Firewall Wizards mailing list archives

Re: Is it possible to control access between clients on same LAN with a firewall?


From: Paul Melson <pmelson () gmail com>
Date: Tue, 26 Jan 2010 07:04:14 -0500

On Mon, Jan 25, 2010 at 11:21 AM, William Fitzgerald
<wfitzgerald () 4c ucc ie> wrote:
> I was just wondering how people control access amongst machines on the same
> subnet (LAN) that are protected by the same firewall.
>
> In my case, the firewall is a home router (WRT54G) running DD-WRT, so
> iptables is the firewall there.

With DD-WRT you can assign a different VLAN to each interface of the
router and then use iptables rules to manage traffic between devices.
This requires either a high degree of customization of your router or
the use of static IP addressing on some of the VLANs, which for a
home network may not be so bad.  Keep in mind that if you uplink other
switches to the router, the firewall cannot protect two devices
connected to that switch from each other.  This also applies to
wireless devices connected to the router.

The way I would solve this problem in a larger network would be to use
the switching infrastructure to force communication to the router
(firewall) and not allow local subnet communication.  Cisco calls this
Private VLANs, and they are great for use on DMZ networks where it's
important that communication between hosts on that network be
restricted and monitored.  More on that here:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml

PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
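A concrete form of the DD-WRT approach described above, as an added example that is not from the original thread: a script that generates (and can apply) iptables FORWARD rules dropping traffic between the router's LAN VLAN interfaces while leaving VLAN-to-WAN forwarding untouched. The interface names vlan2/vlan3/vlan4 and the chain name VLAN_ISOLATE are assumptions; the actual VLAN numbering depends on the DD-WRT build and how the ports were assigned.

```shell
#!/bin/sh
# Added example, not from the original post. Generates iptables rules that
# stop hosts on different LAN VLANs from reaching each other through the
# router. Interface names are assumptions: adjust LAN_VLANS to match the
# VLAN interfaces your DD-WRT build created for the switch ports.
LAN_VLANS="${LAN_VLANS:-vlan2 vlan3 vlan4}"   # assumed isolated LAN VLANs

# Print the iptables commands implementing the policy, one per line.
# A dedicated chain keeps the isolation rules easy to audit and flush.
gen_isolation_rules() {
    echo "iptables -N VLAN_ISOLATE 2>/dev/null"
    echo "iptables -F VLAN_ISOLATE"
    # Drop forwarding between every ordered pair of distinct LAN VLANs.
    for src in $LAN_VLANS; do
        for dst in $LAN_VLANS; do
            [ "$src" = "$dst" ] && continue
            echo "iptables -A VLAN_ISOLATE -i $src -o $dst -j DROP"
        done
    done
    # Anything else (e.g. VLAN -> WAN) falls back to the normal FORWARD rules.
    echo "iptables -A VLAN_ISOLATE -j RETURN"
    # Hook the chain at the top of FORWARD exactly once (remove stale hook first).
    echo "iptables -D FORWARD -j VLAN_ISOLATE 2>/dev/null"
    echo "iptables -I FORWARD 1 -j VLAN_ISOLATE"
}

# Number of DROP rules the policy produces: n*(n-1) for n VLANs.
count_drop_rules() {
    gen_isolation_rules | grep -c -- '-j DROP'
}

# Apply the generated rules to the running kernel (root on the router).
apply_isolation_rules() {
    gen_isolation_rules | sh
}

# Default to printing the rules for review; set APPLY=1 to load them.
if [ "${APPLY:-0}" = "1" ]; then apply_isolation_rules; else gen_isolation_rules; fi
```

Note that, as the post points out, these rules only govern traffic that actually passes through the router: two hosts on the same VLAN, or on a downstream switch, still talk directly.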
