Hi Chris.

> Technically, as I understand it, specifying a default gateway (or a gateway
> at all) for TCP/IP routing information is irrelevant *IF* the IP addresses
> are located on the same subnet??

Not completely right. They do not learn from ARP that they are in the same subnet; instead they combine the subnet mask with their own IP (which results in their own network address) and combine the subnet mask with the IP of the receiver (which results in the receiver's network address). If their own network address and the one of the receiver match, the sender does not need to use a gateway. If the MAC address of the receiver is not within the ARP cache, the sender sends an ARP request to learn it (maybe again).

> The question is simply, how can I firewall PC1, 2, 3 and 4 from EACH OTHER,
> without subnetting them all. If I subnet it, it firstly would mean that my
> firewall machine would need hundreds of network cards (which is physically
> impossible - seeing in practice, I'm literally talking 100+ computers in
> this farm)....

You must distinguish between physical networks and logical networks. You may connect thousands of computers to the same physical network (using tons of switches :)), but when you use proper network masks you could place each computer within its own subnet. You would need 4 addresses per computer and subnet: one for the network itself, one for broadcasts, one for the computer and one for the router.

> Secondly, data from PC1 directed to PC2 WILL NOT be routed
> by the FIREWALL machine, but will only be broadcasted back to the
> destination, because of the features and workings of UTP HUBs, and TCP/IP
> routing....

It would physically remain on the network, that is correct. But logically it will reach the receiver only if it passes the router.
> So how do I get my gateway machine (firewall) to protect the entire server
> farm from the outside world (this is fairly simple, I just stick a second
> NIC in it and set the firewall up), but also have the gateway to protect the
> machines from each other INSIDE the firewall?

With a huge server farm this is getting tricky. One thing you could do is building filtering bridges. But then you really would need one ethernet port per computer, and this would cause lots of costs.

> As far as I know, it is impossible to do. UTP Hubs broadcast all the
> information received on a port, to all the other ports connected to the same
> hub. Therefore, all the machines on the same hub, will receive the
> information. On the other hand, there are a few places doing things like
> this already, which means that technically, it MUST be possible...

You could use one small bridging box with two ethernet interfaces for this task. It could filter out packets just as a firewall does but will be transparent to the client behind the bridge. If a filter rule applies, the packet will just be thrown away and the rest of the network will just not receive it. This can be done using a small linux box, in conjunction with the advanced bridging code written by Lennert ... (don't know his last name, he is from the netherlands). You will find further information on that at http://openrock.net/bridge.

> Can one way of doing this perhaps be in the configuration and layout of the
> physical network (hubs, switches, and cables), perhaps in something like the
> following scenario....
>
> SERVER   SERVER   SERVER
>   |        |        |
>  HUB      HUB      HUB
>   |        |        |
> ------------------------
>            |
>         SWITCH
>            |
>        GATEWAY

This would only work in the way you want if you drop the hubs and use switches instead, but simple switches are not capable of filtering packets as they (normally) don't understand any other layer than layer 2.

> ANY help will greatly be appreciated, and I look forward to your replies.

Hope this helps a bit.
Bye,
Mike
-
: send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.rutgers.edu
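The two points Mike makes above (a host decides whether it needs the gateway by masking its own and the receiver's address, and putting each server in its own subnet costs four addresses per machine) can be worked through in a few lines. The following is an added example and not code from the thread; the addresses and the /30 carving out of 10.0.0.0/24 are constructed for illustration.

```python
import ipaddress


def network_address(ip: str, mask: str) -> int:
    """Bitwise AND of an IPv4 address with its netmask: the network address."""
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))


def same_subnet(own_ip: str, mask: str, peer_ip: str) -> bool:
    """The sender's on-link test: mask its own IP and the receiver's IP with
    the configured netmask and compare the two network addresses."""
    return network_address(own_ip, mask) == network_address(peer_ip, mask)


def next_hop(own_ip: str, mask: str, gateway: str, dest_ip: str) -> str:
    """Address the sender will ARP for: the destination itself when it is
    on the same subnet, otherwise the configured gateway (the firewall)."""
    return dest_ip if same_subnet(own_ip, mask, dest_ip) else gateway


def per_host_subnets(block: str, count: int) -> list[dict]:
    """Carve one /30 per server out of `block`. A /30 holds exactly four
    addresses: network, router, host and broadcast, which is the cost Mike
    quotes. The router address goes on the firewall's (sub)interface."""
    net = ipaddress.IPv4Network(block)
    result = []
    for sub in net.subnets(new_prefix=30):
        if len(result) == count:
            break
        router, host = list(sub.hosts())  # the two usable addresses of a /30
        result.append({
            "network": str(sub.network_address),
            "router": str(router),
            "host": str(host),
            "broadcast": str(sub.broadcast_address),
            "mask": str(sub.netmask),
        })
    return result


def flat_vs_per_host_demo() -> dict:
    """Compare where PC1->PC2 traffic goes on one flat /24 and on /30s."""
    # Flat network (constructed): PC1 and PC2 share 192.168.1.0/24, so PC1
    # ARPs for PC2 directly and the firewall never sees the packet.
    flat = next_hop("192.168.1.10", "255.255.255.0", "192.168.1.1", "192.168.1.20")

    # Per-host subnets (constructed): each server in its own /30, so PC1's
    # next hop for PC2 is its router address, i.e. the firewall.
    subs = per_host_subnets("10.0.0.0/24", 2)
    pc1, pc2 = subs[0], subs[1]
    routed = next_hop(pc1["host"], pc1["mask"], pc1["router"], pc2["host"])
    return {"flat_next_hop": flat, "per_host_next_hop": routed, "subnets": subs}


if __name__ == "__main__":
    for key, value in flat_vs_per_host_demo().items():
        print(key, value)
```

Running it shows the difference the reply describes: on the flat /24 the next hop for PC2 is PC2 itself, so nothing in between can filter; with the /30s the next hop is the router address of PC1's own subnet, so the firewall is in the path and can apply rules between the servers.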