Create New Interface, Security Levels?Not able to connect to local network14.04 no internet connection when I up the bridge interface (for LXC container)Dual NIC not workingPages loading too long on new router (Ubuntu 18.04)

Why did quill pens persist until the early 19th century despite the capacity to make metal dip pens?

How can you coordinate an attack against a monster that cannot be gazed upon?

What helped Einstein to provide a more accurate description of gravity than Newton?

How to help my son improve without being discouraging?

Practically, how does an 'observer' collapse a wave function?

How can I run a cable past a horizontal block between studs in my wall?

Why is English not a regular language?

"bees" -> "hive" in 5 letter changes or fewer

Does microwaving food create particles that are not created when warming food by conventional means?

Why do some PCBs have the courtyard in the silkscreen layer?

What does it mean to support the brexit deal but need more time to scrutinise it?

Can only rich people become president?

SQL Server trusted connection additional security

Authentication versus Authorisation

Best way to get my money back from a friend having family problems

What are the applications of the Mean Value Theorem?

How can I tell if I have simplified my talk too much?

How do we distinguish old craters from new ones on the Moon?

Is it okay to have an email address called "SS"?

Why do non-aerobatic aircraft have a negative G limit?

Why derailleur guard is present only on more affordable bicycles

replacing single quotes with double quote in a file

Dealing with recruiters who clearly didn't look at my resume

“These days are over” vs. “those days are over”



Create New Interface, Security Levels?


Not able to connect to local network14.04 no internet connection when I up the bridge interface (for LXC container)Dual NIC not workingPages loading too long on new router (Ubuntu 18.04)






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;









0

















I've just brought up a new virtualized Ubuntu machine (image file: ubuntu-18.04-server-cloudimg-amd64.img) and when it spun up, it automatically created an interface that connected to the host:



root@ubuntu:~# ifconfig
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 192.0.2.100 netmask 255.255.255.0 broadcast 192.0.2.255
 inet6 fe80::f6a7:39ff:fe24:6fd3 prefixlen 64 scopeid 0x20<link>
 ether f4:a7:39:24:6f:d3 txqueuelen 1000 (Ethernet)
 RX packets 816060 bytes 59441737 (59.4 MB)
 RX errors 0 dropped 39912 overruns 0 frame 0
 TX packets 775552 bytes 66017744 (66.0 MB)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@ubuntu:~#


The IPv4 and MAC addresses were assigned by the host, and I can SSH into the Ubuntu VM just fine with the 192.0.2.100 IP address. The interface works just great.



So far, so good. But I have a need to create two other interfaces, so I did so using "ifconfig":



root@ubuntu:~# ifconfig ens4 10.0.0.10/24
root@ubuntu:~# ifconfig ens5 10.10.10.200/24
root@ubuntu:~#
root@ubuntu:~# ifconfig
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 192.0.2.100 netmask 255.255.255.0 broadcast 192.0.2.255
 inet6 fe80::f6a7:39ff:fe24:6fd3 prefixlen 64 scopeid 0x20<link>
 ether f4:a7:39:24:6f:d3 txqueuelen 1000 (Ethernet)
 ...etc...

ens4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 10.0.0.10 netmask 255.255.255.0 broadcast 10.0.0.255
 inet6 fe80::f6a7:39ff:fe24:6fd2 prefixlen 64 scopeid 0x20<link>
 ether f4:a7:39:24:6f:d2 txqueuelen 1000 (Ethernet)
 ...etc...

ens5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 10.10.10.200 netmask 255.255.255.0 broadcast 192.168.71.255
 inet6 fe80::f6a7:39ff:fe24:6fda prefixlen 64 scopeid 0x20<link>
 ether f4:a7:39:24:6f:da txqueuelen 1000 (Ethernet)
 ...etc...

root@ubuntu:~#


Note that the new interfaces MUST use these assigned IPs, I can't rely on DHCP for addresses.



I note that from other servers on the 10.10.10.x network, I can ping the Ubuntu VM on 10.10.10.200. So Network Layer 3 is working.



Here's the problem... While I can ping 10.10.10.200, I can't SSH, FTP, netcat, or do anything TCP to the same IP address. Attempted connections time out. When I tcpdump on Ubuntu, I can see the beginnings of the TCP handshake, but it looks like the connection is never established:



root@ubuntu:~# tcpdump -i ens5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes
19:08:05.171265 IP 10.10.10.10.46988 > ubuntu.ssh: Flags [S], seq 4112466036, win 29200, options [mss 1460,sackOK,TS val 2621364955 ecr 0,nop,wscale 9], length 0
19:08:05.171295 IP ubuntu.ssh > 10.10.10.10.46988: Flags [S.], seq 2729080149, ack 4112466037, win 28960, options [mss 1460,sackOK,TS val 3132539741 ecr 2621364955,nop,wscale 7], length 0
19:08:06.171804 IP 10.10.10.10.46988 > ubuntu.ssh: Flags [S], seq 4112466036, win 29200, options [mss 1460,sackOK,TS val 2621365956 ecr 0,nop,wscale 9], length 0
19:08:06.171824 IP ubuntu.ssh > 10.10.10.10.46988: Flags [S.], seq 2729080149, ack 4112466037, win 28960, options [mss 1460,sackOK,TS val 3132540741 ecr 2621364955,nop,wscale 7], length 0
^C
root@ubuntu:~#


At this point, I'm assuming the problem lies in how I created the new ens4 and ens5 interfaces; I just used the "ipconfig" command with a minimum of options:



root@ubuntu:~# ifconfig ens4 10.0.0.10/24
root@ubuntu:~# ifconfig ens5 10.10.10.200/24


I know that in RedHat, interfaces are assigned security levels or zones or something and if you want to get all traffic through the interface, you have to make sure those settings are correct. But I can't seem to find any similar information in the Ubuntu world.



So... Am I taking a too-simplistic approach to creating these interfaces? Is there a better way? Or are my woes caused by something else?



Many thanks!






networking 18.04 security interface







share|improve this question


























  • Security Levels in RHEL trace to firewall policies, you would need to set up firewall rules for traffic restrictions if you intended to do that. Have you considered setting static IPs with Netplan for those interfaces? You will also need to pick the ‘default’ interface as well in routing rules to make that work right as well.

    – Thomas Ward
    Jun 14 at 15:36











  • @ThomasWard Thanks Thomas! I currently have the Ubuntu's ufw disabled, under the theory that if the firewall is shut off, traffic will flow freely. No luck, however. Are you saying that I'd need to enable ufw and basically do a "PERMIT ALL" firewall rule?

    – Pete
    Jun 14 at 18:09











  • by 'flow freely' what do you mean? Flowing via subnets properly? Is this box acting as a router? That won't happen unless you configure NAT rules properly at the iptables level not the UFW level. Which you'd have to do in RHEL as well, but its 'security levels' is probably a SPECIALIZED RHEL build to take the place of a router and automatically handle the NAT rules.

    – Thomas Ward
    Jun 14 at 19:09












  • @ThomasWard Good question. This Ubuntu is intended to be an end host, specifically an IPFIX collector. All it has to do is receive incoming IPFIX data records and SSH management traffic. What is driving me nuts is that currently the Ubuntu VM accepts ICMP packets, but no TCP or UDP traffic. I set up an "ACCEPT ANY ANY" firewall rule in ufw but that didn't have any effect. I do see iptables is running and has a lot of rules permitting ICMP, which makes me think you're on to something here. I don't know much about how ufw and iptables work together, but I assume I'll need to config both?

    – Pete
    Jun 14 at 19:57











  • You would have to configure one or the other. I am currently not near a computer or I would pull you into chat to discuss what you need to achieve.

    – Thomas Ward
    Jun 14 at 20:07

















0

















I've just brought up a new virtualized Ubuntu machine (image file: ubuntu-18.04-server-cloudimg-amd64.img) and when it spun up, it automatically created an interface that connected to the host:



root@ubuntu:~# ifconfig
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 192.0.2.100 netmask 255.255.255.0 broadcast 192.0.2.255
 inet6 fe80::f6a7:39ff:fe24:6fd3 prefixlen 64 scopeid 0x20<link>
 ether f4:a7:39:24:6f:d3 txqueuelen 1000 (Ethernet)
 RX packets 816060 bytes 59441737 (59.4 MB)
 RX errors 0 dropped 39912 overruns 0 frame 0
 TX packets 775552 bytes 66017744 (66.0 MB)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@ubuntu:~#


The IPv4 and MAC addresses were assigned by the host, and I can SSH into the Ubuntu VM just fine with the 192.0.2.100 IP address. The interface works just great.



So far, so good. But I have a need to create two other interfaces, so I did so using "ifconfig":



root@ubuntu:~# ifconfig ens4 10.0.0.10/24
root@ubuntu:~# ifconfig ens5 10.10.10.200/24
root@ubuntu:~#
root@ubuntu:~# ifconfig
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 192.0.2.100 netmask 255.255.255.0 broadcast 192.0.2.255
 inet6 fe80::f6a7:39ff:fe24:6fd3 prefixlen 64 scopeid 0x20<link>
 ether f4:a7:39:24:6f:d3 txqueuelen 1000 (Ethernet)
 ...etc...

ens4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 10.0.0.10 netmask 255.255.255.0 broadcast 10.0.0.255
 inet6 fe80::f6a7:39ff:fe24:6fd2 prefixlen 64 scopeid 0x20<link>
 ether f4:a7:39:24:6f:d2 txqueuelen 1000 (Ethernet)
 ...etc...

ens5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 10.10.10.200 netmask 255.255.255.0 broadcast 192.168.71.255
 inet6 fe80::f6a7:39ff:fe24:6fda prefixlen 64 scopeid 0x20<link>
 ether f4:a7:39:24:6f:da txqueuelen 1000 (Ethernet)
 ...etc...

root@ubuntu:~#


Note that the new interfaces MUST use these assigned IPs, I can't rely on DHCP for addresses.



I note that from other servers on the 10.10.10.x network, I can ping the Ubuntu VM on 10.10.10.200. So Network Layer 3 is working.



Here's the problem... While I can ping 10.10.10.200, I can't SSH, FTP, netcat, or do anything TCP to the same IP address. Attempted connections time out. When I tcpdump on Ubuntu, I can see the beginnings of the TCP handshake, but it looks like the connection is never established:



root@ubuntu:~# tcpdump -i ens5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes
19:08:05.171265 IP 10.10.10.10.46988 > ubuntu.ssh: Flags [S], seq 4112466036, win 29200, options [mss 1460,sackOK,TS val 2621364955 ecr 0,nop,wscale 9], length 0
19:08:05.171295 IP ubuntu.ssh > 10.10.10.10.46988: Flags [S.], seq 2729080149, ack 4112466037, win 28960, options [mss 1460,sackOK,TS val 3132539741 ecr 2621364955,nop,wscale 7], length 0
19:08:06.171804 IP 10.10.10.10.46988 > ubuntu.ssh: Flags [S], seq 4112466036, win 29200, options [mss 1460,sackOK,TS val 2621365956 ecr 0,nop,wscale 9], length 0
19:08:06.171824 IP ubuntu.ssh > 10.10.10.10.46988: Flags [S.], seq 2729080149, ack 4112466037, win 28960, options [mss 1460,sackOK,TS val 3132540741 ecr 2621364955,nop,wscale 7], length 0
^C
root@ubuntu:~#


At this point, I'm assuming the problem lies in how I created the new ens4 and ens5 interfaces; I just used the "ipconfig" command with a minimum of options:



root@ubuntu:~# ifconfig ens4 10.0.0.10/24
root@ubuntu:~# ifconfig ens5 10.10.10.200/24


I know that in RedHat, interfaces are assigned security levels or zones or something and if you want to get all traffic through the interface, you have to make sure those settings are correct. But I can't seem to find any similar information in the Ubuntu world.



So... Am I taking a too-simplistic approach to creating these interfaces? Is there a better way? Or are my woes caused by something else?



Many thanks!






networking 18.04 security interface







share|improve this question


























  • Security Levels in RHEL trace to firewall policies, you would need to set up firewall rules for traffic restrictions if you intended to do that. Have you considered setting static IPs with Netplan for those interfaces? You will also need to pick the ‘default’ interface as well in routing rules to make that work right as well.

    – Thomas Ward
    Jun 14 at 15:36











  • @ThomasWard Thanks Thomas! I currently have the Ubuntu's ufw disabled, under the theory that if the firewall is shut off, traffic will flow freely. No luck, however. Are you saying that I'd need to enable ufw and basically do a "PERMIT ALL" firewall rule?

    – Pete
    Jun 14 at 18:09











  • by 'flow freely' what do you mean? Flowing via subnets properly? Is this box acting as a router? That won't happen unless you configure NAT rules properly at the iptables level not the UFW level. Which you'd have to do in RHEL as well, but its 'security levels' is probably a SPECIALIZED RHEL build to take the place of a router and automatically handle the NAT rules.

    – Thomas Ward
    Jun 14 at 19:09












  • @ThomasWard Good question. This Ubuntu is intended to be an end host, specifically an IPFIX collector. All it has to do is receive incoming IPFIX data records and SSH management traffic. What is driving me nuts is that currently the Ubuntu VM accepts ICMP packets, but no TCP or UDP traffic. I set up an "ACCEPT ANY ANY" firewall rule in ufw but that didn't have any effect. I do see iptables is running and has a lot of rules permitting ICMP, which makes me think you're on to something here. I don't know much about how ufw and iptables work together, but I assume I'll need to config both?

    – Pete
    Jun 14 at 19:57











  • You would have to configure one or the other. I am currently not near a computer or I would pull you into chat to discuss what you need to achieve.

    – Thomas Ward
    Jun 14 at 20:07













0












0








0








I've just brought up a new virtualized Ubuntu machine (image file: ubuntu-18.04-server-cloudimg-amd64.img) and when it spun up, it automatically created an interface that connected to the host:



root@ubuntu:~# ifconfig
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 192.0.2.100 netmask 255.255.255.0 broadcast 192.0.2.255
 inet6 fe80::f6a7:39ff:fe24:6fd3 prefixlen 64 scopeid 0x20<link>
 ether f4:a7:39:24:6f:d3 txqueuelen 1000 (Ethernet)
 RX packets 816060 bytes 59441737 (59.4 MB)
 RX errors 0 dropped 39912 overruns 0 frame 0
 TX packets 775552 bytes 66017744 (66.0 MB)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@ubuntu:~#


The IPv4 and MAC addresses were assigned by the host, and I can SSH into the Ubuntu VM just fine with the 192.0.2.100 IP address. The interface works just great.



So far, so good. But I have a need to create two other interfaces, so I did so using "ifconfig":



root@ubuntu:~# ifconfig ens4 10.0.0.10/24
root@ubuntu:~# ifconfig ens5 10.10.10.200/24
root@ubuntu:~#
root@ubuntu:~# ifconfig
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 192.0.2.100 netmask 255.255.255.0 broadcast 192.0.2.255
 inet6 fe80::f6a7:39ff:fe24:6fd3 prefixlen 64 scopeid 0x20<link>
 ether f4:a7:39:24:6f:d3 txqueuelen 1000 (Ethernet)
 ...etc...

ens4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 10.0.0.10 netmask 255.255.255.0 broadcast 10.0.0.255
 inet6 fe80::f6a7:39ff:fe24:6fd2 prefixlen 64 scopeid 0x20<link>
 ether f4:a7:39:24:6f:d2 txqueuelen 1000 (Ethernet)
 ...etc...

ens5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 10.10.10.200 netmask 255.255.255.0 broadcast 192.168.71.255
 inet6 fe80::f6a7:39ff:fe24:6fda prefixlen 64 scopeid 0x20<link>
 ether f4:a7:39:24:6f:da txqueuelen 1000 (Ethernet)
 ...etc...

root@ubuntu:~#


Note that the new interfaces MUST use these assigned IPs, I can't rely on DHCP for addresses.



I note that from other servers on the 10.10.10.x network, I can ping the Ubuntu VM on 10.10.10.200. So Network Layer 3 is working.



Here's the problem... While I can ping 10.10.10.200, I can't SSH, FTP, netcat, or do anything TCP to the same IP address. Attempted connections time out. When I tcpdump on Ubuntu, I can see the beginnings of the TCP handshake, but it looks like the connection is never established:



root@ubuntu:~# tcpdump -i ens5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes
19:08:05.171265 IP 10.10.10.10.46988 > ubuntu.ssh: Flags [S], seq 4112466036, win 29200, options [mss 1460,sackOK,TS val 2621364955 ecr 0,nop,wscale 9], length 0
19:08:05.171295 IP ubuntu.ssh > 10.10.10.10.46988: Flags [S.], seq 2729080149, ack 4112466037, win 28960, options [mss 1460,sackOK,TS val 3132539741 ecr 2621364955,nop,wscale 7], length 0
19:08:06.171804 IP 10.10.10.10.46988 > ubuntu.ssh: Flags [S], seq 4112466036, win 29200, options [mss 1460,sackOK,TS val 2621365956 ecr 0,nop,wscale 9], length 0
19:08:06.171824 IP ubuntu.ssh > 10.10.10.10.46988: Flags [S.], seq 2729080149, ack 4112466037, win 28960, options [mss 1460,sackOK,TS val 3132540741 ecr 2621364955,nop,wscale 7], length 0
^C
root@ubuntu:~#


At this point, I'm assuming the problem lies in how I created the new ens4 and ens5 interfaces; I just used the "ipconfig" command with a minimum of options:



root@ubuntu:~# ifconfig ens4 10.0.0.10/24
root@ubuntu:~# ifconfig ens5 10.10.10.200/24


I know that in RedHat, interfaces are assigned security levels or zones or something and if you want to get all traffic through the interface, you have to make sure those settings are correct. But I can't seem to find any similar information in the Ubuntu world.



So... Am I taking a too-simplistic approach to creating these interfaces? Is there a better way? Or are my woes caused by something else?



Many thanks!






networking 18.04 security interface







share|improve this question















I've just brought up a new virtualized Ubuntu machine (image file: ubuntu-18.04-server-cloudimg-amd64.img) and when it spun up, it automatically created an interface that connected to the host:



root@ubuntu:~# ifconfig
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 192.0.2.100 netmask 255.255.255.0 broadcast 192.0.2.255
 inet6 fe80::f6a7:39ff:fe24:6fd3 prefixlen 64 scopeid 0x20<link>
 ether f4:a7:39:24:6f:d3 txqueuelen 1000 (Ethernet)
 RX packets 816060 bytes 59441737 (59.4 MB)
 RX errors 0 dropped 39912 overruns 0 frame 0
 TX packets 775552 bytes 66017744 (66.0 MB)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@ubuntu:~#


The IPv4 and MAC addresses were assigned by the host, and I can SSH into the Ubuntu VM just fine with the 192.0.2.100 IP address. The interface works just great.



So far, so good. But I have a need to create two other interfaces, so I did so using "ifconfig":



root@ubuntu:~# ifconfig ens4 10.0.0.10/24
root@ubuntu:~# ifconfig ens5 10.10.10.200/24
root@ubuntu:~#
root@ubuntu:~# ifconfig
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 192.0.2.100 netmask 255.255.255.0 broadcast 192.0.2.255
 inet6 fe80::f6a7:39ff:fe24:6fd3 prefixlen 64 scopeid 0x20<link>
 ether f4:a7:39:24:6f:d3 txqueuelen 1000 (Ethernet)
 ...etc...

ens4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 10.0.0.10 netmask 255.255.255.0 broadcast 10.0.0.255
 inet6 fe80::f6a7:39ff:fe24:6fd2 prefixlen 64 scopeid 0x20<link>
 ether f4:a7:39:24:6f:d2 txqueuelen 1000 (Ethernet)
 ...etc...

ens5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 10.10.10.200 netmask 255.255.255.0 broadcast 192.168.71.255
 inet6 fe80::f6a7:39ff:fe24:6fda prefixlen 64 scopeid 0x20<link>
 ether f4:a7:39:24:6f:da txqueuelen 1000 (Ethernet)
 ...etc...

root@ubuntu:~#


Note that the new interfaces MUST use these assigned IPs, I can't rely on DHCP for addresses.



I note that from other servers on the 10.10.10.x network, I can ping the Ubuntu VM on 10.10.10.200. So Network Layer 3 is working.



Here's the problem... While I can ping 10.10.10.200, I can't SSH, FTP, netcat, or do anything TCP to the same IP address. Attempted connections time out. When I tcpdump on Ubuntu, I can see the beginnings of the TCP handshake, but it looks like the connection is never established:



root@ubuntu:~# tcpdump -i ens5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes
19:08:05.171265 IP 10.10.10.10.46988 > ubuntu.ssh: Flags [S], seq 4112466036, win 29200, options [mss 1460,sackOK,TS val 2621364955 ecr 0,nop,wscale 9], length 0
19:08:05.171295 IP ubuntu.ssh > 10.10.10.10.46988: Flags [S.], seq 2729080149, ack 4112466037, win 28960, options [mss 1460,sackOK,TS val 3132539741 ecr 2621364955,nop,wscale 7], length 0
19:08:06.171804 IP 10.10.10.10.46988 > ubuntu.ssh: Flags [S], seq 4112466036, win 29200, options [mss 1460,sackOK,TS val 2621365956 ecr 0,nop,wscale 9], length 0
19:08:06.171824 IP ubuntu.ssh > 10.10.10.10.46988: Flags [S.], seq 2729080149, ack 4112466037, win 28960, options [mss 1460,sackOK,TS val 3132540741 ecr 2621364955,nop,wscale 7], length 0
^C
root@ubuntu:~#


At this point, I'm assuming the problem lies in how I created the new ens4 and ens5 interfaces; I just used the "ipconfig" command with a minimum of options:



root@ubuntu:~# ifconfig ens4 10.0.0.10/24
root@ubuntu:~# ifconfig ens5 10.10.10.200/24


I know that in RedHat, interfaces are assigned security levels or zones or something and if you want to get all traffic through the interface, you have to make sure those settings are correct. But I can't seem to find any similar information in the Ubuntu world.



So... Am I taking a too-simplistic approach to creating these interfaces? Is there a better way? Or are my woes caused by something else?



Many thanks!






networking 18.04 security interface




networking 18.04 security interface






share|improve this question














share|improve this question











share|improve this question




share|improve this question










asked Jun 14 at 15:34









PetePete

1011 bronze badge




1011 bronze badge















  • Security Levels in RHEL trace to firewall policies, you would need to set up firewall rules for traffic restrictions if you intended to do that. Have you considered setting static IPs with Netplan for those interfaces? You will also need to pick the ‘default’ interface as well in routing rules to make that work right as well.

    – Thomas Ward
    Jun 14 at 15:36











  • @ThomasWard Thanks Thomas! I currently have the Ubuntu's ufw disabled, under the theory that if the firewall is shut off, traffic will flow freely. No luck, however. Are you saying that I'd need to enable ufw and basically do a "PERMIT ALL" firewall rule?

    – Pete
    Jun 14 at 18:09











  • by 'flow freely' what do you mean? Flowing via subnets properly? Is this box acting as a router? That won't happen unless you configure NAT rules properly at the iptables level not the UFW level. Which you'd have to do in RHEL as well, but its 'security levels' is probably a SPECIALIZED RHEL build to take the place of a router and automatically handle the NAT rules.

    – Thomas Ward
    Jun 14 at 19:09












  • @ThomasWard Good question. This Ubuntu is intended to be an end host, specifically an IPFIX collector. All it has to do is receive incoming IPFIX data records and SSH management traffic. What is driving me nuts is that currently the Ubuntu VM accepts ICMP packets, but no TCP or UDP traffic. I set up an "ACCEPT ANY ANY" firewall rule in ufw but that didn't have any effect. I do see iptables is running and has a lot of rules permitting ICMP, which makes me think you're on to something here. I don't know much about how ufw and iptables work together, but I assume I'll need to config both?

    – Pete
    Jun 14 at 19:57











  • You would have to configure one or the other. I am currently not near a computer or I would pull you into chat to discuss what you need to achieve.

    – Thomas Ward
    Jun 14 at 20:07

















  • Security Levels in RHEL trace to firewall policies, you would need to set up firewall rules for traffic restrictions if you intended to do that. Have you considered setting static IPs with Netplan for those interfaces? You will also need to pick the ‘default’ interface as well in routing rules to make that work right as well.

    – Thomas Ward
    Jun 14 at 15:36











  • @ThomasWard Thanks Thomas! I currently have the Ubuntu's ufw disabled, under the theory that if the firewall is shut off, traffic will flow freely. No luck, however. Are you saying that I'd need to enable ufw and basically do a "PERMIT ALL" firewall rule?

    – Pete
    Jun 14 at 18:09











  • by 'flow freely' what do you mean? Flowing via subnets properly? Is this box acting as a router? That won't happen unless you configure NAT rules properly at the iptables level not the UFW level. Which you'd have to do in RHEL as well, but its 'security levels' is probably a SPECIALIZED RHEL build to take the place of a router and automatically handle the NAT rules.

    – Thomas Ward
    Jun 14 at 19:09












  • @ThomasWard Good question. This Ubuntu is intended to be an end host, specifically an IPFIX collector. All it has to do is receive incoming IPFIX data records and SSH management traffic. What is driving me nuts is that currently the Ubuntu VM accepts ICMP packets, but no TCP or UDP traffic. I set up an "ACCEPT ANY ANY" firewall rule in ufw but that didn't have any effect. I do see iptables is running and has a lot of rules permitting ICMP, which makes me think you're on to something here. I don't know much about how ufw and iptables work together, but I assume I'll need to config both?

    – Pete
    Jun 14 at 19:57











  • You would have to configure one or the other. I am currently not near a computer or I would pull you into chat to discuss what you need to achieve.

    – Thomas Ward
    Jun 14 at 20:07
















Security Levels in RHEL trace to firewall policies, you would need to set up firewall rules for traffic restrictions if you intended to do that. Have you considered setting static IPs with Netplan for those interfaces? You will also need to pick the ‘default’ interface as well in routing rules to make that work right as well.

– Thomas Ward
Jun 14 at 15:36





Security Levels in RHEL trace to firewall policies, you would need to set up firewall rules for traffic restrictions if you intended to do that. Have you considered setting static IPs with Netplan for those interfaces? You will also need to pick the ‘default’ interface as well in routing rules to make that work right as well.

– Thomas Ward
Jun 14 at 15:36













@ThomasWard Thanks Thomas! I currently have the Ubuntu's ufw disabled, under the theory that if the firewall is shut off, traffic will flow freely. No luck, however. Are you saying that I'd need to enable ufw and basically do a "PERMIT ALL" firewall rule?

– Pete
Jun 14 at 18:09





@ThomasWard Thanks Thomas! I currently have the Ubuntu's ufw disabled, under the theory that if the firewall is shut off, traffic will flow freely. No luck, however. Are you saying that I'd need to enable ufw and basically do a "PERMIT ALL" firewall rule?

– Pete
Jun 14 at 18:09













by 'flow freely' what do you mean? Flowing via subnets properly? Is this box acting as a router? That won't happen unless you configure NAT rules properly at the iptables level not the UFW level. Which you'd have to do in RHEL as well, but its 'security levels' is probably a SPECIALIZED RHEL build to take the place of a router and automatically handle the NAT rules.

– Thomas Ward
Jun 14 at 19:09






by 'flow freely' what do you mean? Flowing via subnets properly? Is this box acting as a router? That won't happen unless you configure NAT rules properly at the iptables level not the UFW level. Which you'd have to do in RHEL as well, but its 'security levels' is probably a SPECIALIZED RHEL build to take the place of a router and automatically handle the NAT rules.

– Thomas Ward
Jun 14 at 19:09














@ThomasWard Good question. This Ubuntu is intended to be an end host, specifically an IPFIX collector. All it has to do is receive incoming IPFIX data records and SSH management traffic. What is driving me nuts is that currently the Ubuntu VM accepts ICMP packets, but no TCP or UDP traffic. I set up an "ACCEPT ANY ANY" firewall rule in ufw but that didn't have any effect. I do see iptables is running and has a lot of rules permitting ICMP, which makes me think you're on to something here. I don't know much about how ufw and iptables work together, but I assume I'll need to config both?

– Pete
Jun 14 at 19:57





@ThomasWard Good question. This Ubuntu is intended to be an end host, specifically an IPFIX collector. All it has to do is receive incoming IPFIX data records and SSH management traffic. What is driving me nuts is that currently the Ubuntu VM accepts ICMP packets, but no TCP or UDP traffic. I set up an "ACCEPT ANY ANY" firewall rule in ufw but that didn't have any effect. I do see iptables is running and has a lot of rules permitting ICMP, which makes me think you're on to something here. I don't know much about how ufw and iptables work together, but I assume I'll need to config both?

– Pete
Jun 14 at 19:57













You would have to configure one or the other. I am currently not near a computer or I would pull you into chat to discuss what you need to achieve.

– Thomas Ward
Jun 14 at 20:07





You would have to configure one or the other. I am currently not near a computer or I would pull you into chat to discuss what you need to achieve.

– Thomas Ward
Jun 14 at 20:07










0






active

oldest

votes













Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "89"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);














draft saved

draft discarded
















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1151101%2fcreate-new-interface-security-levels%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown


























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes
















draft saved

draft discarded















































Thanks for contributing an answer to Ask Ubuntu!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1151101%2fcreate-new-interface-security-levels%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown









-

Popular posts from this blog

Tamil (spriik) Luke uk diar | Nawigatjuun

Image
Fering ArtiikelDrawiidisk Spriiken SölringÖömrangFeringHalunderHalifreeskMooringWiringhiirderKarhiirderGooshiirderDrawiidisk SpriikTamil NaduIndienSri Lanka (function()var node=document.getElementById("mw-dismissablenotice-anonplace");if(node)node.outerHTML="u003Cdiv class="mw-dismissable-notice"u003Eu003Cdiv class="mw-dismissable-notice-close"u003E[u003Ca tabindex="0" role="button"u003EFersteegu003C/au003E]u003C/divu003Eu003Cdiv class="mw-dismissable-notice-body"u003Eu003Cdiv id="localNotice" lang="frr" dir="ltr"u003Eu003Cdiv id="sitenotice"u003Enu003Ccenteru003Enu003Ctable class="rahmenfarbe4" style="border-style: solid; border-width: thin; width: 70%;"u003Ennu003Ctbodyu003Eu003Ctru003Enu003Ctd style="text-align:center;"u003Eu003Ca href="/wiki/Datei:Nordfriesischeflagge.svg" class="image"u003Eu003Cimg alt="Nordfriesische
Read more

Align equal signs while including text over equalitiesAMS align: left aligned text/math plus multicolumn alignmentMultiple alignmentsAligning equations in multiple placesNumbering and aligning an equation with multiple columnsHow to align one equation with another multline equationUsing \ in environments inside the begintabularxNumber equations and preserving alignment of equal signsHow can I align equations to the left and to the right?Double equation alignment problem within align enviromentAligned within align: Why are they right-aligned?

Image
Why didn't the Universal Translator speak whale? What is /dev/null and why can't I use hx on it? The work of mathematicians outside their professional environment Does the DOJ's declining to investigate the Trump-Zelensky call ruin the basis for impeachment? Are there any tricks to pushing a grand piano? Maintaining distance Does it require less energy to reach the Sun from Pluto's orbit than from Earth's orbit? Object Oriented Design: Where to place behavior that pertains to more than one type of object? Choice of solvent during thin layer chromatography How to catch creatures that can predict the next few minutes? Use floats or doubles when writing mobile games How come the Russian cognate for the Czech word "čerstvý" (fresh) means entirely the opposite thing (stale)? What are the limits on an impeached and not convicted president? How to calculate Limit of this sequence Bash-script as linux-service won't run, but executed
Read more

Where does the image of a data connector as a sharp metal spike originate from?Where does the concept of infected people turning into zombies only after death originate from?Where does the motif of a reanimated human head originate?Where did the notion that Dragons could speak originate?Where does the archetypal image of the 'Grey' alien come from?Where did the suffix '-Man' originate?Where does the notion of being injured or killed by an illusion originate?Where did the term “sophont” originate?Where does the trope of magic spells being driven by advanced technology originate from?Where did the term “the living impaired” originate?

Image
Automatically extend a Python list to N elements if it's too short? Fired for a policy I didnt know about, as well as another false reason Why isn't tilde recognised as home folder in this case? When does an Artillerist's Cannon have disadvantage? How large should a hole be for a bolt to go through? When is TeX better than LaTeX? How to determine if drill is suitable for concrete? Huygens Lander: Why The Short Battery Life? Why do people use bigger cassettes for lower gearing when they could instead use smaller chainrings? Is there a difference between downloading / installing a list of packages and downloading each packge by its own? Question about exercise 21.10 in The TeXbook How to publish a page using tridion core service client in sdl web 8.5 Can one get into trouble if one doesn't show up at the gate 30 minutes before departure (or whatever time window the boarding pass is indicating)? Does an action-reaction pair always contain the same
Read more