Security Basics mailing list archives

RE: firewall on the same segment


From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 10 Sep 2003 13:26:06 -0700

  Traffic that doesn't have to cross the firewall cannot be
blocked by the firewall.

  There are two basic ways to solve this:

1.  Some(!) firewall products can be configured as bridges
(layer 2) rather than routers (layer 3).  This lets you put
some hosts behind the firewall without having to put them on
a different subnet.  The firewall you have may or may not 
support this option.

2.  Move the hosts to a new subnet behind the firewall, and 
set up "static NAT" rules on the firewall that map the
publicized IP addresses to the private NATted ones.  This
can be done with >90% of the firewall products I've ever 
seen.

  (Several firewalls offer a way to offer access only to 
users who successfully authenticate to the firewall or some
additional server such as TACACS+ or RADIUS.  Once your 
topology works, I think this is the remaining piece of your
puzzle.)

David Gillett
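As an added illustration (not part of David's reply or of the original thread), the script below sketches both layouts he describes on a Linux firewall using iptables, which is what Fernando has. Everything beyond the addresses in the thread is assumed: `eth0` as the existing 192.168.100.0/24 side, `eth1` as a second interface toward the protected host, 192.168.101.0/24 as the new private subnet for option 2, and a constructed list of permitted client addresses. Setting `IPT`, `IP` and `SYSCTL` to `echo ...` previews the generated rules without root.

```shell
#!/bin/sh
# Added example for the two approaches in the reply above; not code from the thread.
# Assumed (not in the original): eth0 = existing LAN side, eth1 = interface toward
# the protected server, 192.168.101.0/24 = new private subnet, ALLOWED = permitted users.
# Preview without root:  IPT="echo iptables" IP="echo ip" SYSCTL="echo sysctl" sh fw.sh nat

IPT="${IPT:-iptables}"
IP="${IP:-ip}"
SYSCTL="${SYSCTL:-sysctl}"

LAN_IF=eth0                   # existing segment 192.168.100.0/24 (from the thread)
INSIDE_IF=eth1                # assumed second interface behind the firewall
PUBLIC_ADDR=192.168.100.3     # address users keep reaching (from the thread)
PRIVATE_ADDR=192.168.101.3    # assumed new address of the server behind the firewall
INSIDE_GW=192.168.101.1/24    # assumed firewall address on the new subnet
ALLOWED="192.168.100.10 192.168.100.11"   # constructed list of permitted users

# Option 2: move the server to a new subnet and keep its old address via static 1:1 NAT.
nat_mode() {
    $SYSCTL -w net.ipv4.ip_forward=1
    # The firewall must answer ARP for the publicized address on the LAN side,
    # so the old host must no longer be on that segment with the same address.
    $IP addr add "$PUBLIC_ADDR/32" dev "$LAN_IF"
    $IP addr add "$INSIDE_GW" dev "$INSIDE_IF"
    # Static NAT: rewrite the destination inbound and the source outbound.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -d "$PUBLIC_ADDR" -j DNAT --to-destination "$PRIVATE_ADDR"
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$PRIVATE_ADDR" -j SNAT --to-source "$PUBLIC_ADDR"
    # FORWARD runs after PREROUTING DNAT, so filter on the private address.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for src in $ALLOWED; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$INSIDE_IF" -s "$src" -d "$PRIVATE_ADDR" -j ACCEPT
    done
    # Everyone else (e.g. 192.168.100.4) falls through to the DROP policy; log it first.
    $IPT -A FORWARD -i "$LAN_IF" -o "$INSIDE_IF" -d "$PRIVATE_ADDR" -j LOG --log-prefix "denied-to-server: "
}

# Option 1: transparent bridge; the server keeps 192.168.100.3 and is not renumbered.
bridge_mode() {
    $IP link add name br0 type bridge
    $IP link set "$LAN_IF" master br0
    $IP link set "$INSIDE_IF" master br0
    $IP link set "$LAN_IF" up
    $IP link set "$INSIDE_IF" up
    $IP link set br0 up
    # Bridged IPv4 frames only reach iptables FORWARD when bridge-nf is enabled.
    $SYSCTL -w net.bridge.bridge-nf-call-iptables=1
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for src in $ALLOWED; do
        $IPT -A FORWARD -m physdev --physdev-in "$LAN_IF" --physdev-out "$INSIDE_IF" \
             -s "$src" -d "$PUBLIC_ADDR" -j ACCEPT
    done
    # Anything not aimed at the protected server passes the bridge untouched.
    $IPT -A FORWARD -m physdev --physdev-in "$LAN_IF" --physdev-out "$INSIDE_IF" ! -d "$PUBLIC_ADDR" -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-in "$INSIDE_IF" --physdev-out "$LAN_IF" -j ACCEPT
}

case "${1:-}" in
    nat)    nat_mode ;;
    bridge) bridge_mode ;;
esac
```

Two points worth checking on a real box: in NAT mode the FORWARD rules must match the post-DNAT private address, not 192.168.100.3, or the allow list silently never matches; in bridge mode the `physdev` match and `bridge-nf-call-iptables` both need the bridge netfilter support compiled in or loaded, otherwise frames cross the bridge without ever hitting the filter.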


-----Original Message-----
From: Fernando Serto [mailto:fernando.serto () memetrics com]
Sent: September 9, 2003 23:08
To: security-basics () securityfocus com
Subject: firewall on the same segment


Hi,

I have always installed firewalls to prevent access from the Internet to the
internal network, or from one network to another, but I was asked to install a
firewall ON the LAN, to deny access to a few boxes. For example, the network
address is 192.168.100.0/24, the firewall's IP is 192.168.100.1 and I need to
block access to a specific server whose IP is 192.168.100.3. I have to allow
access only to a few users to this server. Is it possible to deploy this using
iptables? At this company, they're using fwbuilder to administer the firewall.
I tried to block access from 192.168.100.4 to 192.168.100.3, but I couldn't...
I can only deny access to the IPs configured in the firewall.

Thanks in advance.

Cheers,
Fernando



---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------
