Firewall Wizards mailing list archives
Re: Is it possible to control access between clients on same LAN with a firewall?
From: Eric Gearhart <eric () nixwizard net>
Date: Tue, 26 Jan 2010 20:47:30 -0700
On Mon, Jan 25, 2010 at 9:21 AM, William Fitzgerald <wfitzgerald () 4c ucc ie> wrote:
I was just wondering how people control access amongst machines on the same subnet (LAN) that are protected by the same firewall. In my case, the firewall is a home router (WRT54G) running DD-WRT, so iptables is the firewall there. Presumably as with all firewalls, once a packet is not being sent to the firewall itself or forwarded through the firewall towards another network, the firewall will not protect machines behind the firewall from each other. Perhaps as a result of the built-in switch, packets don't get up to layer 3 and so the firewall is oblivious to inter-LAN packet traffic. It would be nice to be able to restrict some LAN clients from talking to each other, perhaps by layer 3 filtering. For example, it may make sense to prohibit the network printer from talking to a web server and vice versa.
You sound like you might already know this, but I may as well summarize it for the audience. Normally in "production networks" you separate different servers on a network based on their purpose... for example, application servers go into an "application VLAN," database servers go into a "database VLAN," and publicly accessible servers go in their own separate DMZ (preferably they also hang off their own separate "DMZ" firewall appliance as well...)

I know that's a lot of "overarchitecting" for what you need, but your DD-WRT does support breaking interfaces into separate VLANs, and the ports on the DD-WRT effectively can become separate layer-3 switches by doing this. With some creative config you could build a network that was segregated as you described... if you're interested in implementing this, post back to the list... I use DD-WRT at the house myself and maybe I can help.

The only other way of doing this would be to set up something such as Snort and have Snort listen on each port of the DD-WRT and do active IDS, where traffic that was deemed "bad" would have a TCP reset inserted into the session streams on each side of the TCP connection... but I think that's a bit much to ask of the poor little WRT54G's resources.

By the way, I have several WRT54Gs running DD-WRT and they work great... I've never had a problem with them.

--
Eric

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
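The VLAN approach Eric describes only works because, once the printer and the web server sit on different VLANs with different subnets, every packet between them has to be routed by the DD-WRT box and therefore passes through the iptables FORWARD chain, where it can be filtered and logged. The script below is an added example written for this archive, not code from the thread or from the DD-WRT project. It assumes two VLAN interfaces, vlan2 (printer ports, 192.168.2.0/24) and vlan3 (server ports, 192.168.3.0/24); both interface names and subnets are placeholders chosen for illustration, and the `LAN_SEGMENT` chain name is invented here. By default it only prints the iptables commands so they can be reviewed; setting `APPLY=1` runs them on the router.

```shell
#!/bin/sh
# Added example (not from the firewall-wizards thread): generate iptables
# FORWARD rules that stop a "printer" VLAN and a "server" VLAN from reaching
# each other on a DD-WRT router where each group of ports is its own VLAN.
# Interface names and subnets are assumptions; override them in the environment.
PRINTER_IF="${PRINTER_IF:-vlan2}"              # assumed VLAN interface for printer ports
PRINTER_NET="${PRINTER_NET:-192.168.2.0/24}"   # assumed subnet on that VLAN
SERVER_IF="${SERVER_IF:-vlan3}"                # assumed VLAN interface for server ports
SERVER_NET="${SERVER_NET:-192.168.3.0/24}"     # assumed subnet on that VLAN

# Emit a rate-limited LOG rule followed by a DROP for one direction of traffic.
# $1 ingress interface, $2 source subnet, $3 egress interface, $4 destination subnet.
block_pair() {
    echo "iptables -A LAN_SEGMENT -i $1 -s $2 -o $3 -d $4 -m limit --limit 5/min -j LOG --log-prefix \"LAN_SEGMENT_DROP: \""
    echo "iptables -A LAN_SEGMENT -i $1 -s $2 -o $3 -d $4 -j DROP"
}

# Print one iptables command per line. A dedicated chain keeps this policy
# separable from the FORWARD rules DD-WRT itself manages.
gen_rules() {
    echo "iptables -N LAN_SEGMENT 2>/dev/null"
    echo "iptables -F LAN_SEGMENT"
    # Both directions are blocked: the printer must not start sessions to the
    # server, and the server must not start sessions to the printer.
    block_pair "$PRINTER_IF" "$PRINTER_NET" "$SERVER_IF" "$SERVER_NET"
    block_pair "$SERVER_IF" "$SERVER_NET" "$PRINTER_IF" "$PRINTER_NET"
    # Anything else (e.g. either VLAN to the WAN) falls through to the
    # existing FORWARD rules.
    echo "iptables -A LAN_SEGMENT -j RETURN"
    # Hook the chain at the top of FORWARD so it is evaluated first; the -C
    # check avoids inserting it twice (iptables -C needs 1.4.11 or later;
    # on older builds, drop the check and flush FORWARD before re-running).
    echo "iptables -C FORWARD -j LAN_SEGMENT 2>/dev/null || iptables -I FORWARD 1 -j LAN_SEGMENT"
}

# Review by default; apply only when explicitly asked (must be root on the router).
if [ "${APPLY:-0}" = "1" ]; then
    gen_rules | sh
else
    gen_rules
fi
```

The LOG rule is what makes the control auditable: a hit on the `LAN_SEGMENT_DROP:` prefix in the router's syslog means one segment tried to reach the other, which is exactly the event you would want to notice. Note that hosts plugged into ports on the same VLAN still switch traffic at layer 2 and never hit these rules, which is the limitation the original question describes; the filtering only applies once the groups are on separate VLANs and subnets.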