[personal profile] yesthattom
I don’t think it’s documented anywhere, but it seems to be a universal truth that on commercial firewalls, VPN concentrators, and all network devices that “straddle a security border” (i.e. have 2 NICs, one on the inside and one on the outside) they always assign Ethernet 0 to the outside connection and Ethernet 1 to the inside connection. As I said, I don’t think this is required by law or even documented in books like this one or that one, but they all seem to do it. On home-brew firewalls I always did it because I always have only one outside connection and potentially many inside connections, so putting the outside connection first lets me number the inside connections sequentially. However, I recently realized that the answer is more likely that it is easier to remember that Ethernet 0 is for “0”utside and Ethernet 1 is for “1”nside.

Date: 2004-08-27 08:31 am (UTC)
From: [identity profile] mcl.livejournal.com
Interesting.

On the firewall we just deployed, the outside interface is numbered 4 (out of 8). We didn't do it on purpose; at least, we didn't decide that we wanted the outside interface to be number 4. Rather, we decided that we wanted a particular physical port in a particular location on the back of the box to be the external interface, and we ended up using whatever OpenBSD decided to number the ports.

We didn't think we'd end up with 4, though, as the interface chosen was the first of two interfaces hardwired to the motherboard, with 6 more on 3 dual-port PCI-X cards. Somehow, we expected the OS to number the devices a bit less randomly.

Sure, we could recreate the device special files in the order we'd prefer, but instead I just made up a map of the back of the box, distributed it to the appropriate folks, taped a copy to the firewall, and put a copy into our documentation system. I'll probably redo the device files in a few months, when we upgrade the OS and bring a redundant firewall online.

Date: 2004-08-27 10:36 am (UTC)
From: [identity profile] yesthattom.livejournal.com
Yup, that's why I said "commercial firewalls". The firewall I made out of a FreeBSD box had similar issues.

Sentimental

Date: 2004-08-27 09:02 am (UTC)
From: [identity profile] kathdem.livejournal.com
*sniff*

This kind of talk always gets to me - you, you, romantic you.

:)

Re: Sentimental

Date: 2004-08-27 10:29 am (UTC)
From: [identity profile] yesthattom.livejournal.com
Give me your phone number and I'll talk nerdy to you all night long :-)

Date: 2004-08-27 02:01 pm (UTC)
From: [identity profile] kimuchi.livejournal.com
Huh, now I'll have to see if our new product labels the outside as eth0 or not. Traditionally eth0 has been used as the management interface for ManHunt (it doesn't -have- to be, but that's always how we set it up in testing).

Date: 2004-08-27 07:48 pm (UTC)
From: [identity profile] docstrange.livejournal.com
Woah... small world. Say hi to Ricky and Rod... Yeah, eth0 is often used as inside or management i/f on products built on general purpose OSes -- and for good reason. When the box first comes up, if it bombs hard, you may not have support for add-on i/fs. Also, you want the first one brought up to be in your control zone, and not on the Internet... so you can manually bring it up w/o drivers in single user mode, or just in case sec policies fail to take in a timely way due to some error or other. Defense in depth and all that.
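The two conventions argued over in this thread (outside on the lowest-numbered port, per the post, versus management on the lowest-numbered port, per the comment above) and the "map of the back of the box" from the OpenBSD comment can all be checked mechanically. The script below is an added example, not code from the post or any commenter: it takes a constructed inventory of OS interface name, chassis label and role, audits it against whichever convention you pick, prints the port map, and emits pf.conf macros so the ruleset refers to roles (`ext_if`, `int_if`) rather than to whatever number the OS happened to hand out. The interface names (`em0`..`em7`), the chassis labels and the inventory format are assumptions for this example.

```python
"""Audit a border firewall's interface-to-role assignment.

Added example, not from the thread. The inventory below is constructed for a
box like the one described above: two on-board ports plus three dual-port
cards. Interface names, chassis labels and the file format are assumptions.
"""
import re

# Constructed inventory: OS interface name, label on the back of the box, role.
INVENTORY = """\
em0  mobo-port-A   mgmt
em1  mobo-port-B   inside
em2  card1-port-1  dmz
em3  card1-port-2  unused
em4  card2-port-1  outside
em5  card2-port-2  unused
em6  card3-port-1  unused
em7  card3-port-2  unused
"""

ROLES = ("mgmt", "inside", "dmz", "outside", "unused")
# pf.conf macro for each role, so rules name the role, not the port number.
MACRO = {"outside": "ext_if", "inside": "int_if", "dmz": "dmz_if", "mgmt": "mgmt_if"}


def parse_inventory(text):
    """Parse whitespace-separated 'name label role' lines, sorted by OS index."""
    ifaces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, label, role = line.split()
        m = re.fullmatch(r"([a-z]+)(\d+)", name)
        if m is None or role not in ROLES:
            raise ValueError(f"bad inventory line: {line!r}")
        ifaces.append({"name": name, "index": int(m.group(2)),
                       "label": label, "role": role})
    return sorted(ifaces, key=lambda i: i["index"])


def check_layout(ifaces, expect_first):
    """Return a list of findings; an empty list means the layout is as expected.

    expect_first is the role the lowest-numbered interface should carry:
    "outside" for the 0utside/1nside convention from the post, "mgmt" for the
    management-first rule argued for in the comments.
    """
    if not ifaces:
        return ["inventory is empty"]
    findings = []
    outside = [i["name"] for i in ifaces if i["role"] == "outside"]
    if len(outside) != 1:
        findings.append(f"expected exactly one outside interface, "
                        f"found {len(outside)}: {outside}")
    first = ifaces[0]
    if first["role"] != expect_first:
        findings.append(f"lowest-numbered interface {first['name']} ({first['label']}) "
                        f"is '{first['role']}', convention expects '{expect_first}'")
    return findings


def render_port_map(ifaces):
    """The 'map of the back of the box' to tape to the firewall."""
    lines = [f"{'label':<14}{'os name':<9}role"]
    for i in ifaces:
        lines.append(f"{i['label']:<14}{i['name']:<9}{i['role']}")
    return "\n".join(lines)


def render_pf_macros(ifaces):
    """pf.conf macros binding role names to whatever the OS called each port."""
    return "\n".join(f'{MACRO[i["role"]]} = "{i["name"]}"'
                     for i in ifaces if i["role"] in MACRO)


if __name__ == "__main__":
    table = parse_inventory(INVENTORY)
    print(render_port_map(table))
    print()
    print(render_pf_macros(table))
    for convention in ("outside", "mgmt"):
        print(f"\nconvention '{convention}-first':",
              check_layout(table, convention) or "OK")
```

Run as-is, the constructed inventory passes the management-first check and fails the outside-first one (em0 is `mgmt`, not `outside`), and the emitted macros put `ext_if` on `em4` exactly as in the OpenBSD deployment described above. Binding roles to macros is what makes the numbering argument moot for the ruleset: if the OS renumbers the ports after a hardware change, only the macro block and the taped-on map need updating.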

Date: 2004-08-27 07:50 pm (UTC)
From: [identity profile] docstrange.livejournal.com
Tom, I fear your savvy; I think you're right on the 0utside/1nside thing. Also with devices that rank interfaces for security, lower often means less trusted... but see my other note....

Date: 2004-08-28 07:01 am (UTC)
From: [identity profile] sweh.livejournal.com
I have read somewhere else (it might have been Firewall-1 documentation) about 0utside and 1nside, as a recommendation. Of course that didn't work in my deployment because we had 3 outside and 2 inside interfaces :-) Lines to other offices (eg the Dutch office) were considered "outside" since they were run by the relevant (eg Dutch) company and had their own internet connectivity and we didn't trust them, so they were outside our perimeter :-)

On my home machine, eth0 was my wired segment, eth1 the wireless segment and eth2 the internet. That just happened due to PCI card numbering order; eth2 was an older 10baseT card (DSL at 1.5Mbit/s meant that didn't matter!).

Powered by Dreamwidth Studios