Firewall Wizards mailing list archives
Re: Is it possible to control access between clients on same LAN with a firewall?
From: arvind doraiswamy <arvind.doraiswamy () gmail com>
Date: Tue, 26 Jan 2010 11:27:11 +0530
VLANs on L3 switches is what instantly springs to mind. Alternatively, as you suggest, ACLs on the L3 switch itself between all the machines on that switch is another option.

How about something like this, though? Say the LAN is 192.168.0.0/24. The machines all have their gateway set to 192.168.3.1 (switch). Don't have any routes on the switch apart from a default one pointing to the firewall, which can be on another network (172.16.3.1), with one port on the switch also on this network (172.16.3.2). So all traffic gets forced through the firewall instead of being forcefully routed on the switch itself.

Logically this sounds OK to me. I haven't actually tested this, but it might work.

Arvind

On Mon, Jan 25, 2010 at 9:51 PM, William Fitzgerald <wfitzgerald () 4c ucc ie> wrote:
Dear all,

I was just wondering how people control access amongst machines on the same subnet (LAN) that are protected by the same firewall. In my case, the firewall is a home router (WRT54G) running DD-WRT, so iptables is the firewall there.

Presumably, as with all firewalls, once a packet is not being sent to the firewall itself or forwarded through the firewall towards another network, the firewall will not protect machines behind the firewall from each other. Perhaps as a result of the built-in switch, packets don't get up to layer 3 and so the firewall is oblivious to inter-LAN packet traffic.

It would be nice to be able to restrict some LAN clients from talking to each other, perhaps by layer 3 filtering. For example, it may make sense to prohibit the network printer from talking to a web server and vice versa. Is there a way to force/make it easier for the firewall to inspect inter-LAN packets? Perhaps examining packets at layer 2 could capture this.

I understand that one solution would be to install a local firewall on each machine. This is just a general question, so that I might better understand the area of "inter-LAN" protection. While it may be possible to have a firewall not just protect traffic from Internet to LAN and LAN to Internet but also LAN to LAN, it may not be a practical thing to do.

Any comments or insights are welcomed.

regards,
Will.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
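The exchange above turns on one question: does a LAN-to-LAN packet ever reach the router's iptables at all? That is decided by the sending host, not the firewall. If the destination is inside the host's own on-link prefix, the host ARPs for it and the switch delivers the frame at layer 2; only when the destination is off-link does the packet go to the gateway, where a FORWARD rule can act on it. The following added example (not code from the thread or from DD-WRT) models that decision with Python's ipaddress module, audits William's printer/web-server policy per direction, and renders the iptables commands the router would need once the traffic does reach it. The host addresses, the gateway 192.168.0.1 and the bridge name br0 are constructed assumptions; a host given a /32 mask is assumed to also have a host route to its gateway, which the model does not check.

```python
import ipaddress

# Constructed addresses for illustration; the thread names no host addresses.
PRINTER = "192.168.0.10"
WEBSERVER = "192.168.0.20"
GATEWAY = "192.168.0.1"      # the DD-WRT router's LAN address (assumed)
LAN_IF = "br0"               # DD-WRT's LAN bridge interface (assumed)


def next_hop(src_ip, prefixlen, dst_ip, gateway):
    """Forwarding decision made by the *sending host*, not the router.

    If dst falls inside src's own on-link prefix, src ARPs for dst and the
    switch delivers the frame at layer 2; the router's iptables never sees
    the packet.  Otherwise src hands the packet to its gateway.  (A host
    configured with a /32 is assumed to have a host route to its gateway;
    the model does not check that.)
    """
    onlink = ipaddress.ip_interface(f"{src_ip}/{prefixlen}").network
    return "direct" if ipaddress.ip_address(dst_ip) in onlink else gateway


def audit(policy, prefixlens, gateway):
    """For each pair that must not talk, report per direction whether the
    router is on the path (True) or the hosts bypass it via the switch
    (False).  A mixed result means a stateful firewall sees only one
    direction of the conversation."""
    report = {}
    for src, dst in policy:
        for a, b in ((src, dst), (dst, src)):
            report[(a, b)] = next_hop(a, prefixlens[a], b, gateway) != "direct"
    return report


def forward_rules(policy, lan_if=LAN_IF):
    """Render iptables commands for a dedicated LAN_ISOLATE chain hooked at
    the top of FORWARD, matching only traffic that both enters and leaves
    via the LAN bridge.  Each blocked direction is logged before it is
    dropped.  These rules only bite for packets that audit() marks True."""
    rules = [
        "iptables -N LAN_ISOLATE",
        f"iptables -I FORWARD -i {lan_if} -o {lan_if} -j LAN_ISOLATE",
    ]
    for src, dst in policy:
        for a, b in ((src, dst), (dst, src)):
            match = f"iptables -A LAN_ISOLATE -s {a} -d {b}"
            rules.append(f"{match} -j LOG --log-prefix 'LAN-ISOLATE '")
            rules.append(f"{match} -j DROP")
    return rules


if __name__ == "__main__":
    policy = [(PRINTER, WEBSERVER)]
    cases = (
        ({PRINTER: 24, WEBSERVER: 24}, "both /24"),
        ({PRINTER: 32, WEBSERVER: 24}, "printer /32 only"),
        ({PRINTER: 32, WEBSERVER: 32}, "both /32"),
    )
    for masks, label in cases:
        print(label, audit(policy, masks, GATEWAY))
    print("\n".join(forward_rules(policy)))
```

Running it shows the three cases that matter: with both hosts on a /24 the router is never on the path in either direction, so the FORWARD rules are dead weight; with only the printer narrowed to a /32 the printer's packets are routed but the web server's replies go straight through the switch; only when every host treats the others as off-link does the router see both directions, which is what a stateful iptables policy needs.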
Current thread:
- Is it possible to control access between clients on same LAN with a firewall? William Fitzgerald (Jan 25)
- Re: Is it possible to control access between clients on same LAN with a firewall? arvind doraiswamy (Jan 26)
- Re: Is it possible to control access between clients on same LAN with a firewall? Eric Gearhart (Jan 26)
- Re: Is it possible to control access between clients on same LAN with a firewall? Mark (Jan 26)
- Re: Is it possible to control access between clients on same LAN with a firewall? Paul Melson (Jan 26)
- Re: Is it possible to control access between clients on same LAN with a firewall? K K (Jan 27)
- Re: Is it possible to control access between clients on same LAN with a firewall? Will Brickles (Jan 27)
- Message not available
- Re: Is it possible to control access between clients on same LAN with a firewall? William Fitzgerald (Jan 27)
- Re: Is it possible to control access between clients on same LAN with a firewall? Paul D. Robertson (Jan 27)
- Re: Is it possible to control access between clients on same LAN with a firewall? pkc_mls (Jan 28)