Suppose you have an RPi or similar SBC running OpenWrt. You have say an onboard ethernet, and a couple of USB ethernets. You have different subnets attached to each one. Suppose they're named eth0, eth1, and eth2 when you first boot up and configure them.
How do we know that they will remain named eth0, eth1, and eth2 each time it reboots? And if they are unplugged from the USB ports and shuffled at all, will they have different names?
This seems like a security issue, because if they reboot with different names, then the subnets will be changed, and the firewall will be different... what keep this consistent?
If you make static address to them in the interfaces based on their MAC or more exact UUID if we talk about USB hardware.
That should lock the hardware to the specified interface.
I feel that the biggest security issue is really the use of RPi for router work. Yes it is possible but I don’t see the point since it has one LAN port and one WiFi. To run ethernet over USB is not a effective way to do it based on how data flow is built up in the USB standard.
Won't that just set the mac address? That's not really the issue. Suppose you have wan connected to onboard ethernet. Lan connected to one USB NIC and a DMZ connected to another USB... How do you prevent the LAN and DMZ getting switched? Or even the WAN and LAN?
afaik interfaces are switched around depending on the order in which they appear (and on boot also the order the drivers are loaded does determine how things are named).
I had developed a script that re-assignes interfaces by reading the mac address, and use it as a local package in my builds (it's installed and run as a service on boot) as my usecase was mainly to ship a pre-written config file so that if I decide to erase the config on sysupgrade it does not reset interfaces and Lan becomes whatever and I need to go and swap cables and manually change it back.
but you probably need to add it to hotplug folder as well so it's triggered every time a new network device is added/removed
This is the procd init script
#!/bin/sh /etc/rc.common
START=11
# don't run within buildroot
[ -n "${IPKG_INSTROOT}" ] && return 0
#use busybox grep as GNU grep may be set differently and break the script
grep(){
/bin/busybox 'grep' $@
}
#shutting down all interfaces, then assigning temporary name to free up interface names
#bridges and virtual interfaces are already excluded by /sys/class/net/*/device/uevent as only physical interfaces have that
for i in $( ls /sys/class/net/*/device/uevent | awk -F'/' '{print $5}' | tr '\n' ' ' ) ;
do
mac_address=$( grep $i /etc/config/mac-static-interfaces | awk '{print $3}' | tr -d '"' )
if [ "$mac_address" != '' ]; then
ip link set "$i" down
ip link set "$i" name old"$i"
fi
done
for i in $( ls /sys/class/net/*/device/uevent | awk -F'/' '{print $5}' | tr '\n' ' ' ) ;
do
mac_address=$( cat /sys/class/net/$i/address )
interface_name=$( grep -i $mac_address /etc/config/mac-static-interfaces | awk '{print $2}' )
if [ "$interface_name" != '' ]; then
ip link set "$i" down
ip link set "$i" name "$interface_name"
fi
done
and this is the config file /etc/config/mac-static-interfaces