Create New Interface, Security Levels?

I've just brought up a new virtualized Ubuntu machine (image file: ubuntu-18.04-server-cloudimg-amd64.img) and when it spun up, it automatically created an interface that connected to the host:



root@ubuntu:~# ifconfig
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.0.2.100 netmask 255.255.255.0 broadcast 192.0.2.255
        inet6 fe80::f6a7:39ff:fe24:6fd3 prefixlen 64 scopeid 0x20<link>
        ether f4:a7:39:24:6f:d3 txqueuelen 1000 (Ethernet)
        RX packets 816060 bytes 59441737 (59.4 MB)
        RX errors 0 dropped 39912 overruns 0 frame 0
        TX packets 775552 bytes 66017744 (66.0 MB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@ubuntu:~#


The IPv4 and MAC addresses were assigned by the host, and I can SSH into the Ubuntu VM just fine with the 192.0.2.100 IP address. The interface works just great.



So far, so good. But I have a need to create two other interfaces, so I did so using "ifconfig":



root@ubuntu:~# ifconfig ens4 10.0.0.10/24
root@ubuntu:~# ifconfig ens5 10.10.10.200/24
root@ubuntu:~#
root@ubuntu:~# ifconfig
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.0.2.100 netmask 255.255.255.0 broadcast 192.0.2.255
        inet6 fe80::f6a7:39ff:fe24:6fd3 prefixlen 64 scopeid 0x20<link>
        ether f4:a7:39:24:6f:d3 txqueuelen 1000 (Ethernet)
        ...etc...

ens4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.0.0.10 netmask 255.255.255.0 broadcast 10.0.0.255
        inet6 fe80::f6a7:39ff:fe24:6fd2 prefixlen 64 scopeid 0x20<link>
        ether f4:a7:39:24:6f:d2 txqueuelen 1000 (Ethernet)
        ...etc...

ens5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.10.10.200 netmask 255.255.255.0 broadcast 192.168.71.255
        inet6 fe80::f6a7:39ff:fe24:6fda prefixlen 64 scopeid 0x20<link>
        ether f4:a7:39:24:6f:da txqueuelen 1000 (Ethernet)
        ...etc...

root@ubuntu:~#


Note that the new interfaces MUST use these assigned IPs; I can't rely on DHCP for addresses.



I note that from other servers on the 10.10.10.x network, I can ping the Ubuntu VM on 10.10.10.200. So Network Layer 3 is working.



Here's the problem... While I can ping 10.10.10.200, I can't SSH, FTP, netcat, or do anything TCP to the same IP address. Attempted connections time out. When I tcpdump on Ubuntu, I can see the beginnings of the TCP handshake, but it looks like the connection is never established:



root@ubuntu:~# tcpdump -i ens5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes
19:08:05.171265 IP 10.10.10.10.46988 > ubuntu.ssh: Flags [S], seq 4112466036, win 29200, options [mss 1460,sackOK,TS val 2621364955 ecr 0,nop,wscale 9], length 0
19:08:05.171295 IP ubuntu.ssh > 10.10.10.10.46988: Flags [S.], seq 2729080149, ack 4112466037, win 28960, options [mss 1460,sackOK,TS val 3132539741 ecr 2621364955,nop,wscale 7], length 0
19:08:06.171804 IP 10.10.10.10.46988 > ubuntu.ssh: Flags [S], seq 4112466036, win 29200, options [mss 1460,sackOK,TS val 2621365956 ecr 0,nop,wscale 9], length 0
19:08:06.171824 IP ubuntu.ssh > 10.10.10.10.46988: Flags [S.], seq 2729080149, ack 4112466037, win 28960, options [mss 1460,sackOK,TS val 3132540741 ecr 2621364955,nop,wscale 7], length 0
^C
root@ubuntu:~#


At this point, I'm assuming the problem lies in how I created the new ens4 and ens5 interfaces; I just used the "ifconfig" command with a minimum of options:



root@ubuntu:~# ifconfig ens4 10.0.0.10/24
root@ubuntu:~# ifconfig ens5 10.10.10.200/24


I know that in RedHat, interfaces are assigned security levels or zones or something and if you want to get all traffic through the interface, you have to make sure those settings are correct. But I can't seem to find any similar information in the Ubuntu world.



So... Am I taking a too-simplistic approach to creating these interfaces? Is there a better way? Or are my woes caused by something else?



Many thanks!










  • Security Levels in RHEL trace to firewall policies; you would need to set up firewall rules for traffic restrictions if you intended to do that. Have you considered setting static IPs with Netplan for those interfaces? You will also need to pick the ‘default’ interface as well in routing rules to make that work right as well.

    – Thomas Ward
    Jun 14 at 15:36











  • @ThomasWard Thanks Thomas! I currently have the Ubuntu's ufw disabled, under the theory that if the firewall is shut off, traffic will flow freely. No luck, however. Are you saying that I'd need to enable ufw and basically do a "PERMIT ALL" firewall rule?

    – Pete
    Jun 14 at 18:09











  • By 'flow freely' what do you mean? Flowing via subnets properly? Is this box acting as a router? That won't happen unless you configure NAT rules properly at the iptables level not the UFW level. Which you'd have to do in RHEL as well, but its 'security levels' is probably a SPECIALIZED RHEL build to take the place of a router and automatically handle the NAT rules.

    – Thomas Ward
    Jun 14 at 19:09












  • @ThomasWard Good question. This Ubuntu is intended to be an end host, specifically an IPFIX collector. All it has to do is receive incoming IPFIX data records and SSH management traffic. What is driving me nuts is that currently the Ubuntu VM accepts ICMP packets, but no TCP or UDP traffic. I set up an "ACCEPT ANY ANY" firewall rule in ufw but that didn't have any effect. I do see iptables is running and has a lot of rules permitting ICMP, which makes me think you're on to something here. I don't know much about how ufw and iptables work together, but I assume I'll need to config both?

    – Pete
    Jun 14 at 19:57











  • You would have to configure one or the other. I am currently not near a computer or I would pull you into chat to discuss what you need to achieve.

    – Thomas Ward
    Jun 14 at 20:07
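
The capture quoted in the question can be read mechanically. The following is an added example, not part of the original post or its comments: a small Python parser (function and field names are this example's own) that classifies each TCP handshake in tcpdump's default text output, run here on the four packets from the question. The hints are generic checks for each state, not a diagnosis of this particular VM.

```python
import re
from collections import OrderedDict

# The four packets from the question's capture on ens5, copied from the post.
CAPTURE = """\
19:08:05.171265 IP 10.10.10.10.46988 > ubuntu.ssh: Flags [S], seq 4112466036, win 29200, options [mss 1460,sackOK,TS val 2621364955 ecr 0,nop,wscale 9], length 0
19:08:05.171295 IP ubuntu.ssh > 10.10.10.10.46988: Flags [S.], seq 2729080149, ack 4112466037, win 28960, options [mss 1460,sackOK,TS val 3132539741 ecr 2621364955,nop,wscale 7], length 0
19:08:06.171804 IP 10.10.10.10.46988 > ubuntu.ssh: Flags [S], seq 4112466036, win 29200, options [mss 1460,sackOK,TS val 2621365956 ecr 0,nop,wscale 9], length 0
19:08:06.171824 IP ubuntu.ssh > 10.10.10.10.46988: Flags [S.], seq 2729080149, ack 4112466037, win 28960, options [mss 1460,sackOK,TS val 3132540741 ecr 2621364955,nop,wscale 7], length 0
"""

# tcpdump default line: "<ts> IP <src.port> > <dst.port>: Flags [..], seq N, ack N, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?"
)

# What each handshake state says about where to look next.
HINTS = {
    "established": "three-way handshake completed",
    "reset": "a RST was seen: check that the service listens on this address",
    "unanswered": ("host never replied on this interface: check local filtering "
                   "(iptables/ufw), rp_filter, and which interface the reply "
                   "is routed out of"),
    "half-open": ("SYN-ACK left this interface but no ACK came back: the SYN got "
                  "past local filtering, so check the path back to the client "
                  "(virtual switch or hypervisor filtering, routing on the peer)"),
}


def _state(flow):
    if flow["rst"]:
        return "reset"
    if flow["acked"]:
        return "established"
    if flow["synack"]:
        return "half-open"
    return "unanswered"


def classify_handshakes(capture_text):
    """Return one summary dict per client->server connection attempt."""
    flows = OrderedDict()  # (client endpoint, server endpoint) -> counters
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a TCP packet line (banner, ^C, prompt, ...)
        src, dst, flags = m["src"], m["dst"], m["flags"]
        seq = int(m["seq"]) if m["seq"] else None
        ack = int(m["ack"]) if m["ack"] else None

        if flags == "S" and seq is not None:
            # Bare SYN: a new attempt, or a retransmission of the same one.
            flow = flows.setdefault(
                (src, dst),
                {"isn": seq, "syn": 0, "synack": 0, "acked": False, "rst": False},
            )
            flow["syn"] += 1
        elif (dst, src) in flows:
            # Server -> client direction of a known attempt.
            flow = flows[(dst, src)]
            if "R" in flags:
                flow["rst"] = True
            elif flags == "S." and ack == flow["isn"] + 1:
                flow["synack"] += 1
        elif (src, dst) in flows:
            # Client -> server, not a bare SYN: the final ACK, data, or a RST.
            flow = flows[(src, dst)]
            if "R" in flags:
                flow["rst"] = True
            elif "." in flags and flow["synack"]:
                flow["acked"] = True

    results = []
    for (client, server), flow in flows.items():
        state = _state(flow)
        results.append({
            "client": client,
            "server": server,
            "syn_retransmits": flow["syn"] - 1,
            "synack_sent": flow["synack"],
            "state": state,
            "hint": HINTS[state],
        })
    return results


if __name__ == "__main__":
    for r in classify_handshakes(CAPTURE):
        print(f'{r["client"]} -> {r["server"]}: {r["state"]} '
              f'(SYN retransmits={r["syn_retransmits"]}, '
              f'SYN-ACKs sent={r["synack_sent"]})')
        print("  " + r["hint"])
```

Because tcpdump sees outbound packets only after the local packet filter has processed them, a SYN-ACK appearing in the capture means both the inbound SYN and the reply passed the host's own rules.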

















networking 18.04 security interface






asked Jun 14 at 15:34 by Pete














