Re: Beginner Question on restricting traffic within the same subnet.

>> I was thinking of a typical SOHO router (combined switch, routing, nat
>> and firewall) or a simple standalone linux box that has a switch (even
>> outdated hub!) connected to it and then the 3 machines on the far side
>> of the switch.
>
> With a SOHO router, it depends on how the built-in switch works. If each
> ethernet port is or can be set as a separate interface (possibly through
> the use of VLANs), then you can build a Linux bridge and inspect bridged
> traffic with ebtables or bridge-nf + iptables. Otherwise, a plain
> switch (either built-in or external) won't allow you to inspect LAN
> traffic. Traffic between two machines will just flow through the switch
> without hitting the firewall.
>

I'll look into ebtables; thanks for the pointer.

My home router is a Linksys WRT54GL with a 4 port switch. I have
installed DD-WRT on it.

I just presumed, at least on a SOHO home network, that I could control
access to internal LAN devices at the iptables rules level (layers 3, 4,
and 7 if l7-filter is built in).

I just took a quick look at switches and see they perform rudimentary
routing at layer 2. So thanks for clearing that up. I'll do a bit of
reading into ebtables.

If I understood what you said about firewalls and switches in broad
terms (possibly in an enterprise setting), I can essentially "trick",
for want of a better term, the switch into forwarding all traffic to the
firewall for inspection regardless of whether the packets are outbound or not.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
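The two approaches named in the quoted reply (ebtables on a Linux bridge, or bridge-nf handing bridged frames to iptables), written out as an added example; this is not code from the thread or from the DD-WRT project. It assumes the two LAN ports are already separate interfaces named eth1 and eth2 (on a WRT54GL that means splitting the switch into per-port VLANs first), that the bridge is called br0, and that a printer at 192.168.1.50 is the only LAN host the other machines should reach; all of those names and addresses are illustrative. With no argument the script does nothing; `dry-run` prints the commands it would issue, `apply` runs them as root.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names, the bridge
# name and 192.168.1.50 are assumptions for illustration only.
BR=${BR:-br0}
PORT_A=${PORT_A:-eth1}    # assumed: first LAN port, the workstations
PORT_B=${PORT_B:-eth2}    # assumed: second LAN port, the printer
DRY_RUN=${DRY_RUN:-0}     # 1: print commands instead of executing them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Enslave both ports to one bridge. The hosts still see a single layer-2
#    segment, but every frame crossing from one port to the other now passes
#    through the bridge's own FORWARD chain instead of a dumb switch fabric.
build_bridge() {
    run ip link add name "$BR" type bridge
    run ip link set "$PORT_A" master "$BR"
    run ip link set "$PORT_B" master "$BR"
    run ip link set "$PORT_A" up
    run ip link set "$PORT_B" up
    run ip link set "$BR" up
}

# 2a. Pure layer-2 policy with ebtables. Only bridged frames hit this chain;
#     routed LAN-to-WAN traffic is untouched by the DROP policy.
l2_rules() {
    run ebtables -P FORWARD DROP
    # ARP must still pass or nobody on the segment resolves anybody.
    run ebtables -A FORWARD -p ARP -j ACCEPT
    # Workstations (PORT_A) may talk to the printer (PORT_B) and get replies.
    run ebtables -A FORWARD -i "$PORT_A" -o "$PORT_B" -p IPv4 --ip-dst 192.168.1.50 -j ACCEPT
    run ebtables -A FORWARD -i "$PORT_B" -o "$PORT_A" -p IPv4 --ip-src 192.168.1.50 -j ACCEPT
}

# 2b. Alternative: bridge-nf. Bridged IPv4 frames are handed to iptables so
#     the usual layer 3/4 (and conntrack) rules apply to LAN-to-LAN traffic.
#     --physdev-is-bridged keeps these rules off the routed WAN path.
l3_rules() {
    run modprobe br_netfilter          # newer kernels; built in on 2.6-era ones
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in "$PORT_A" --physdev-out "$PORT_B" -p tcp -d 192.168.1.50 --dport 9100 -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-is-bridged -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-is-bridged -j DROP
}

case "${1:-}" in
    dry-run) DRY_RUN=1; build_bridge; l2_rules ;;
    apply)   build_bridge; l2_rules ;;   # swap l2_rules for l3_rules if preferred
esac
```

Pick one of the two rule sets, not both: with bridge-nf enabled, a frame is first judged by ebtables and then by iptables, so a stray DROP in either chain silently wins. A plain switch, as the quoted reply says, never gives the firewall this hook at all.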
