Firewall Wizards mailing list archives

Re: Is it possible to control access between clients on same LAN with a firewall?


From: Eric Gearhart <eric () nixwizard net>
Date: Tue, 26 Jan 2010 20:47:30 -0700

On Mon, Jan 25, 2010 at 9:21 AM, William Fitzgerald
<wfitzgerald () 4c ucc ie> wrote:

> I was just wondering how people control access amongst machines on the same
> subnet (LAN) that are protected by the same firewall.
>
> In my case, the firewall is a home router (WRT54G) running DD-WRT, so
> iptables is the firewall there.
>
> Presumably as with all firewalls, once a packet is not being sent to the
> firewall itself or forwarded through the firewall towards another network,
> the firewall will not protect machines behind the firewall from each other.
> Perhaps as a result of the built-in switch, packets don't get up to layer 3
> and so the firewall is oblivious to inter-LAN packet traffic.
>
> It would be nice to be able to restrict some LAN clients from talking to
> each other, perhaps by layer 3 filtering. For example, it may make sense to
> prohibit the network printer from talking to a web server and vice versa.


You sound like you might already know this, but I may as well
summarize it for the audience. Normally in "production networks" you
separate different servers on a network based on their purpose... for
example, application servers go into an "application VLAN," database
servers go into a "database VLAN," and publicly accessible servers go
in their own separate DMZ (preferably they also hang off their own
separate "DMZ" firewall appliance...)

I know that's a lot of "overarchitecting" for what you need, but your
DD-WRT does support breaking interfaces into separate VLANs, and the
ports on the DD-WRT effectively can become separate layer-3 switches
by doing this. With some creative config you could build a network
that was segregated as you described... if you're interested in
implementing this, post back to the list... I use DD-WRT at the house
myself and maybe I can help.

The only other way of doing this would be to set up something such as
Snort and have Snort listen on each port of the DD-WRT and do active
IDS, where traffic that was deemed "bad" would have a TCP reset
inserted into the session streams on each side of the TCP
connection... but I think that's a bit much to ask of the poor little
WRT54G's resources.

By the way, I have several WRT54Gs running DD-WRT and they work
great... I've never had a problem with them.

--
Eric
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
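A worked example of the VLAN-plus-iptables approach Eric describes, added here and not part of the thread or of DD-WRT itself. It assumes the LAN ports have already been split into two VLANs on the router (DD-WRT's VLAN setup page, or nvram), so that the web server sits on an interface assumed to be called vlan2 (192.168.2.0/24) and the printer on vlan3 (192.168.3.0/24); the interface names, the addresses, the spooler host 192.168.2.10 and the printer 192.168.3.20 are all assumptions for illustration, and DD-WRT's real interface names vary by model. Once the two hosts are on separate VLANs, inter-VLAN packets are routed by the WRT54G and traverse the FORWARD chain, which is the only reason these rules can see them at all; hosts left in the same VLAN are still switched directly and no iptables rule applies to them, which is the point William raised. Run the script with no argument to print the ruleset, or with `apply` on the router as root to install it.

```shell
#!/bin/sh
# Added example (not from the thread): isolate two DD-WRT VLANs from each other
# with iptables FORWARD rules. All names and addresses below are assumptions:
#   SRV_IF  = vlan2, 192.168.2.0/24  (web server VLAN)
#   PRN_IF  = vlan3, 192.168.3.0/24  (printer VLAN)
#   SPOOLER = 192.168.2.10, PRINTER = 192.168.3.20 (one hypothetical allowed flow)
# Check the real interface names on the router with `ifconfig` or `ip link`
# before applying.
# Usage: ./vlan_isolate.sh        -> print the rules only (dry run)
#        ./vlan_isolate.sh apply  -> execute them (on the router, as root)

SRV_IF=${SRV_IF:-vlan2}
PRN_IF=${PRN_IF:-vlan3}
SPOOLER=${SPOOLER:-192.168.2.10}
PRINTER=${PRINTER:-192.168.3.20}
MODE=${1:-print}
CHAIN=VLAN_ISOLATE

run() {
    # Echo every rule so a dry run documents the ruleset; execute only in apply mode.
    echo "$*"
    if [ "$MODE" = apply ]; then
        "$@"
    fi
    return 0
}

segregate_vlans() {
    # A dedicated chain keeps the policy readable and lets hit counters be
    # inspected later with: iptables -L VLAN_ISOLATE -v -n
    # (-N fails harmlessly if the chain already exists; -F then empties it.)
    run iptables -N "$CHAIN"
    run iptables -F "$CHAIN"

    # Insert at the top of FORWARD so DD-WRT's own accept rules do not match
    # first. Only traffic crossing between the two VLANs is sent to the chain;
    # each VLAN's path to the WAN is left untouched.
    run iptables -I FORWARD -i "$SRV_IF" -o "$PRN_IF" -j "$CHAIN"
    run iptables -I FORWARD -i "$PRN_IF" -o "$SRV_IF" -j "$CHAIN"

    # Return traffic for connections permitted below.
    run iptables -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The one permitted flow (assumed): the spooler opens a raw-print session
    # (TCP 9100) to the printer. Nothing else on the server VLAN may reach the
    # printer, and the printer can never open a connection toward the server VLAN.
    run iptables -A "$CHAIN" -i "$SRV_IF" -o "$PRN_IF" \
        -s "$SPOOLER" -d "$PRINTER" -p tcp --dport 9100 -j ACCEPT

    # Log the rest at a limited rate (so the WRT54G's syslog is not flooded)
    # and drop it.
    run iptables -A "$CHAIN" -m limit --limit 5/min -j LOG --log-prefix "$CHAIN drop: "
    run iptables -A "$CHAIN" -j DROP
}

segregate_vlans
```

To verify the policy, open a connection from the printer VLAN toward the web server (for example a telnet to its port 80) and confirm it times out while the spooler's print job still goes through; the per-rule counters from `iptables -L VLAN_ISOLATE -v -n` should show the DROP rule incrementing and the 9100 ACCEPT rule matching. On DD-WRT the rules do not survive a reboot unless the script is stored as the router's firewall script, so keep the dry-run output as the record of the intended policy.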