[fw-wiz] Is it possible to control access between clients on same LAN with a firewall?

Dear all,

I was just wondering how people control access amongst machines on the same subnet (LAN) that are protected by the same firewall.

In my case, the firewall is a home router (WRT54G) running DD-WRT, so iptables is the firewall there.

Presumably as with all firewalls, once a packet is not being sent to the firewall itself or forwarded through the firewall towards another network, the firewall will not protect machines behind the firewall from each other. Perhaps as a result of the built-in switch, packets don't get up to layer 3 and so the firewall is oblivious to inter-LAN packet traffic.

It would be nice to be able to restrict some LAN clients from talking to each other, perhaps by layer 3 filtering. For example, it may make sense to prohibit the network printer from talking to a web server and vice versa.

Is there a way to force/make it easier for the firewall to inspect inter-LAN packets? Perhaps examining packets at layer 2 could capture this.

I understand that one solution would be to install a local firewall on each machine.

This is just a general question, so that I might better understand the area of "inter-LAN" protection.

While it may be possible to have a firewall not just protect traffic from Internet to LAN and LAN to Internet but also LAN to LAN, it may not be a practical thing to do.

Any comments or insights are welcomed.

firewall-wizards mailing list
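An added example, not from the post above and not DD-WRT's own code, of what a LAN-to-LAN rule set for the printer/web server case looks like on a DD-WRT router: layer 2 rules for bridged traffic plus layer 3 rules for routed traffic. It assumes the LAN is bridged on br0, that the build ships the ebtables tool (not every DD-WRT image does), and uses constructed MAC and IP addresses.

```shell
#!/bin/sh
# Constructed addresses for the two hosts the post wants kept apart.
PRINTER_MAC="00:11:22:33:44:55"; PRINTER_IP="192.168.1.20"
SERVER_MAC="66:77:88:99:aa:bb";  SERVER_IP="192.168.1.30"

# Emit the rules rather than running them, so they can be reviewed (and
# tested) without root or a router. Only frames that pass through the CPU
# are filterable at all: on a WRT54G the bridge (br0) joins wireless and
# the wired VLAN, so wireless<->wired frames cross it and ebtables sees
# them, but wired<->wired frames on the same VLAN are switched in hardware
# and never reach the kernel, so no rule here can touch them.
lan_isolation_rules() {
    p_mac=$1; s_mac=$2; p_ip=$3; s_ip=$4
    # Layer 2 (bridged same-subnet traffic): match on MAC addresses.
    echo "ebtables -A FORWARD -s $p_mac -d $s_mac -j DROP"
    echo "ebtables -A FORWARD -s $s_mac -d $p_mac -j DROP"
    # Layer 3 (routed traffic): only consulted once the hosts sit in
    # different subnets/VLANs and the router forwards between them.
    # -I puts the rules ahead of DD-WRT's own ACCEPT rules in FORWARD.
    echo "iptables -I FORWARD -s $p_ip -d $s_ip -j DROP"
    echo "iptables -I FORWARD -s $s_ip -d $p_ip -j DROP"
}

# Number of rules produced; a cheap sanity check before applying.
rule_count() {
    lan_isolation_rules "$@" | wc -l | tr -d ' '
}

# Dry-run prints the rules; "apply" feeds them to the shell on the router.
case "${1:-dry-run}" in
    apply)   lan_isolation_rules "$PRINTER_MAC" "$SERVER_MAC" "$PRINTER_IP" "$SERVER_IP" | sh ;;
    dry-run) lan_isolation_rules "$PRINTER_MAC" "$SERVER_MAC" "$PRINTER_IP" "$SERVER_IP" ;;
esac
```

Per-host firewalls, as the post notes, remain the only filter that also covers the hardware-switched wired-to-wired case without splitting the ports into separate VLANs.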
