[VLAN] broadcasts go where?

> James Harper (james.harper@xxxxxxxxxxxxxxxx) wrote on 20 May 2006
> 10:22:
>  >I assume you have done some policy routing stuff to make the routing
>  >work?
> 
> No, not necessary, just a simple list of routes.
> 
>  >That should be a clue that what you have done is a bit of a hack.
> 
> Well, Ben, Peter and James are unanimous even in the wording :-)

:)

> I agree the cleanest way is to use separate IP networks but I'm using
> about 65 vlans for now, and it may increase in the future. This means
> I cannot do it without using invalid addresses so I preferred the
> other way.

How many PCs?

> I'll have a look at bridging all vlans and using iptables/ebtables to
> control traffic. It might be feasible if the number of rules doesn't
> get too large.

> As for explaining what I'm doing, I think you've all understood it but
> maybe you don't believe it :-) It's really just the opposite of the
> usual: instead of having each machine be able to talk to every other
> (this is what the switch does), restrict communication to each machine
> <-> servers only, plus some groups.

Ah. This makes some sense, and I've often thought of it as a good idea -
stops viruses moving around so much between workstations.

You can probably do it with a decent switch, but you probably already
know that.

If most of the workstations are windows machines, then keeping them all
on the same subnet used to be the sensible thing to do. Windows copes
reasonably well these days without needing broadcasts.

If server broadcasts are a requirement for whatever reason, then I think
the netfilter bridge would definitely be the thing to do. Your rules
should almost be as simple as:

. Allow any vlan interface to send packets to server vlan interface(s)
. Allow server vlan interface(s) to send packets to any vlan
. Allow selected groups to send packets to each other (packet marking
might be good for this, or else just put groups in their own vlan so the
vlan bridge is never involved)
. Allow any protocols which you might want to allow everywhere
. Deny everything else

James
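The five-rule bridge policy above, as an added shell script that is not part of James's message or of any project's code. It assumes a Linux bridge whose ports are VLAN sub-interfaces (server VLAN on eth0.1, workstations on eth0.10 to eth0.13, one peer group of eth0.12 and eth0.13, ARP as the one protocol allowed everywhere); it generates the ebtables commands and also evaluates a frame against the same table so the policy can be checked before it is loaded.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the bridge-side ebtables
# FORWARD policy described above and lets you check a frame's fate offline.
# Assumed names: server VLAN port eth0.1, workstation ports eth0.10..eth0.13,
# one peer group (eth0.12,eth0.13); ARP is the "allowed everywhere" protocol.
SERVER_PORTS="eth0.1"
PEER_GROUPS="eth0.12,eth0.13"   # one comma-separated port list per group
EVERYWHERE_PROTOS="ARP"         # ethertype names as listed in /etc/ethertypes

# Rule table, one rule per line: "IN OUT PROTO VERDICT", "-" meaning "any".
rules() {
    for p in $EVERYWHERE_PROTOS; do echo "- - $p ACCEPT"; done
    for s in $SERVER_PORTS; do
        echo "- $s - ACCEPT"        # any vlan -> server vlan
        echo "$s - - ACCEPT"        # server vlan -> any vlan
    done
    for g in $PEER_GROUPS; do       # group members may talk to each other
        members=$(echo "$g" | tr ',' ' ')
        for a in $members; do for b in $members; do
            [ "$a" = "$b" ] || echo "$a $b - ACCEPT"
        done; done
    done
}

# Render the table as ebtables commands; chain policy DROP is "deny the rest".
ebtables_script() {
    echo "ebtables -F FORWARD"
    echo "ebtables -P FORWARD DROP"
    rules | while read -r i o p v; do
        m=""
        [ "$i" = "-" ] || m="$m -i $i"
        [ "$o" = "-" ] || m="$m -o $o"
        [ "$p" = "-" ] || m="$m -p $p"
        echo "ebtables -A FORWARD$m -j $v"
    done
}

# verdict IN OUT PROTO: first matching rule wins, otherwise the DROP policy.
# The bridge evaluates a flooded (broadcast) frame once per output port, so a
# workstation broadcast only ever reaches the server port.
verdict() {
    hit=$(rules | while read -r i o p v; do
        if { [ "$i" = "-" ] || [ "$i" = "$1" ]; } &&
           { [ "$o" = "-" ] || [ "$o" = "$2" ]; } &&
           { [ "$p" = "-" ] || [ "$p" = "$3" ]; }
        then echo "$v"; exit 0; fi
    done)
    echo "${hit:-DROP}"
}
```

Run `ebtables_script | sh` as root on the bridge host to load the policy; `verdict eth0.10 eth0.11 IPv4` prints DROP, which is what happens to a workstation-to-workstation broadcast.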

