# /etc/conf.d/net - how not to bring up devices in promisc?

## dman777

/etc/conf.d/net config_tap0 and config_eth0 bring up my devices in promiscuous mode. What is the config option to stop this?

----------

## Hu

What is the output of /sbin/ip link ; cat -n /etc/conf.d/net?

----------

## dman777

```
localhost three # cat hate
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
    link/ether 00:xx:1e:xx:xx:xx brd xf:xf:ff:ff:ff:ff
3: tap0: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast master br0 state DOWN qlen 500
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
```

/etc/conf.d/net:

```
# This blank configuration will automatically use DHCP for any net.*
# scripts in /etc/init.d.  To create a more complete configuration,
# please review /etc/conf.d/net.example and save your configuration
# in /etc/conf.d/net (this file :]!).
#config_eth0=( "192.168.x.x/24" )
#routes_eth0=( "default via 192.168.x.x") 

rc_need_br0="net.eth0 net.tap0"
rc_net_lo_provide="!net"
rc_net_tap0_provide="!net"
rc_net_eth0_provide="!net"

config_eth0=( "null" )
tunctl_tap0=( "-u kvmuser" )
config_tap0=( "null" )
tuntap_tap0=( "tap" )
mac_tap0=( "xxxxxxxxxxxx" )

bridge_br0=( "eth0 tap0" )
config_br0=( "192.168.xx.xx/24" )
routes_br0=( "default via 192.168.xx.xx" )
```

I x'd out the MAC address and IP addresses... I hope you don't mind. I always feel funny posting that kind of stuff in public.

----------

## krinn

You must use promiscuous mode to bridge the devices; this should answer how to stop it, but I doubt you will do that :)

And there's no point in hiding 192.168.* IP addresses; they are just private network IPs, no big deal giving that info. You might not give your internet IP, for security of course, but a private network IP is useless.

Anyone receiving a packet from you will also get your MAC address, and you can easily change it too, so also not a real issue.

Just to save you from x-ing out a lot next time.

----------

## dman777

 *krinn wrote:*   

> You must use promiscuous mode to bridge the devices...

 

I used to think this also, but it is not so. When I bring up the network manually...

```
# create the bridge and the tap device, bring the ports up, then enslave them
brctl addbr br0
tunctl -u user -t tap0
ifconfig eth0 up
ifconfig tap0 up
brctl addif br0 eth0
brctl addif br0 tap0
# the address and default route live on the bridge, not on its ports
ifconfig br0 192.168.xx.xx netmask 255.255.255.0 up
route add default gw 192.168.xx.xx
```

The devices do not come up in promisc mode...

```
localhost three # ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
    link/ether xxxx
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    link/ether xxx
4: tap0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master br0 state DOWN qlen 500
    link/ether xxxx
```

Plus, if I remember correctly, when I asked on #netfilter they stated that since the Linux bridge works at layer 2 the devices do not need to be in promisc mode. 

The bridge I use in this current non promisc mode works fine and my kvm guests on it have no problem communicating. 

Is there some way to defeat the promisc mode when bringing it up through OpenRC?
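A quick way to verify the claim above on any host, as an added example that is not part of the thread and not OpenRC's own code: the script below parses `ip link` output in the same shape as the listings in this thread and reports which ports carry the PROMISC flag and which bridge they are enslaved to, and it also decodes the kernel's own view from `/sys/class/net/<dev>/flags`, where IFF_PROMISC is bit 0x100. The sample listing is constructed; `check_host` is an assumed helper name for running both checks on a live system.

```bash
#!/bin/bash
# Added example: which interfaces are promiscuous, and which bridge owns them.

# promisc_ifaces: read `ip link` output on stdin and print "name master"
# for every interface whose flag set contains PROMISC ("-" if no master).
promisc_ifaces() {
    awk '
        /^[0-9]+: / {
            name = $2; sub(/:$/, "", name)        # "eth0:" -> "eth0"
            flags = $3                            # "<BROADCAST,...,PROMISC,UP>"
            master = "-"
            for (i = 4; i <= NF; i++)
                if ($i == "master") master = $(i + 1)
            if (flags ~ /[<,]PROMISC[,>]/) print name, master
        }'
}

# sysfs_promisc: given the hex value read from /sys/class/net/<dev>/flags
# (e.g. 0x1103), print "yes" if IFF_PROMISC (0x100) is set, else "no".
sysfs_promisc() {
    local flags=$(( $1 ))
    if (( flags & 0x100 )); then echo yes; else echo no; fi
}

# check_host (assumed helper): combine both views on a real system.
# `ip link` shows PROMISC from the same dev flags word that sysfs exposes,
# so a mismatch between the two would point at a stale or filtered view.
check_host() {
    ip link | promisc_ifaces
    local f dev
    for f in /sys/class/net/*/flags; do
        dev=${f#/sys/class/net/}; dev=${dev%/flags}
        printf '%s sysfs-promisc=%s\n' "$dev" "$(sysfs_promisc "$(cat "$f")")"
    done
}

# Constructed sample in the shape of the OpenRC-started bridge from the thread.
SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: tap0: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast master br0 state DOWN qlen 500
    link/ether 02:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 02:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff'

# Run with --demo to list the promiscuous ports of the constructed sample;
# on a real host call check_host instead.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | promisc_ifaces
fi
```

On the constructed sample the script lists eth0 and tap0 as promiscuous ports of br0 and leaves br0 itself out, which matches the first `ip link` listing in this thread; run `check_host` as root on the OpenRC-started and the manually built bridge to compare the two cases directly.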

----------

## Hu

 *krinn wrote:*   

> Anyone receiving a packet from you will also get your mac address, and you can easy change it too, also not a real issue.

 This is true only in a very strict sense, which I doubt most people would catch.  The MAC address is placed in the packet sent on the wire, but the first gateway to forward the packet will send out with the MAC address of the gateway.  Therefore, the party to which you sent the packet (the gateway) gets your MAC address, but any machine farther away, such as almost all public sites, will not receive your MAC address.

----------

## dman777

 *Hu wrote:*   

> *krinn wrote:* Anyone receiving a packet from you will also get your MAC address, and you can easily change it too, so also not a real issue.
>
> This is true only in a very strict sense, which I doubt most people would catch.  The MAC address is placed in the packet sent on the wire, but the first gateway to forward the packet will send out with the MAC address of the gateway.  Therefore, the party to which you sent the packet (the gateway) gets your MAC address, but any machine farther away, such as almost all public sites, will not receive your MAC address.

 

If I may ask, please: what is your opinion about the devices not being in promisc mode when I manually bring up the bridge, but being in promisc mode if I do it in OpenRC?

----------

## Hu

 *dman777 wrote:*   

> If I may ask, please: what is your opinion about the devices not being in promisc mode when I manually bring up the bridge, but being in promisc mode if I do it in OpenRC?

 I have always seen bridges implemented with promiscuous devices.  Is there a particular reason you care whether the device is promiscuous?

----------

## dman777

Yes, if a bridge can operate in non-promisc mode then you have double-layered protection. I'd rather the packet be dropped at the lower level by the virtual device in the bridge code before it reaches the firewall of the intended receiving host. Plus, with br0 in promisc mode, and all devices on the bridge in promisc mode because of OpenRC, all devices on that host will receive all packets. If that can be avoided, so much the better.

----------

