vlans in a firewall
I have recently begun using 802.1q vlans and channel bonding with my cisco
switches and debian application servers to provide redundancy and bandwidth
aggregation across several internet connections with no bgp. Where I used to
have 2 or 3 ethernet interfaces on different networks for each server, now I
have one bonded interface and 3 or more vlan network interfaces for each
server.
I'd like to do the same thing with a firewall, but I don't really understand
the security implications. All of the ports on all of these switches are
configured right now to be on one vlan or another, except for the vlan+bonded
debian servers which are in trunk mode. Those have IPs configured only on
the bonded vlan interfaces like bond0.433, but I can still see traffic both
for eth0, eth1, etc., and for the bonded interface bond0.
My question is this: Can I treat, say, bond0.433 and bond0.434 as completely
separate interfaces for iptables purposes? What I mean to say is, I know I
can do it, but can I do it as safely as the old fashioned method of configuring
one port to be vlan 433 and one on 434, one internal, one external, or of
putting a firewall in-line with each internet connection?
It would make some new applications possible, like providing firewall service
for many internal vlans from the same set of firewall hosts with different
rulesets for each vlan, and the rulesets are a little more mistake proof
because I can write them for each vlan interface instead of an ip range.
Also, it would make it very easy to quarantine a vlan as soon as snort
detects outgoing worms from a host in it. That way they can't do anything
but infect each other until the problem gets fixed. Many of our customers
for some reason use a very virus-prone operating system which will inevitably
become infected with one exploit or another and begin attacking the rest of
the internet through my gateways....
Thanks for your advice,
--John
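The per-VLAN-interface firewall John describes, as an added example that is not part of the original post: a POSIX shell script that builds one iptables chain per VLAN sub-interface on the bond0 trunk, matches on the sub-interface rather than an IP range, drops anything that arrives untagged on bond0 itself, and can quarantine a VLAN with one command. The interface and chain names (bond0, bond0.<id>, VLAN_<id>), the sample prefixes, and the dry-run default (IPT='echo iptables', which prints the commands instead of applying them) are assumptions of this example, not details from the post.

```shell
#!/bin/sh
# Per-VLAN iptables ruleset generator (added example, not from the original post).
# Assumptions: the 802.1q trunk is carried on bond0 and each VLAN appears as the
# sub-interface bond0.<id>. IPT defaults to a dry run that echoes the commands;
# set IPT=iptables (as root) to apply them for real.
IPT="${IPT:-echo iptables}"
TRUNK=bond0

# Base policy: default deny, allow reply traffic, and refuse anything that shows
# up on the bare trunk interface. Untagged (native VLAN) frames land on bond0
# rather than on a bond0.<id> sub-interface, so they never match a VLAN chain.
base_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$TRUNK" -j DROP
    $IPT -A FORWARD -i "$TRUNK" -j DROP
    $IPT -A FORWARD -o "$TRUNK" -j DROP
}

# One chain per VLAN, keyed on the sub-interface. The first rule rejects source
# addresses outside the VLAN's own prefix, so a spoofed source on bond0.<id>
# is dropped even though the interface match alone would have admitted it.
# Usage: vlan_chain <vlan-id> <vlan-prefix-cidr> <external-interface>
vlan_chain() {
    vid=$1; cidr=$2; ext=$3
    chain="VLAN_$vid"
    $IPT -N "$chain"
    $IPT -A "$chain" ! -s "$cidr" -j DROP
    $IPT -A "$chain" -o "$ext" -j ACCEPT
    $IPT -A "$chain" -j DROP
    $IPT -A FORWARD -i "$TRUNK.$vid" -j "$chain"
}

# Quarantine: a tagged DROP inserted at the top of the VLAN chain (and of INPUT)
# stops every forwarded and firewall-bound packet from that VLAN. Hosts inside
# the VLAN can still reach each other, because the switch forwards intra-VLAN
# traffic without ever handing it to the firewall.
# Usage: quarantine_vlan <vlan-id>
quarantine_vlan() {
    vid=$1
    $IPT -I "VLAN_$vid" 1 -m comment --comment quarantine -j DROP
    $IPT -I INPUT 1 -i "$TRUNK.$vid" -m comment --comment quarantine -j DROP
}

# Lift the quarantine by deleting exactly the tagged rules inserted above; the
# comment match keeps -D from removing the chain's own trailing DROP.
# Usage: unquarantine_vlan <vlan-id>
unquarantine_vlan() {
    vid=$1
    $IPT -D "VLAN_$vid" -m comment --comment quarantine -j DROP
    $IPT -D INPUT -i "$TRUNK.$vid" -m comment --comment quarantine -j DROP
}

# Demo run with constructed values: two customer VLANs behind one uplink, then
# VLAN 434 gets quarantined. In dry-run mode this only prints the commands.
base_rules
vlan_chain 433 10.4.33.0/24 eth2
vlan_chain 434 10.4.34.0/24 eth2
quarantine_vlan 434
```

The interface match (`-i bond0.433`) is only as trustworthy as the switch that strips and applies the tags: access ports must be locked to a single VLAN, and the trunk's native VLAN should be an ID that carries no real traffic, so that anything untagged is caught by the bond0 rules in base_rules rather than silently belonging to a customer VLAN. The per-VLAN chains are what make the rulesets "mistake proof" in the sense John means: a rule can only ever affect the one sub-interface it is attached to, and the prefix check inside each chain covers the case where a host in one VLAN sends with an address borrowed from another.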