Gentoo Archives: gentoo-user

From: Michael Orlitzky <michael@××××××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] ebtables on Gentoo?
Date: Tue, 29 Jan 2013 18:25:01
Message-Id: 510813E7.8000704@orlitzky.com
In Reply to: [gentoo-user] ebtables on Gentoo? by James
On 01/29/2013 09:45 AM, James wrote:
> Hello,
>
> From here: http://ebtables.sourceforge.net/
>
>
> We read:
> The ebtables tool can be combined with the other Linux filtering tools
> (iptables, ip6tables and arptables) to make a bridging firewall that is also
> capable of filtering these higher network layers. This is enabled through the
> bridge-netfilter architecture which is a part of the standard Linux kernel.
>
>
> Can someone explain to me when/how you would use ebtables
> for enhanced security, or forward me to a good written
> presentation on when, why or how to deploy ebtables?
> Maybe a package already blends these components together?
> I recently saw ebtables pop up in a commercial product
> ( sniffed terminal boot session) offered by Siemens......
>

tl;dr ebtables makes it easy to isolate your interfaces in an unsafe
environment.

This was over a year ago, and the project fell through, so this is just
from memory:

We were planning on hosting a very insecure electronic health thingy
that "needs to run on a server" (if you want support). The doctors who
use it don't have the expertise to maintain it, and the people who sell
it didn't have the expertise to do much of anything in my opinion.

Since it was "just" a java web application, the servers didn't need to
be powerful. But for HIPAA (and my own peace of mind) we wanted the
servers to be as isolated as possible. We decided on using KVM virtual
machines, each bridged through to its own public IP address on the host.

For preventing *external* traffic, iptables is fine. We obviously don't
want the RDP ports open to the world, for example. But how do we prevent
one VM instance from communicating with another? One doctor's office
shouldn't be able to connect to another office's server. If Dr. Foo
notices that he can crash his application by entering nonsense into the
login form, then he might suppose that he could crash Dr. Bar's
application by doing the same thing.

So anyway, my memory of this is all very wishy-washy, but ebtables
turned out to be the best way to implement those inter-VM restrictions.
It could probably have been done in iptables, but ebtables made it easy
to say "don't let these two talk."

Replies

Subject Author
Re: [gentoo-user] ebtables on Gentoo? Kevin Chadwick <ma1l1ists@××××××××.uk>