Thanks once again Richard. Fantastic!

Extending my original question a little further: given that iptables doesn't filter client-to-client traffic on the same LAN, is there another way around it? Perhaps ebtables? [Note: in terms of the home broadband boxes which are multi-purpose firewall-router-switch, it is possible to filter wifiClient-to-lanPortClient as they appear on separate interfaces. Or that is my limited understanding.]

I guess if I take the ebtables idea, then the firewall becomes a bridge and only filters layer 2, thereby rendering the normal things I'd like to do with iptables ineffective. Perhaps I've misinterpreted this. Maybe the firewall can run in both modes, ebtables and iptables. I'll need to read some more into this area.

The reason I ask is: imagine a scenario where clienthacker gains access to the LAN via cracking the WiFi. It would be nice to be able to silo clienthacker from the trusted clients by iptables rules. That way, clienthacker cannot directly attack the trusted clients, and also it cannot subvert the firewall configuration via UPnP, as you've pointed out that iptables can prevent this as with trusted LAN clients. The idea would be that trusted clients A, B and C could communicate with each other but clienthacker could not communicate with them. This leaves clienthacker only access to the outside world, which in turn can be controlled as it must pass through the firewall ;-)

Thanks again for the responses and for bearing with my ignorance on this subject.

On Mon, Jan 25, 2010 at 9:23 AM, Richard Horton <arimus.uk@xxxxxxxxxxxxxx> wrote:
> 2010/1/25 paddy joesoap <paddyjoesoap@xxxxxxxxx>:
>> Dear Experts,
>>
>> Is it possible to control what LAN clients can administer the firewall by UPnP.
>
> Yes, just add the appropriate rule into the input chain (the traffic
> target is the firewall itself...)
>
>
> --
> Richard Horton
> Users are like a virus: Each causing a thousand tiny crises until the
> host finally dies.
> http://www.solstans.co.uk - Solstans Japanese Bobtails and Norwegian Forest Cats
> http://www.pbase.com/arimus - My online photogallery
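The set-up the poster is asking about, as an added example that is not part of the thread and not code from either correspondent: a Linux firewall whose LAN side is a bridge br0 of a wired port and a Wi-Fi port, with ebtables fencing the Wi-Fi port at layer 2 and iptables handling layer 3/4 on the same box (the two coexist; the bridge-nf sysctl is what makes bridged frames visible to iptables). Trusted clients A, B and C are identified by MAC address; a client that has only cracked the Wi-Fi key is dropped before it reaches the wired side, keeps routed access to the WAN, and cannot send SSDP to the firewall. Interface names, the MAC addresses, the WAN interface and the choice of 1900/udp (SSDP discovery; the IGD control port depends on the UPnP daemon) are all assumptions for illustration. DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the netfilter thread): isolate untrusted Wi-Fi clients
# on a bridged Linux firewall with ebtables + iptables together.
# Assumptions (hypothetical): br0 bridges LAN_IF (wired) and WIFI_IF (the AP);
# TRUSTED_MACS are clients A, B, C; WAN_IF carries the routed uplink.
set -eu

WIFI_IF=${WIFI_IF:-wlan0}
LAN_IF=${LAN_IF:-eth0}
BR_IF=${BR_IF:-br0}
WAN_IF=${WAN_IF:-ppp0}
TRUSTED_MACS=${TRUSTED_MACS:-"aa:bb:cc:00:00:0a aa:bb:cc:00:00:0b aa:bb:cc:00:00:0c"}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ebtables always sees bridged frames; this sysctl (provided by the br_netfilter
# module) additionally passes them through iptables, where -m physdev identifies
# the bridge ports. Both rule sets then apply to the same packets.
bridge_nf_enable() {
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Layer 2: only trusted source MACs may cross from the Wi-Fi port to the wired
# port. Because every frame from the rogue is dropped here, including its ARP
# replies, wired hosts cannot even resolve it, so one direction is enough.
# A MAC can be spoofed, so this is a fence around the rogue, not authentication.
ebtables_isolation() {
    for mac in $TRUSTED_MACS; do
        run ebtables -A FORWARD -i "$WIFI_IF" -o "$LAN_IF" -s "$mac" -j ACCEPT
    done
    run ebtables -A FORWARD -i "$WIFI_IF" -o "$LAN_IF" -j DROP
}

# Layer 3/4: leave bridged traffic to the ebtables decision above, let anything
# from the Wi-Fi port out to the WAN (routed), and admit only replies back in.
# The rogue therefore ends up with Internet access and nothing else, and that
# path can be narrowed further with ordinary iptables rules.
iptables_forward_rules() {
    run iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$WIFI_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -j DROP
}

# UPnP control of the firewall itself is INPUT-chain traffic (Richard's point):
# accept SSDP discovery only from trusted MACs arriving on the bridge, drop the rest.
upnp_input_rules() {
    for mac in $TRUSTED_MACS; do
        run iptables -A INPUT -i "$BR_IF" -p udp --dport 1900 -m mac --mac-source "$mac" -j ACCEPT
    done
    run iptables -A INPUT -i "$BR_IF" -p udp --dport 1900 -j DROP
}

apply_all() {
    bridge_nf_enable
    ebtables_isolation
    iptables_forward_rules
    upnp_input_rules
}

# Caveat: frames between two clients on the same switch, or on the same AP
# radio, never reach this host unless the switch or AP hands them up (for
# example hostapd's ap_isolate=1); only traffic that crosses br0 is filtered.
apply_all
```

Run it as is to review the generated rule list, then `DRY_RUN=0 sh isolate.sh` as root to apply it; the `-A` appends assume empty chains, so flush or convert to `-I` positions if the box already has a rule set.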