I have recently begun using 802.1q VLANs and channel bonding with my Cisco switches and Debian application servers to provide redundancy and bandwidth aggregation across several internet connections with no BGP. Where I used to have 2 or 3 ethernet interfaces on different networks for each server, now I have one bonded interface and 3 or more VLAN network interfaces for each server.

I'd like to do the same thing with a firewall, but I don't really understand the security implications. All of the ports on all of these switches are configured right now to be on one VLAN or another, except for the VLAN+bonded Debian servers, which are in trunk mode. Those have IPs configured only on the bonded VLAN interfaces like bond0.433, but I can still see traffic both for eth0, eth1, etc., and for the bonded interface bond0.

My question is this: can I treat, say, bond0.433 and bond0.434 as completely separate interfaces for iptables purposes? What I mean to say is, I know I can do it, but can I do it as safely as the old-fashioned method of configuring one port to be VLAN 433 and one on 434, one internal, one external, or with putting a firewall in-line with each internet connection?

It would make some new applications possible, like providing firewall service for many internal VLANs from the same set of firewall hosts with different rulesets for each VLAN, and the rulesets are a little more mistake-proof because I can write them for each VLAN interface instead of an IP range. Also, it would make it very easy to quarantine a VLAN as soon as Snort detects outgoing worms from a host in it. That way they can't do anything but infect each other until the problem gets fixed. Many of our customers for some reason use a very virus-prone operating system which will inevitably become infected with one exploit or another and begin attacking the rest of the internet through my gateways....

Thanks for your advice,
--John
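One way to put the per-interface idea from the question into a ruleset, as an added example that is not part of John's post or of any project: a POSIX sh script that emits an iptables-restore ruleset with one chain per VLAN sub-interface, refuses traffic matched on the untagged carriers (bond0, eth0, eth1), and provides a quarantine helper of the kind a Snort alert handler could call. Only the names bond0.433 and bond0.434 come from the post; bond0.433 as the upstream VLAN, the bond0.100 customer VLAN, the 10.x prefixes and the per-VLAN port policy are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: emit an iptables-restore ruleset that
# treats each 802.1q sub-interface of the bond as its own firewall zone, plus a
# quarantine helper for one VLAN. bond0.433 and bond0.434 are the interface names
# from the post; every other name, prefix and port policy below is an assumption.

EXTERNAL_IF="bond0.433"             # assumed: the upstream/internet VLAN
# assumed internal VLANs as "interface:prefix" pairs; the prefix is only used to
# refuse spoofed sources, so policy stays tied to the interface, not to an IP range
INTERNAL_VLANS="bond0.434:10.34.0.0/16 bond0.100:10.100.0.0/16"
RAW_LEGS="bond0 eth0 eth1"          # untagged carriers that must carry no policy

chain_for() {                       # bond0.434 -> fw_bond0_434
    printf 'fw_%s\n' "$(printf '%s' "$1" | tr '.' '_')"
}

# Print a complete *filter table for iptables-restore (default-drop INPUT/FORWARD).
gen_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    for entry in $INTERNAL_VLANS; do          # declare per-VLAN chains before any rule uses them
        printf ':%s - [0:0]\n' "$(chain_for "${entry%%:*}")"
    done
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # The post notes traffic is also visible on eth0/eth1 and bare bond0; anything the
    # kernel attributes to those legs is untagged and gets no forwarding at all.
    for leg in $RAW_LEGS; do
        printf '%s\n' "-A INPUT -i $leg -j DROP" "-A FORWARD -i $leg -j DROP"
    done
    for entry in $INTERNAL_VLANS; do
        vif=${entry%%:*}; prefix=${entry#*:}; chain=$(chain_for "$vif")
        # anti-spoof: a packet arriving on this VLAN interface must carry that VLAN's prefix
        printf '%s\n' "-A FORWARD -i $vif ! -s $prefix -j DROP"
        # VLAN-to-internet traffic is decided in the per-VLAN chain
        printf '%s\n' "-A FORWARD -i $vif -o $EXTERNAL_IF -j $chain"
        # assumed per-VLAN policy: web and DNS out, drop SMB, then drop the rest
        printf '%s\n' "-A $chain -p tcp -m multiport --dports 80,443 -j ACCEPT" \
            "-A $chain -p udp --dport 53 -j ACCEPT" \
            "-A $chain -p tcp --dport 445 -j DROP" \
            "-A $chain -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# gen_quarantine IFACE: print the iptables commands that cut one VLAN off from
# forwarding in both directions (hosts on it still reach each other through the
# switch, which never crosses the firewall). Pipe to sh to apply, e.g. from an
# alert handler; gen_unquarantine prints the matching removals.
gen_quarantine() {
    printf '%s\n' "iptables -I FORWARD 1 -i $1 -m limit --limit 6/min -j LOG --log-prefix \"quarantine $1: \"" \
        "iptables -I FORWARD 2 -i $1 -j DROP" \
        "iptables -I FORWARD 3 -o $1 -j DROP"
}
gen_unquarantine() {
    printf '%s\n' "iptables -D FORWARD -i $1 -m limit --limit 6/min -j LOG --log-prefix \"quarantine $1: \"" \
        "iptables -D FORWARD -i $1 -j DROP" \
        "iptables -D FORWARD -o $1 -j DROP"
}

# Stand-alone use: "sh vlan_fw.sh show" prints the ruleset (feed it to
# iptables-restore) followed by the quarantine commands for bond0.100.
if [ "${1:-}" = "show" ]; then
    gen_ruleset
    gen_quarantine bond0.100
fi
```

The `-i bond0.434` match is exactly as trustworthy as the 802.1q tag on the frame: the kernel delivers a packet to bond0.434 only if it arrived carrying tag 434, so the firewall's view of "which interface" is the switch's view of "which VLAN". The check that matters is therefore on the trunk port feeding the firewall: make sure its native VLAN is an unused one, so untagged frames can never land on a policy-bearing sub-interface, and keep the drop rules for the raw legs so anything that does arrive untagged is discarded rather than forwarded.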