Add an IP alias to ethernet interface
bryan at kadzban.is-a-geek.net
Wed Jun 6 20:00:16 PDT 2007
this list whose address isn't resolving again. It seems like it's
taking these messages about a half hour to get delivered. The message
I'm replying to was sent at 21:42 EDT, but wasn't delivered to my mail
server until 22:04 EDT. Might be worth double-checking what's going
on with postfix.)
Deskin Miller wrote:
> Alias interfaces let you run multiple independent copies of the same
> network server from the same NIC, and have them be addressed
> differently, have truly different DNS entries, and all use standard
> port numbers.
OK, but why does that require a different interface name? ;-) You
should be able to do all of that by just adding a second IP to the same
interface, without creating an alias. Aliases were required when using
net-tools, but they shouldn't be required anymore.
I am fairly sure that Apache (for instance) can run multiple copies of
itself, each with a different Listen directive pointing at a different
IP. AFAIK it does not require different interface names.
(I think this is because the only way to bind to a specific interface by
name is to use a non-portable ioctl. I'm not positive on that though.
I do know that bind(2) can choose which NIC it listens on based on the
IP address in the sockaddr_in structure that the server program passes
to it, and that *is* portable.)
> I imagine they're a huge win for low-end Web hosting companies, who
> might put several Web servers/VMs
Oh, I think I see where you're coming from; OK. VMs probably do require
different interface names on the host, yes.
But note that this ISP is not getting nearly as much separation as they
may think between the VMs: an attacker can take down all their VMs just
by changing which IP he targets, for instance. (Assuming there's some
DoS available against each of them. The same logic applies to taking
over each of the VMs, too, if the attacker has an exploit.) Maybe
that's not an issue for these small hosts, though. If the second IP
won't handle traffic that has to be separated for security reasons, then
it may be OK.
> They're wonderfully useful for firewall rules, <...> QOS <...>
I'm not sure how "-i eth0:4" is any different from "-d <IP for alias 4>"
when someone can flip their traffic over to eth0:4 just by changing its
destination IP. 802.1q VLANs, IMO, are a better way to separate your
traffic, if your switches properly support that protocol. Firewall rules
won't be any more *secure* if they use the alias, basically. (There may
be other advantages though.)
OTOH, if we're talking low-end hosting, there probably won't be any
security reason for using an alias anyway. Hmm.
Well, whatever. If it won't be too hard to maintain, then I suppose
creating the alias is fine. :-)
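The bind(2) behaviour described in this reply, as an added example that is not part of the original thread: a server selects the local IP it listens on by filling in the address in a sockaddr_in, with no interface name or alias involved. It assumes loopback (127.0.0.1) is configured on the host and that 192.0.2.1 (RFC 5737 TEST-NET-1) is not, so the second bind is refused with EADDRNOTAVAIL; the function names are this example's own.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a TCP listening socket bound to one specific local IPv4 address.
 * The address in sockaddr_in, not an interface name, selects where the
 * kernel will accept connections; this is portable BSD-socket behaviour.
 * Returns the listening fd, or -1 with errno set. */
int listen_on_address(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);          /* 0 lets the kernel pick a port */
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) {
        errno = EINVAL;
        return -1;
    }
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Ask the kernel which local address a socket actually ended up bound to.
 * Writes the dotted-quad into buf and returns the bound port, or -1. */
int bound_address(int fd, char *buf, size_t buflen)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return -1;
    if (inet_ntop(AF_INET, &sa.sin_addr, buf, (socklen_t)buflen) == NULL)
        return -1;
    return ntohs(sa.sin_port);
}

/* Self-check: bind to ip, confirm the kernel reports the same address back.
 * Returns 1 on success, 0 if the bind was refused or the address differs. */
int bound_to(const char *ip)
{
    char buf[INET_ADDRSTRLEN];
    int fd = listen_on_address(ip, 0);
    if (fd < 0)
        return 0;
    int ok = bound_address(fd, buf, sizeof buf) > 0 && strcmp(buf, ip) == 0;
    close(fd);
    return ok;
}

int main(void)
{
    char buf[INET_ADDRSTRLEN];
    /* Loopback is configured on every host, so this bind succeeds. */
    int fd = listen_on_address("127.0.0.1", 0);
    if (fd < 0) {
        perror("bind 127.0.0.1");
        return 1;
    }
    printf("listening on %s:%d\n", buf, bound_address(fd, buf, sizeof buf));
    close(fd);

    /* Assumption: 192.0.2.1 is not configured on this host, so bind() refuses
     * it with EADDRNOTAVAIL. A server can only listen on an IP the interface
     * already carries, whether that IP was added as an alias or plainly. */
    if (listen_on_address("192.0.2.1", 0) < 0)
        printf("192.0.2.1: %s\n", strerror(errno));
    return 0;
}
```

The same socket code serves an IP added with `ip addr add` and one added as a net-tools alias such as eth0:1; the kernel matches on the destination address, which is also why a firewall rule on `-i eth0:4` carries no more information than one on `-d <that IP>`.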