
Most of these pages contain my answers to questions, but I do not know the answer to this one. Sorry. (I mean: Help!)
In case that breaks, I put together a backup computer with two ethernet cards and installed Debian.
@fcs21:# uname -a
Linux fcs21 4.9.0-11-686-pae #1 SMP Debian 4.9.189-3+deb9u1 (2019-09-20) i686 GNU/Linux

I am trying to set it up and test it as an ordinary computer on my network, with a script to run which converts it to a firewall. Then if the old computer breaks, I can move the Red cable from the old to the new computer, run the script, and be back on the net.
The Green interface is on the motherboard and is called enp63s0. I plugged an ethernet cable into it, booted up, and logged in with ssh fcs21. (fcs21 = 192.168.1.120)
The Red interface is a Realtek in a PCI slot and is called enp5s9. It has no cable plugged into it. In the interfaces file it is given address 192.168.1.150, but it is not brought up automatically.
If I ping 192.168.1.150 from some other computer, I get 100% packet loss, as expected.
If I do ifup enp5s9, to bring up the interface that is not even plugged in, now the same ping works with 0% packet loss!
Is this expected? Is it not a serious flaw if packets from the internet that come in on the Red interface cannot be distinguished from packets from the Local Area Network that come in on the Green interface? What should I do? Here are the contents of /etc/network/interfaces.
@fcs21:/etc/network# cat interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug enp63s0
iface enp63s0 inet static
    address 192.168.1.120/24
    gateway 192.168.1.1
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 192.168.1.1
    dns-search keithdiane.us

iface enp5s9 inet static
    address 192.168.1.150/24
You can reconfigure your system for Strong Host Model and/or use multiple routing tables and source rules to control which NIC is used for which traffic: https://access.redhat.com/solutions/30564
I don't want to be messing up other, working, computers to try to make a second network. It will suffice if I can configure iptables to drop any packet that comes in through the Red interface addressed to 192.168.0.0/16, so I am thinking about how to write that and test it.
I just hope it's not hopeless.
update 2019-11-25(Mon) — I take that (half) back. I can imagine an operating system in which the Strong/Weak choice is an easily configurable option. I don't know if Debian is such a system, I don't in any case know how to do it, and I don't want to. I will try to use iptables to filter packets and test it by moving cables around.
It will be hopeless if I find out that the interface information is lost before the iptables filtering is applied. I am still blissfully ignorant of that possible fact.
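The interface information is not lost: iptables keeps the ingress interface of every packet and matches it with -i in the INPUT and FORWARD chains, so filtering "anything that arrived on Red" is possible. The ping to the unplugged interface succeeds because Linux, by default, answers an ARP request for any of its local addresses on whichever interface the request arrives, so 192.168.1.150 is answered on enp63s0. The script below is an added example written for this page, not the page author's own script: it prints (or, with "apply", installs) iptables rules that drop packets arriving on enp5s9 addressed to 192.168.0.0/16, and it goes beyond the page by also dropping packets with a private or loopback source address on Red and by setting the sysctls that make the kernel stop answering ARP for addresses that are not on the receiving interface. The chain name RED_IN and the extra source ranges are my choices; the interface names and the 192.168.0.0/16 range come from the page.

```shell
#!/bin/sh
# Added example, not the page author's script. Interface names and the
# 192.168.0.0/16 range come from the page; the chain name RED_IN and the
# extra anti-spoofing source ranges are assumptions made for this example.
RED=enp5s9              # Red: the interface that will face the internet
LAN_NET=192.168.0.0/16  # destinations that must never be reached via Red

# Print the iptables commands without applying them. iptables records the
# ingress interface for every packet, so "-i $RED" matches only traffic that
# physically arrived on Red; the same packets arriving on Green are untouched.
red_filter_rules() {
    cat <<EOF
iptables -N RED_IN
iptables -A RED_IN -d $LAN_NET -j DROP
iptables -A RED_IN -s 10.0.0.0/8 -j DROP
iptables -A RED_IN -s 172.16.0.0/12 -j DROP
iptables -A RED_IN -s 192.168.0.0/16 -j DROP
iptables -A RED_IN -s 127.0.0.0/8 -j DROP
iptables -I INPUT 1 -i $RED -j RED_IN
iptables -I FORWARD 1 -i $RED -j RED_IN
EOF
}

# Kernel knobs that remove the "ping to an unplugged interface answers" effect:
# arp_ignore=1 answers ARP only for addresses configured on the interface the
# request came in on, arp_filter=1 ties ARP replies to the routing table, and
# rp_filter=1 drops packets whose source address would not be routed back out
# the interface they arrived on.
host_model_sysctls() {
    cat <<EOF
net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.all.arp_filter=1
net.ipv4.conf.all.rp_filter=1
EOF
}

# Run as root with "apply" to install the rules; with no argument it only prints.
case "${1:-}" in
    apply)
        red_filter_rules | sh
        host_model_sysctls | while IFS= read -r kv; do sysctl -w "$kv"; done
        ;;
    *)
        red_filter_rules
        host_model_sysctls | sed 's/^/sysctl -w /'
        ;;
esac
```

Once applied, "iptables -vnL RED_IN" shows per-rule packet counters, so the filter can be tested by plugging the Red cable into the LAN switch and pinging 192.168.1.150: the DROP counters rise and the ping fails, while the same ping to 192.168.1.120 on Green is unaffected. "iptables -D INPUT -i enp5s9 -j RED_IN" (and the same for FORWARD) followed by "iptables -F RED_IN; iptables -X RED_IN" removes the rules again.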
(checked 2019-11-22)
This page best when viewed through the bottom of a beer mug...