>> I was thinking of a typical SOHO router (combined switch, routing, nat
>> and firewall) or a simple standalone linux box that has a switch (even
>> outdated hub!) connected to it and then the 3 machines on the far side
>> of the switch.
>
> With a SOHO router, it depends on how the built-in switch works. If each
> ethernet port is or can be set as a separate interface (possibly through
> the use of VLANs), then you can build a Linux bridge and inspect bridged
> traffic with ebtables or bridge-nf + iptables. Otherwise, a plain
> switch (either built-in or external) won't allow you to inspect LAN
> traffic. Traffic between two machines will just flow through the switch
> without hitting the firewall.
>

I'll look into ebtables, thanks for the pointer.

My home router is a Linksys WRT54GL with a 4 port switch. I have installed DD-WRT on it. I just presumed, at least on a home network SOHO, that I could control access to internal LAN devices at the iptables rules level (layers 3, 4 and 7 if l7-filter is inbuilt).

I just took a quick look at switches and see they perform rudimentary routing at layer 2. So thanks for clearing that up. I'll do a bit of reading into ebtables.

If I understood what you said about firewalls and switches in broad terms (possibly in an enterprise setting), I can essentially "trick", for want of a better term, the switch to forward all traffic to the firewall for inspection regardless of whether the packets are outbound or not.
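As an added example (not part of this thread), here is a shell script that builds the Linux bridge the reply above describes and makes LAN-to-LAN traffic visible to iptables via bridge-nf and to ebtables at layer 2. The bridge name br0 and the port names eth1 and eth2 are assumptions: on a SOHO switch chip the ports must first be split into separate interfaces (e.g. via VLANs), as the reply notes. DRY_RUN=1 prints the commands instead of applying them.

```shell
# Added example: bridge two LAN ports and inspect the traffic between them.
# Assumed names: br0 = bridge, eth1/eth2 = two LAN ports already exposed as
# separate interfaces. Set DRY_RUN=1 to print the commands instead of running them.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_bridge_inspection() {
    br="$1"; lan_a="$2"; lan_b="$3"

    # 1. Bridge the two ports so the kernel, not the switch silicon, forwards frames.
    run ip link add name "$br" type bridge
    run ip link set "$lan_a" master "$br"
    run ip link set "$lan_b" master "$br"
    run ip link set "$lan_a" up
    run ip link set "$lan_b" up
    run ip link set "$br" up

    # 2. bridge-nf: hand bridged IPv4 frames to iptables, so the FORWARD chain
    #    now sees machine-to-machine LAN traffic; physdev names the bridge ports.
    #    (br_netfilter is a module on newer kernels, built in on older ones.)
    run modprobe br_netfilter 2>/dev/null || true
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run iptables -A FORWARD -m physdev --physdev-in "$lan_a" --physdev-out "$lan_b" \
        -p tcp --dport 445 -j LOG --log-prefix "lan-smb: "
    run iptables -A FORWARD -m physdev --physdev-in "$lan_a" --physdev-out "$lan_b" \
        -p tcp --dport 445 -j DROP

    # 3. Alternatively filter at layer 2 with ebtables, which sees every frame
    #    crossing the bridge, IP or not (port 445 is just a sample policy).
    run ebtables -A FORWARD -i "$lan_a" -o "$lan_b" -p IPv4 \
        --ip-proto tcp --ip-destination-port 445 -j DROP
}
```

Applying it for real requires root and a kernel with bridge and br_netfilter support; run `DRY_RUN=1 sh script.sh` first to review the exact rules that would be installed.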