the option to add more physical interfaces (suggested name "Grey") to the hardware of the IPFire and configure them via the GUI. I want them to be separated from the rest of the networks by default as a safe area. I want the option to configure individually (read as: allow) all offered services (like DHCP, DNS, Red access, port forwarding, etc.) to be accessible from devices in this new physical network.>
My intended use is <a safe network area, to use as a kind of test lab, which has Internet access, but is otherwise entirely separated from green, blue and orange. There I can try out new things, products and set up machines/devices that may be compromised by a virus or malware. This works by plug and play, as the network ports in the area are connected to their own separate switch. The switch has an uplink to the Grey interface on the IPFire, which in return provides red access, DHCP, etc.>
Why - under any circumstances - would you connect a machine that has malware on it to a network?
Role definition "SuperUser": Not a full administrator, but motivated home user. Curious, able to read up on a few wikis and how-tos, but 95% Windows user. No experience with Linux systems or their administration. Maintains the other networks on a rudimentary level (file server in green, mail server in orange and the WDS infrastructure in blue).
Environment definition "SoHo": Approx. 10-15 machines in total, with less than 10 active at any given time. A very large home office.
My personal setup and reason for asking for this feature: I have used IPCop over the years and have my network set up to its interfaces, including Grey. I made the switch to IPFire due to IPCop's end of life. My basement is set up on a Grey segment, I have the ports connected to a switch and that switch is connected to the firewall. There I set up new machines when I need to do so, reinstall or try to help friends and neighbours with machines of unknown protection level and similar. I find this feature to be very handy indeed. And since an IPCop add-on exists/existed - I had the high hopes it would be possible to transfer the functionality into IPFire.
For a larger company network I understand the risk of creating a single point of failure, but want to put forth that most likely a backup hardware solution will be kept at the ready. In my SoHo environment that would be less of an issue; while it would certainly suck and blow at the same time, it would be manageable.
I would appreciate it if you find the time to look into the matter if a GUI-based feature similar to this use case can be included in IPFire. Even with the speed drawback (especially when compared to a single switch with VLANs), the ease of use and implementation is worth the trade-off.
I will definitely not have time to take on this project. We are already years behind with roadmaps of all kinds of projects and I have pledged at the last developer summit to not take on anything else before at least a good number of the open things are done.
But I can of course help out and advise.
Best, -Michael
Thanks a lot in advance.
Yours sincerely,
Klaus
----- Original Message ----- From: Michael Tremer [mailto:michael.tremer@ipfire.org] To: Klaus Gimm [mailto:teclis22@schatten-welt.de] Cc: development@lists.ipfire.org Subject: Re: Extra "Grey" interfaces on IpFire
Hi Klaus,
Thanks for your email.
First of all, I would like to point out that it might be a very bad idea to add too many interfaces to the firewall. It will make it a big single-point of failure and very often a switch can route traffic between networks much more efficiently. Firewalls are always slow.
However, you can just add more interfaces on the console and use them in the firewall by creating a subnet.
What would be your use-case for this?
-Michael
On 24 Sep 2019, at 15:30, Klaus Gimm teclis22@schatten-welt.de wrote:
Dear Sir or Madam,
As a long-time IPCop user I had installed this add-on for a long time and it worked great for me:
http://www.ban-solms.de/t/IPCop-xtiface.html
After the switch to IPFire as the follow-up project to IPCop I do miss it dearly.
Is it possible to implement this functionality into IPFire? I am unfortunately not a developer so I can't adjust the package or redesign it.
Is there a ticket somewhere to suggest features for development?
Thanks a lot in advance.
Yours sincerely
Klaus