robnagler
Joined: 25 Aug 2011
Posts: 3
Posted: Thu Aug 25, 2011 11:59 am    Post subject: Truly private backnet?

I was wondering if there is way to get a truly private backnet. The private IPs that get assigned to our linodes are not bunched together so that we could, say, treat 192.168.1.64/28, as a network in our server config. That way we could configure iptables to trust that network, and not have to list out each IP as trusted.
Is it possible to request a block of static, private IPs, and assign them to linodes as we see fit? Or, is this something that support could do?
Thanks,
Rob
caker
Joined: 15 Apr 2003
Posts: 2907
Location: Galloway, NJ
Posted: Thu Aug 25, 2011 12:04 pm

Private IPs get allocated luck-of-the-draw, so you won't be able to get a block of them reserved just for you.
You could do this with an IPv6 pool.
-Chris

Guspaz
Joined: 26 May 2009
Posts: 1150
Location: Montreal, QC
Posted: Thu Aug 25, 2011 1:16 pm

The existing private network provides the infrastructure; iptables rules and OpenVPN can do the rest.

vonskippy
Joined: 27 Dec 2009
Posts: 469
Location: Colorado, USA
Posted: Thu Aug 25, 2011 2:00 pm

Is OpenVPN really necessary for the private network?
I thought I read somewhere here that Linode doesn't allow promiscuous mode on the interfaces.
So no packet sniffing means no need for the encryption overhead on the private network traffic - or no?

Guspaz
Joined: 26 May 2009
Posts: 1150
Location: Montreal, QC
Posted: Thu Aug 25, 2011 2:05 pm

vonskippy wrote:
Is OpenVPN really necessary for the private network?
I thought I read somewhere here that Linode doesn't allow promiscuous mode on the interfaces.
So no packet sniffing means no need for the encryption overhead on the private network traffic - or no?

I say we take off and nuke the entire site from orbit. It's the only way to be sure.

|
Azathoth
Joined: 07 Dec 2009
Posts: 263
Posted: Fri Aug 26, 2011 1:15 am

Okay, I know this is an emotional moment for all of us. I know that. But let's not make snap judgments, please. This is clearly an important kind of servers we're dealing with and I don't think that you or I, or *anybody*, has the right to arbitrarily exterminate them.
Yeah... look, Rob, this is a multi-million dollar installation. Guspaz can't make that kind of decision. He's just a customer!
:mrgreen:

hoopycat
Joined: 30 Aug 2008
Posts: 1294
Location: Rochester, New York
Posted: Fri Aug 26, 2011 7:05 am

I'm with Guspaz on this one, at least as far as IPv4 goes. This capability exists and works with IPv6 pool addresses, and has the same antispoofing/antisniffing protections as the IPv4 public and private networks (at least locally). One iptables rule and, zing, it's done.
Yes, software support may vary, but it's not like IPv6 is new at this point.
-rt (Well the nodes come in these places / and the nodes are all the same / you don't look at their addresses / and you don't resolve their hostnames / you don't think of them as servers / you don't think of them at all / you keep your mind on the money / keeping your filters on the wall)

robnagler
Joined: 25 Aug 2011
Posts: 3
Posted: Fri Aug 26, 2011 6:10 pm

Thanks. I get it.
We gen all our net config so I decided to simply list out the ipv4 addresses in an include file. It's easy enough, and has the advantage of being very specific about which hosts are trusted. The software that generates the config does not support v6 at the moment, and I'm in a rush to get this migration out the door. :)
Thanks for all the help!
Rob
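As an added example (not code from this thread, from Rob's generator or from Linode), a small Python generator in the spirit of the per-host include file described above: it shows why luck-of-the-draw backnet addresses cannot be collapsed into one CIDR block such as 192.168.1.64/28, and emits one iptables rule per trusted host, refusing any address outside RFC 1918 so a typo cannot quietly trust a public host. The hostnames and addresses are constructed.

```python
import ipaddress

# Constructed sample: private backnet addresses as they were handed out,
# scattered rather than a contiguous block (hostnames and IPs are made up).
TRUSTED_HOSTS = {
    "web1": "192.168.1.67",
    "web2": "192.168.1.70",
    "db1": "192.168.130.12",
}

# RFC 1918 ranges: anything outside these must never end up in the trusted list.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def summarize(addrs):
    """Return the fewest CIDR blocks that cover exactly the given hosts.

    collapse_addresses only merges adjacent, aligned blocks; it never widens a
    prefix to take in addresses that were not listed, so the result trusts no
    host the input did not name. Scattered hosts simply stay as /32s.
    """
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(a) for a in addrs))


def generate_rules(hosts, chain="INPUT"):
    """Emit iptables-restore lines, one per trusted host, for an include file.

    Each address is checked against RFC 1918 first, so a typo that puts a
    public address into the host list fails loudly instead of being trusted.
    """
    rules = []
    for name, ip in sorted(hosts.items()):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in RFC1918):
            raise ValueError(f"{name}: {ip} is not a private backnet address")
        rules.append(f'-A {chain} -s {addr}/32 -m comment --comment "{name}" -j ACCEPT')
    return rules


if __name__ == "__main__":
    print("# CIDR blocks covering exactly the trusted hosts:")
    for net in summarize(TRUSTED_HOSTS.values()):
        print("#  ", net)
    print("\n".join(generate_rules(TRUSTED_HOSTS)))
```

With a genuinely contiguous allocation (say 192.168.1.64 through .79) summarize() yields the single 192.168.1.64/28 that Rob asked for; with the scattered sample it yields three /32s, which is why the per-host include file is the honest answer on IPv4.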