
VLANs in a firewall



I have recently begun using 802.1q VLANs and channel bonding with my Cisco 
switches and Debian application servers to provide redundancy and bandwidth 
aggregation across several internet connections with no BGP.  Where I used to 
have 2 or 3 ethernet interfaces on different networks for each server, now I 
have one bonded interface and 3 or more VLAN network interfaces for each 
server.

I'd like to do the same thing with a firewall, but I don't really understand 
the security implications.  All of the ports on all of these switches are 
configured right now to be on one VLAN or another, except for the VLAN+bonded 
Debian servers, which are in trunk mode.  Those have IPs configured only on 
the bonded VLAN interfaces like bond0.433, but I can still see traffic both 
for eth0, eth1, etc. and for the bonded interface bond0.

My question is this:  Can I treat, say, bond0.433 and bond0.434 as completely 
separate interfaces for iptables purposes?  What I mean to say is, I know I 
can do it; can I do it as safely as the old-fashioned method of configuring 
one port to be VLAN 433 and one on 434, one internal, one external, or of 
putting a firewall in-line with each internet connection?

It would make some new applications possible, like providing firewall service 
for many internal VLANs from the same set of firewall hosts with different 
rulesets for each VLAN, and the rulesets are a little more mistake-proof 
because I can write them for each VLAN interface instead of an IP range.

Also, it would make it very easy to quarantine a VLAN as soon as Snort 
detects outgoing worms from a host in it.  That way they can't do anything 
but infect each other until the problem gets fixed.  Many of our customers 
for some reason use a very virus-prone operating system which will inevitably 
become infected with one exploit or another and begin attacking the rest of 
the internet through my gateways....

thanks for your advice,
--John 
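The per-VLAN ruleset and the quarantine switch described in the post, as an added example that is not part of the original message or of any Debian package. It assumes a firewall host whose trunk is bond0, customer VLANs on bond0.433 and bond0.434, and an uplink VLAN on bond0.10; all of those names are assumptions for illustration. The point it demonstrates: the 8021q driver hands a tagged frame to bond0.<vid> before netfilter sees it, so `-i bond0.433` identifies the arrival VLAN as reliably as a physical port does, with one caveat worth encoding: a frame that arrives on the trunk without a tag (the switch's native VLAN) is delivered to bond0 itself, not to any subinterface, so the base rules drop traffic seen on bare bond0 rather than trusting it. Because traffic between two hosts in the same VLAN is switched and never crosses the firewall, a quarantine rule stops a VLAN reaching anything through the gateway but leaves hosts inside it able to reach each other, which is exactly the behaviour the post describes. IPT defaults to `echo iptables` so the script can be read and tested without root; run it with `IPT=iptables` to apply.

```shell
#!/bin/sh
# Per-VLAN iptables rules on a bonded 802.1q trunk, plus a quarantine switch.
# Added example; interface names and VLAN ids below are assumptions.
# IPT defaults to "echo iptables" so the commands are printed, not applied.

IPT="${IPT:-echo iptables}"
TRUNK="bond0"
UPLINK="${TRUNK}.10"        # assumed: VLAN 10 carries the internet link(s)

# Subinterface name for a VLAN id, e.g. vlan_if 433 -> bond0.433
vlan_if() {
    printf '%s.%s\n' "$TRUNK" "$1"
}

# Default-deny policy and handling of the trunk itself. Untagged frames on the
# trunk (the switch native VLAN) show up on bond0, not on any bond0.N, so they
# are dropped explicitly instead of being matched by any per-VLAN chain.
base_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i "$TRUNK" -j DROP
    $IPT -A FORWARD -i "$TRUNK" -j DROP
    $IPT -A FORWARD -o "$TRUNK" -j DROP
    # QUARANTINE is consulted before the state rule so that existing flows
    # from a quarantined VLAN are cut as well, not just new ones.
    $IPT -N QUARANTINE
    $IPT -A FORWARD -j QUARANTINE
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# One chain per customer VLAN, selected by the arrival subinterface rather
# than by an IP range. Customers may reach the uplink but not each other's
# VLANs through this host.
vlan_rules() {
    vid="$1"
    ifc="$(vlan_if "$vid")"
    $IPT -N "vlan${vid}"
    $IPT -A FORWARD -i "$ifc" -j "vlan${vid}"
    $IPT -A "vlan${vid}" -o "$UPLINK" -j ACCEPT
    $IPT -A "vlan${vid}" -j LOG --log-prefix "vlan${vid}-drop: "
    $IPT -A "vlan${vid}" -j DROP
}

# Quarantine a VLAN: nothing arriving on its subinterface is forwarded.
# Hosts inside the VLAN still reach each other on the switch, which the
# firewall never sees.
quarantine_vlan() {
    $IPT -A QUARANTINE -i "$(vlan_if "$1")" -j DROP
}

# Lift the quarantine by deleting the same rule.
release_vlan() {
    $IPT -D QUARANTINE -i "$(vlan_if "$1")" -j DROP
}

# Usage:  sh fw.sh build | quarantine <vid> | release <vid>
case "${1:-}" in
    build)      base_rules; vlan_rules 433; vlan_rules 434 ;;
    quarantine) quarantine_vlan "$2" ;;
    release)    release_vlan "$2" ;;
esac
```

A detector such as Snort can call `sh fw.sh quarantine 433` the moment it flags worm traffic from that VLAN; because the rule is keyed on the subinterface, it cannot be undone by a host changing its address inside the VLAN.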


