Linode Forum
https://forum.linode.com/

Truly private backnet?
https://forum.linode.com/viewtopic.php?f=19&t=7630
Page 1 of 1

Author:  robnagler [ Thu Aug 25, 2011 12:59 pm ]
Post subject:  Truly private backnet?

I was wondering if there is a way to get a truly private backnet. The private IPs that get assigned to our linodes are not bunched together so that we could, say, treat 192.168.1.64/28 as a network in our server config. That way we could configure iptables to trust that network, and not have to list out each IP as trusted.

Is it possible to request a block of static, private IPs, and assign them to linodes as we see fit? Or, is this something that support could do?

Thanks,
Rob

Author:  caker [ Thu Aug 25, 2011 1:04 pm ]
Post subject: 

Private IPs get allocated luck-of-the-draw, so you won't be able to get a block of them reserved just for you.

You could do this with an IPv6 pool.

-Chris

Author:  Guspaz [ Thu Aug 25, 2011 2:16 pm ]
Post subject: 

The existing private network provides the infrastructure; iptables rules and OpenVPN can do the rest.

Author:  vonskippy [ Thu Aug 25, 2011 3:00 pm ]
Post subject: 

Is OpenVPN really necessary for the private network?

I thought I read somewhere here that Linode doesn't allow promiscuous mode on the interfaces.

So no packet sniffing means no need for the encryption overhead on the private network traffic - or no?

Author:  Guspaz [ Thu Aug 25, 2011 3:05 pm ]
Post subject: 

vonskippy wrote:
Is OpenVPN really necessary for the private network?

I thought I read somewhere here that Linode doesn't allow promiscuous mode on the interfaces.

So no packet sniffing means no need for the encryption overhead on the private network traffic - or no?


I say we take off and nuke the entire site from orbit. It's the only way to be sure.

Author:  Azathoth [ Fri Aug 26, 2011 2:15 am ]
Post subject: 

Okay, I know this is an emotional moment for all of us. I know that. But let's not make snap judgments, please. This is clearly an important kind of servers we're dealing with and I don't think that you or I, or *anybody*, has the right to arbitrarily exterminate them.

Yeah... look, Rob, this is a multi-million dollar installation. Guspaz can't make that kind of decision. He's just a customer!

:mrgreen:

Author:  hoopycat [ Fri Aug 26, 2011 8:05 am ]
Post subject: 

I'm with Guspaz on this one, at least as far as IPv4 goes. This capability exists and works with IPv6 pool addresses, and has the same antispoofing/antisniffing protections as the IPv4 public and private networks (at least locally). One iptables rule and, zing, it's done.

Yes, software support may vary, but it's not like IPv6 is new at this point.

-rt (Well the nodes come in these places / and the nodes are all the same / you don't look at their addresses / and you don't resolve their hostnames / you don't think of them as servers / you don't think of them at all / you keep your mind on the money / keeping your filters on the wall)

Author:  robnagler [ Fri Aug 26, 2011 7:10 pm ]
Post subject: 

Thanks. I get it.

We gen all our net config so I decided to simply list out the IPv4 addresses in an include file. It's easy enough, and has the advantage of being very specific about which hosts are trusted. The software that generates the config does not support v6 at the moment, and I'm in a rush to get this migration out the door. :)

Thanks for all the help!
Rob
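
Added example, not part of the thread and not Rob's generator: one way to turn an include file of trusted private IPv4 hosts into per-host iptables-restore rules, rejecting CIDR blocks and non-private addresses so the trust list stays host-specific. The 192.168.0.0/16 range, the `eth0` interface, the `BACKNET` chain name and the sample addresses are assumptions.

```python
import ipaddress

# Assumptions (not from the thread): backnet addresses fall inside
# 192.168.0.0/16, traffic arrives on eth0, and the chain is named BACKNET.
PRIVATE_NET = ipaddress.ip_network("192.168.0.0/16")

# Constructed sample include file: one host per line, '#' starts a comment.
SAMPLE_INCLUDE = """\
192.168.130.10   # web1
192.168.201.7    # db1
192.168.130.10   # duplicate entry, ignored
"""

def parse_trusted(text):
    """Return the unique trusted hosts, rejecting anything but single private IPs."""
    hosts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            addr = ipaddress.IPv4Address(entry)  # fails on CIDR, names, IPv6
        except ipaddress.AddressValueError:
            raise ValueError(f"line {lineno}: not a single IPv4 host: {entry!r}")
        if addr not in PRIVATE_NET:
            raise ValueError(f"line {lineno}: {addr} is outside {PRIVATE_NET}")
        if addr not in hosts:
            hosts.append(addr)
    return hosts

def render_rules(hosts, iface="eth0", chain="BACKNET"):
    """Build iptables-restore lines for the *filter table."""
    # Chain declaration, then a jump so only private-range traffic is checked.
    rules = [f":{chain} - [0:0]",
             f"-A INPUT -i {iface} -s {PRIVATE_NET} -j {chain}"]
    # One ACCEPT per listed host; everything else from the private range drops.
    rules += [f"-A {chain} -s {h}/32 -j ACCEPT" for h in hosts]
    rules.append(f"-A {chain} -j DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(render_rules(parse_trusted(SAMPLE_INCLUDE))))
```

The final DROP in the chain means a neighbouring private address that is not in the include file gets nothing, which is the specificity a trusted /28 would not give.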

All times are UTC-04:00