Re: Forced Routing?

Phew...  I'm quite surprised by the number of replies I got....

Let's see quickly....

----- Original Message -----
From: Michael Renzmann <mrenzmann@compulan.de>
To: Chris Knipe <cgknipe@mweb.co.za>
Cc: <linux-net@vger.rutgers.edu>
Sent: Monday, August 07, 2000 8:46 AM
Subject: Re: Forced Routing?


> > Technically, as I understand it, specifying a default gateway (or a
> > gateway at all) for TCP/IP routing information is irrelevant *IF* the IP
> > addresses are located on the same subnet??
>
> Not completely right. They will not know because of ARP that they are in
> the same subnet, but by combining the subnet mask with their own IP (which
> results in their own network address) and combining the subnet mask with
> the IP of the receiver (which results in the receiver's network address).
> If the own network address and the one of the receiver match, the sender
> does not need to use a gateway. If the MAC address of the receiver is
> not within the ARP cache, the sender sends an ARP request to learn it
> (maybe again).

Erm, that's what I meant to say...  In other words, in binary values, it
compares the IP address against the SUBNET mask, to see whether an IP is
local or remote.  If the IP address is local, a gateway is not used, and if
it is remote, the gateway is used :)

But let's not go into binary numbers and all that fancy subnetting stuff
now; as you more than likely realised, this is not really the problem.

> > The question is simply, how can I firewall PC1, 2, 3 and 4 from EACH
> > OTHER, without subnetting them all.  If I subnet it, it firstly would mean
> > that my firewall machine would need hundreds of network cards (which is
> > physically impossible - seeing in practice, I'm literally talking 100+
> > computers in this farm)....
>
> You must distinguish between physical networks and logical networks. You
> may connect thousands of computers to the same physical network (using
> tons of switches :)), but when you use proper network masks you could
> place each computer within its own subnet. You would need 4 addresses
> per computer and subnet. One for the network itself, one for broadcasts,
> one for the computer and one for the router.

Subnetting is not the way to go, as stated in my previous post about the
problem.  If you talk about say 1000 PCs...  You already need to use 4
class-C IP networks.  Having to subnet all of this into 4-IP-address subnet
masks will mean that I lose roughly a minimum of 25% of all my IP
addresses.  InterNIC or whoever assigns me my IP addresses is going to shoot
me.  The only place where I can subnet will more than likely be at the top
uplink provider of the server farm (perhaps my top level router, or
firewall) where I will also specify routing tables to route these various
class C networks to the server farm.

> > As far as I know, it is impossible to do.  UTP hubs broadcast all the
> > information received on a port to all the other ports connected to the
> > same hub.  Therefore, all the machines on the same hub will receive the
> > information.  On the other hand, there are a few places doing things
> > like this already, which means that technically, it MUST be possible...
>
> You could use one small bridging box with two ethernet interfaces for
> this task. It could filter out packets just as a firewall but will be
> transparent to the client behind the bridge. If a filter rule applies,
> the packet will just be thrown away and the rest of the network will
> just not receive it. This can be done using a small linux box, in
> conjunction with the advanced bridging code written by Lennert ...
> (don't know his last name, he is from the netherlands). You will find
> further information on that at http://openrock.net/bridge.

Erm, no offence to you or anyone on this list intended...  But I cannot see
where bridging comes into the picture.  As someone else also stated earlier,
this is a routing issue, and routing only.  With a combination of backbones,
including hubs, switches, and perhaps 2 or 3 dedicated routers (more than
likely dedicated Ciscos), this will be possible.  At least in theory...
See, the thing is, by using bridges, I will be combining the LAN segments;
once they are combined, the traffic can flow in any direction, and therefore
once again has more than one path that it can follow.  The idea is to have
the traffic only follow one path: the shortest path right through to the
outside of the firewall so that it can be filtered by the firewall on its
return back into the server farm.

> > Can one way of doing this perhaps be in the configuration and layout of
> > the physical network (hubs, switches, and cables), perhaps in something
> > like the following scenario....
> >
> > SERVER   SERVER   SERVER
> >    |        |        |
> >   HUB      HUB      HUB
> >    |        |        |
> >    --------------------
> >             |
> >          SWITCH
> >             |
> >         GATEWAY
>
>
> This would only work in the way you want if you drop the hubs and use
> switches instead, but simple switches are not capable of filtering
> packets as they (normally) don't understand any layer other than layer 2.

The hubs are internal to the client's cabinet.  (See my previous post.)
There is no way that I can drop those hubs.  Perhaps my previous post
made the issue a bit clearer, if you want to have a look at that.

Kind Regards
Chris Knipe
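Added worked example, not part of the original thread or written by either poster: it implements the decision Michael describes (AND each address with the mask, compare the two network addresses, and only use the gateway when they differ) and carries through the one-/30-per-server plan the reply argues about (network, router, host, broadcast per subnet). It uses the 192.0.2.0/24 documentation range as constructed input; the server farm, gateway addresses and the convention that the router takes the lower usable address of each /30 are assumptions for the example.

```python
"""Added example: on-link vs. gateway decision and a one-/30-per-server plan.

Not from the original thread. Addresses are constructed from the
192.0.2.0/24 documentation range; farm layout and gateways are hypothetical.
"""
import ipaddress
from typing import Optional


def network_address(ip: str, mask: str) -> ipaddress.IPv4Address:
    """Bitwise AND of an address with its mask: the network address the quoted text describes."""
    return ipaddress.IPv4Address(
        int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))
    )


def next_hop(src_ip: str, mask: str, dst_ip: str, gateway: Optional[str]) -> str:
    """Return the address the sender ARPs for and hands the frame to.

    Equal network addresses -> the destination itself, so a firewall sitting
    behind the gateway never sees the traffic. Otherwise -> the gateway.
    """
    if network_address(src_ip, mask) == network_address(dst_ip, mask):
        return dst_ip
    if gateway is None:
        raise ValueError(f"{dst_ip} is off-link and no gateway is configured")
    return gateway


def per_host_subnets(block: str, prefix: int = 30) -> list:
    """Carve `block` into one /prefix per server.

    Each subnet spends four addresses exactly as the quoted reply counts them:
    network, router, host, broadcast. Prefixes longer than /30 cannot hold
    that layout, so they are rejected.
    """
    if prefix > 30:
        raise ValueError("need room for network, router, host and broadcast")
    plan = []
    for sub in ipaddress.IPv4Network(block).subnets(new_prefix=prefix):
        usable = list(sub.hosts())          # excludes network and broadcast
        plan.append({
            "network": str(sub.network_address),
            "router": str(usable[0]),       # assumption: router takes the lower usable address
            "host": str(usable[1]),
            "broadcast": str(sub.broadcast_address),
        })
    return plan


def server_address_fraction(block: str, prefix: int = 30) -> float:
    """Fraction of the block that ends up on servers (one server per subnet)."""
    net = ipaddress.IPv4Network(block)
    return len(list(net.subnets(new_prefix=prefix))) / net.num_addresses


def addresses_needed(servers: int, prefix: int = 30) -> int:
    """Total addresses consumed by `servers` hosts at one /prefix each."""
    return servers * (2 ** (32 - prefix))


if __name__ == "__main__":
    # Flat /24: PC1 -> PC2 is delivered directly; the gateway/firewall is bypassed.
    print(next_hop("192.0.2.10", "255.255.255.0", "192.0.2.20", "192.0.2.1"))
    # One /30 per server: the same pair is now off-link and must go via the router.
    print(next_hop("192.0.2.10", "255.255.255.252", "192.0.2.20", "192.0.2.9"))
    print(per_host_subnets("192.0.2.0/24")[2])
    print(server_address_fraction("192.0.2.0/24"), addresses_needed(1000))
```

Run as a script, the first call returns the peer's own address and the second the router address, which is the whole difference between the two designs discussed above: on a flat class C no gateway is consulted for peer traffic, so nothing upstream can filter it. The last line shows what the /30 plan costs: one address in four is a server address, and 1000 servers consume 4000 addresses.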


