[AusNOG] Interfaces swapping between physical NIC - Sidewinder v6 to v7

Nathan Gardiner ngardiner at gmail.com
Mon Jan 18 13:56:48 EST 2010


Hi Steven,

Unfortunately it's been long enough since I worked with FreeBSD that I
couldn't give you a precise answer, but in many recent Linux distributions,
it is possible to specify the MAC address of the physical interface you are
referring to within the configuration of each logical interface, e.g. set the
MAC affinity of eth0 to 01:23:45.... In this case, if some kernel or
hardware change forces interface renumbering or reordering, you can be sure
they won't change.

Might be worth researching whether the FreeBSD interface configuration (in
/etc/rc.conf) supports anything like this.


Nathan

On Mon, Jan 18, 2010 at 11:41 AM, <firewall-admin at hartfordgroup.com.au> wrote:

> Hi,
>
> We are in the process of upgrading our firewalls to Sidewinder V7, and
> after the initial upgrade we have found that the interfaces have swapped
> around physically. On 'Firewall1', the physical location of the interface
> was retained, however, the label of the interface was changed. On
> 'Firewall2', the configuration was kept consistent with the interface
> label, however, the physical location of the interface was changed to a
> different NIC and port.
>
> Below is a representation of what has happened, showing before the
> upgrade, and after:
>
> Firewall1
>
>    OUT INS
> V6  em0 em1 em2 em3     em7 em6 em5 em4
>    -----------------------------------
>    [ ] [ ] [ ] [ ]  |  [ ] [ ] [ ] [ ]
>    -----------------------------------
> V7  em4 em5 em6 em7     em3 em2 em1 em0
>    OUT INS
>
>
> Firewall2
>
>    OUT INS
> V6  em0 em1 em2 em3     em7 em6 em5 em4
>    -----------------------------------
>    [ ] [ ] [ ] [ ]  |  [ ] [ ] [ ] [ ]
>    -----------------------------------
> V7  em4 em5 em6 em7     em3 em2 em1 em0
>                                INS OUT
>
> OUT being outside interface, and INS being inside interface.
>
> As you can see, consistency was maintained between both firewalls with
> version 6, however, unfortunately this consistency was lost during the
> upgrade and we are struggling to restore it. As part of our policy and
> procedures, it is imperative that we maintain consistency across the board,
> eg named the lowest interface (for instance, outside on em0 - with em4
> being unacceptable). We attempted to use the 'cf interface swap' command
> using macaddr to limited success, whilst the actual interface configuration
> swaps, the interface label does not.
>
> I lodged a job with Secure Computing/Mcafee about this, and as suspected
> it is due to a change in the underlying OS between 6.1.2 and 7.0.1 (change
> from BSDi to FreeBSD). They suggested that moving the interfaces,
> physically (eg, putting it back to the V6 configuration, em0 being on the
> left NIC, left port) is impossible, but we can do a feature modification
> request to the developers there, no idea how long that would take.
>
> Does anyone know how I can avoid this happening in the future, or provide
> a work around solution?
>
> Any assistance greatly appreciated.
>
> Steven
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
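As an added example (not from Nathan's or Steven's mail, and not Sidewinder's own `cf interface` tooling), here is a POSIX shell script that implements what Nathan describes: the MAC address of each role-bearing NIC is recorded once, and after a reboot or OS upgrade the script looks those MACs up in the current interface inventory and emits either FreeBSD rc.conf `ifconfig_<if>_name` lines or Linux udev rules keyed on the MAC, plus a check that every MAC now carries its role name. All MACs, role names and inventory listings are constructed sample values; on a real host the inventory would be built from `ifconfig -a` (FreeBSD) or `/sys/class/net/*/address` (Linux).

```shell
#!/bin/sh
# Added example, not from the AusNOG thread or any vendor: pin interface role
# names to MAC addresses so that a kernel or driver change that reorders probe
# order (em0..em3 becoming em4..em7) cannot silently swap outside and inside.

# Desired pinning, MAC -> stable role name (constructed sample values).
WANTED='00:1b:21:aa:00:01 outside
00:1b:21:aa:00:02 inside
00:1b:21:aa:00:03 dmz'

# Inventories in "kernel_name mac" form (constructed samples). BEFORE is the
# old OS, AFTER is the same hardware after an upgrade reordered the names,
# PINNED is what AFTER looks like once the renames below have been applied.
INVENTORY_BEFORE='em0 00:1b:21:aa:00:01
em1 00:1b:21:aa:00:02
em2 00:1b:21:aa:00:03'
INVENTORY_AFTER='em4 00:1b:21:aa:00:01
em5 00:1b:21:aa:00:02
em6 00:1b:21:aa:00:03'
INVENTORY_PINNED='outside 00:1b:21:aa:00:01
inside 00:1b:21:aa:00:02
dmz 00:1b:21:aa:00:03'

# current_name MAC INVENTORY: print the kernel name that currently owns MAC
# (case-insensitive match), or nothing if the NIC is absent.
current_name() {
  printf '%s\n' "$2" | awk -v mac="$1" 'tolower($2)==tolower(mac){print $1; exit}'
}

# plan_renames INVENTORY: one "kernel_name role mac" line per wanted MAC,
# with "MISSING" in the first column when the NIC was not detected at all.
plan_renames() {
  inv=$1
  printf '%s\n' "$WANTED" | while read -r mac role; do
    [ -n "$mac" ] || continue
    cur=$(current_name "$mac" "$inv")
    printf '%s %s %s\n' "${cur:-MISSING}" "$role" "$mac"
  done
}

# freebsd_rc_lines INVENTORY: rc.conf lines using FreeBSD's ifconfig_<if>_name
# knob. The knob is keyed on the kernel-assigned name, so it must be regenerated
# from the MAC lookup after every reorder; a missing NIC is flagged, not renamed.
freebsd_rc_lines() {
  plan_renames "$1" | while read -r cur role mac; do
    if [ "$cur" = MISSING ]; then
      printf '# %s (%s) not detected, no rename emitted\n' "$role" "$mac"
    else
      printf 'ifconfig_%s_name="%s"\n' "$cur" "$role"
    fi
  done
}

# linux_udev_lines: udev rules keyed on the MAC itself, so they stay valid
# regardless of which kernel name the NIC was probed as.
linux_udev_lines() {
  printf '%s\n' "$WANTED" | while read -r mac role; do
    [ -n "$mac" ] || continue
    printf 'SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="%s", NAME="%s"\n' \
      "$mac" "$role"
  done
}

# verify_names INVENTORY: succeed only if every wanted MAC currently carries
# its role name. Suitable as a post-upgrade check before the firewall policy
# is trusted again.
verify_names() {
  plan_renames "$1" | awk '$1!=$2{bad=1} END{exit bad+0}'
}

# Stand-alone demo: DEMO=1 sh pin-ifaces.sh
if [ "${DEMO:-0}" = 1 ]; then
  echo '# rename plan for the post-upgrade inventory:'
  plan_renames "$INVENTORY_AFTER"
  echo '# FreeBSD rc.conf fragment:'
  freebsd_rc_lines "$INVENTORY_AFTER"
  echo '# Linux udev rules:'
  linux_udev_lines
  verify_names "$INVENTORY_PINNED" && echo '# pinned inventory verified'
fi
```

The design point is in the two emitters: the udev rule is self-describing because it matches on the MAC, whereas the FreeBSD rc.conf rename is keyed on whatever name the kernel assigned, so `freebsd_rc_lines` has to be rerun from the MAC lookup after any reorder, and `verify_names` is the check that the roles landed where the policy expects them.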