FYI Secure Multi-homed Network Configuration

L V Lammert

Member
Joined
Apr 19, 2016
Messages
43
Reaction score
1
I would like to configure the network multi-homed for security:

* Public IF for only VOIP traffic
* Local/private IF for phone network
* Local/private IF for admin access

Unfortunately, with so much of the PBIAF configuration automated, it is just about impossible to configure the system properly! For example, when logging in as root, the automatic update script runs (which DNW, but that may be related) and ends up at:

Incredible PBX 13-12.5 for Raspberry Pi 2

Where ALL IPs are shown in the "Private IP:" section, .. including the public! Can't find any clues in the Forums, .. how does one configure a multi-homed system? Any pointers would be greatly appreciated!

Thanks!

Lee
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
The Status "Private IP" would be better named "Local IPs" and shows all local interfaces. The method used is pretty basic and may not display all configured interfaces. The fact the public interface's IP is listed doesn't really mean anything other than it is configured locally.

The "Public IP" is the address detected as communicating with the wild. It normally detects what is past a nat router, in this case it should be showing the public interface IP.

Otherwise things should "just work" if the networks are properly configured. The default IPBX firewall rules are not interface specific, they would need editing restricting services to the appropriate interfaces to gain any semblance of a security benefit from the multi-homed setup. Only you really know what needs to be available where.

If unfamiliar with iptables and routing, the multi-homed config could easily be (MUCH!) less secure than the standard config behind a firewall.
 

L V Lammert

Hi Jerr!

Thanks for the quick reply, .. I can grok that. The services I wish to restrict (ssh, http) can easily be bound to a specific IP (the internal one in this case), .. done. As you note, the iptables config doesn't have to be interface specific if services can be bound elsewhere.

Problem is, Jessie and PIAF seem to have a larger problem with a static network configuration - I can NOT get the interfaces to come up cleanly! With normal auto [eth0, eth1, eth2], a connected interface will pull a dhcp address, even though it is configured static.

I found some notes online about bringing up the IFs manually, so I put ifup etho, ifup eth1, ifup eth2 in rc.local and commented out the auto commands in /etc/network/interfaces, but that DNW either. The ONLY way I get the three interfaces to come up cleanly is MANUALLY entering ifup, ifdown, ifup after the system boots.

Is there anything in the PIAF systemd configuration that must be adjusted to allow the interfaces to come up cleanly without dhcp addresses?

TIA!!

Lee
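
The policy from the first post, and the approach discussed above (bind ssh and http to the internal address, or make the firewall rules interface specific), can be checked against what is actually listening. The following is an added example, not part of the original thread: a Python audit of `ss -tuln`-style output. The addresses, the SIP port udp/5060 and the policy table are constructed assumptions.

```python
import ipaddress

# Constructed addresses for the three interfaces in the thread (assumptions).
ROLES = {"203.0.113.10": "public", "192.168.10.1": "phone", "192.168.20.1": "admin"}

# Assumed policy: where each service may be reachable. udp/5060 for SIP is an
# assumption; the thread itself only names "VOIP", ssh and http.
POLICY = {
    ("udp", 5060): {"public", "phone"},
    ("tcp", 22): {"admin"},
    ("tcp", 80): {"admin"},
}

# Constructed sample in the column layout of `ss -tuln`.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:5060       0.0.0.0:*
tcp   LISTEN 0      128    192.168.20.1:22    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
"""

def exposure(addr):
    """Return the interface roles on which a bound address is reachable."""
    addr = addr.strip("[]").split("%")[0]          # drop brackets / zone id
    if addr == "*" or ipaddress.ip_address(addr).is_unspecified:
        return set(ROLES.values())                 # wildcard: every interface
    if ipaddress.ip_address(addr).is_loopback:
        return set()                               # loopback is not exposed
    return {ROLES.get(addr, "unknown")}

def audit(ss_output):
    """Return sorted (proto, port, role) tuples that violate POLICY."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue                               # header, blank or other line
        addr, _, port = fields[4].rpartition(":")
        allowed = POLICY.get((fields[0], int(port)), set())  # unlisted: nowhere
        for role in exposure(addr) - allowed:
            findings.add((fields[0], int(port), role))
    return sorted(findings)

if __name__ == "__main__":
    for proto, port, role in audit(SAMPLE):
        print(f"{proto}/{port} is reachable on the {role} interface")
```

In the sample, the IPv6 wildcard listener for ssh is flagged even though the IPv4 listener is bound to the admin address, which is the kind of gap that binding alone can leave without interface-specific firewall rules.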
 

jerrm

Are you doing it the "Raspbian Jessie" way with dhcpd.conf?
 

L V Lammert

Geeze, .. what a bunch of C**P!!! Putting network configuration into dhcpd.conf is the stupidest thing I have ever seen! Moving system configuration data into a systemd .d directory is one thing as it sort of follows the new standards, but moving SYSTEM configuration data to a non-systemd SERVICE CONFIGURATION file doesn't make any sense!

Oh well, .. idiots push out code, everyone else has to swallow it.

Thanks!

Lee
 

L V Lammert

Ahh, .. you might wish to read the post, .. I was NOT complaining about systemd, .. I was complaining about Jessie not adhering to systemd standards.

In any case, it's much simpler to learn the weird stuff than switch distros - *especially* with Raspbian..
 

L V Lammert

Just in case anyone else has a similar problem [with Raspbian Jessie 8.1], .. even putting the static network configuration in /etc/dhcpcd.conf DNW!! There was NO way to get a static configuration working with dhcpcd5 installed, so I had to rip it out [dhcpcd5] entirely. Now everything works fine using /etc/network/interfaces as it should.

Hopefully in the future the developers will actually TEST normal network configurations before releasing such a drastic change. <sigh>
 
