Add option to add arp_filter to network interfaces, two networks on same switch

Please add the possibility to add the arp_filter option to network interfaces to support the operation of the nethserver firewall with multiple network interfaces on the same switch.

This can be very helpful for testing purposes and also for using nethserver as an IDS/IPS and http-Proxy behind an internet router.

If arp_filter is not active, the internet connection gets very unstable; with the option, it works fine.

So I made a quick-patch:

vi /etc/e-smith/templates/etc/shorewall/interfaces/20nics

       if ($role eq 'green') {
            $OUT .= "loc\t".$i->key."\tdhcp,nosmurfs,routeback,arp_filter=1".$mac_option;
        } elsif ($role eq 'red') {
            $OUT.="net\t".$i->key."\tdhcp,nosmurfs,optional,arp_filter=1";

After that you see:
shell: sysctl net.ipv4.conf | grep arp_filter
output: net.ipv4.conf.ens161.arp_filter = 1

It would be really nice if there were a possibility to set this option without changing scripts.

1 Like

Bump. There should be a check box to have nethserver add the arp_filter option. It would make testing much easier and also allow using nethserver as a firewall behind another router, without having to separate the networks (which is not always possible). The logical separation is enough.

Even cheap switches (39 euros) support Vlan OOTB. 20 minutes for setting and testing should solve the issue.
IMVHO, due to the high risk of creating unpredictable (and really wrong) configurations, this kind of option might not even be considered interesting.

2 Likes

No, it is not that easy

  1. You need additional hardware and have to do additional cabling.
  2. It is not possible in some configurations. I have customers where I cannot change the switching infrastructure but still want to have nethserver as an outgoing filtering proxy and router in a VM. This VM has to have red and green interfaces in the same physical network (because it cannot be changed).
  3. Also, if you use a simple hardware or virtual nethserver behind another internet router to forward ports to some internal services with the extra protection of IPS and firewall, it is often not possible to change the physical cabling to have everything behind nethserver.

I use this patch at several sites for months now without any problems.

I hope that the dev team will consider this user case interesting enough to implement what you’re asking for.
In any case, in VM environment maybe you can just arrange a little different cable and host setup to avoid the use of arp_filter.

1 Like

The implementation is quite straightforward; the hard part will be describing the behavior without confusing the users. Maybe we could add the prop but not expose it in the UI? :thinking:

What do you think @davidep @davide_marini @filippo_carletti?

1 Like

I don’t like hidden configuration options, because you start to compare things in different installations by the UI and search forever for a difference. It should definitely be in the UI.

The checkbox should be called “Enable ARP filter” and the description “Enable on interfaces connected to the same switch to prevent firewall malfunctions (not recommended, but useful for special configurations and testing). See https://shorewall.org/troubleshoot.htm”.

1 Like

We need also a well written paragraph in the doc :wink:

Here it is:

ARP Filter: It is strongly recommended to have each Nethserver interface on a separate switch so they cannot see each other. Given the way the Linux kernel responds to ARP “who-has” requests, having several interfaces on the same switch does not work by default. If you really need this type of configuration for testing or special cases where network cabling cannot be changed, you have to check this option for every interface that is on the same switch as another interface of Nethserver. This option sets the “arp_filter=1” option for the interface. See also the Shorewall Troubleshooting Guide for more information.

Excellent, thank you!
For me it’s good, even adding on the UI.

Let’s wait thoughts from the cited developers.

1 Like

Just to add an alternative, even simpler implementation:
Instead of an option for each interface, it could be considered to have a global option which adds arp_filter=1 to all interfaces. Maybe this is even simpler, as in most cases there are not that many interfaces that you need to configure some with arp_filter=1 and some without (the extra option does no harm). My template also adds arp_filter=1 to all interfaces, so it is less likely to forget one.

1 Like

Bump.
What about implementing this feature?

I agree with @pike that the best approach is to physically separate networks.

We discussed the feature internally and we also interviewed other people outside this forum, but we didn’t receive any positive feedback on this feature request. :frowning:
As you can see, not even one other user here has a similar usage scenario.

In the end, we are not going to implement it. Still, we are open to contributions :slight_smile:

My final suggestion is to use a template-custom:

  • Create the dir: mkdir -p /etc/e-smith/templates-custom/etc/shorewall/interfaces/
  • Copy the original fragment: cp /etc/e-smith/templates/etc/shorewall/interfaces/20nics /etc/e-smith/templates-custom/etc/shorewall/interfaces/
  • Change /etc/e-smith/templates-custom/etc/shorewall/interfaces/20nics accordingly to your need
  • Apply the configuration: signal-event firewall-adjust

Your modification will survive updates and will even be saved inside the backup :wink:
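The template-custom procedure from the post above, together with the arp_filter patch and the sysctl check from the first post, as one script. This is an added example, not code from the thread or from the NethServer project. It assumes the two shorewall option strings quoted in the first post (`dhcp,nosmurfs,routeback` for green, `dhcp,nosmurfs,optional` for red) are what the stock 20nics fragment contains; the fixture it writes for dry runs is a constructed stand-in for that fragment, not the real file, and the scratch-directory argument is an addition so the script can be inspected without touching a live host.

```shell
#!/bin/sh
# Added example (not from the thread or NethServer): install a templates-custom
# copy of 20nics with arp_filter=1 added, then expand and verify it.
# Every function takes a root directory as $1: "" on a real NethServer,
# a scratch directory for a dry run.

TPL_REL="etc/e-smith/templates/etc/shorewall/interfaces/20nics"
CUSTOM_REL="etc/e-smith/templates-custom/etc/shorewall/interfaces/20nics"

# Write a stand-in 20nics fragment under $1. Constructed here, modelled on
# the lines quoted in the first post but without arp_filter; it is only a
# fixture for dry runs, not the real stock template.
make_fixture() {
    mkdir -p "$1/$(dirname "$TPL_REL")"
    cat > "$1/$TPL_REL" <<'EOF'
        if ($role eq 'green') {
            $OUT .= "loc\t".$i->key."\tdhcp,nosmurfs,routeback".$mac_option;
        } elsif ($role eq 'red') {
            $OUT.="net\t".$i->key."\tdhcp,nosmurfs,optional";
        }
EOF
}

# Append ,arp_filter=1 to the green (routeback) and red (optional) option
# lists in fragment $1. Idempotent: a second run changes nothing.
add_arp_filter() {
    grep -q 'arp_filter=1' "$1" && return 0
    sed -e 's/nosmurfs,routeback/nosmurfs,routeback,arp_filter=1/' \
        -e 's/nosmurfs,optional/nosmurfs,optional,arp_filter=1/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Copy the stock fragment into templates-custom under $1 and patch the copy.
# The stock file is left untouched, so package updates cannot overwrite it.
install_custom_template() {
    mkdir -p "$1/$(dirname "$CUSTOM_REL")"
    cp "$1/$TPL_REL" "$1/$CUSTOM_REL"
    add_arp_filter "$1/$CUSTOM_REL"
}

# Number of interface lines in fragment $1 that carry arp_filter=1.
count_arp_filter() {
    grep -c 'arp_filter=1' "$1" || :
}

# Live kernel value (0 or 1) for interface $1; the same thing the first
# post checked with "sysctl net.ipv4.conf | grep arp_filter".
live_arp_filter() {
    cat "/proc/sys/net/ipv4/conf/$1/arp_filter"
}

if [ "${1:-}" = "apply" ]; then
    # Real run on a NethServer host, as root: install, expand, verify.
    install_custom_template ""
    signal-event firewall-adjust
    for d in /proc/sys/net/ipv4/conf/*/; do
        i=$(basename "$d")
        echo "$i arp_filter=$(live_arp_filter "$i")"
    done
else
    # Dry run: build the fixture in a scratch directory and show the result.
    root=$(mktemp -d)
    make_fixture "$root"
    install_custom_template "$root"
    cat "$root/$CUSTOM_REL"
    rm -r "$root"
fi
```

Run it with no arguments to see the generated fragment in a scratch directory; run it as root with `apply` on the NethServer host to install the templates-custom copy, regenerate /etc/shorewall/interfaces via `signal-event firewall-adjust`, and print the resulting arp_filter value for every interface. Because the sed patterns only match the two option strings quoted in the thread, any other branch in the real 20nics (other roles) is left as it is; add a pattern for it if the global behaviour described later in the thread is wanted.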