Re: [fw-wiz] Is it possible to control access between clients on same LAN with a firewall?



VLAN's on L3 switches is what instantly springs to mind. Alternatively
as you suggest ACL's on the L3 switch itself between all the machines
on that switch is another option.

How about something like this though? Say the LAN is 192.168.0.0/24.
The machines all have their gateway set to 192.168.3.1(switch). Don't
have any routes on the switch apart from a default one pointing to the
firewall which can be on another network (172.16.3.1) - one port on
the switch also on this network(172.16.3.2). So all traffic gets
forced through the firewall instead of being forcefully routed on the
switch itself.Logically this sounds ok to me - I haven't actually
tested this - but it might work.

Arvind

On Mon, Jan 25, 2010 at 9:51 PM, William Fitzgerald
<wfitzgerald@xxxxxxxxx> wrote:
Dear all,

I was just wondering how people control access amongst machines on the same
subnet (LAN) that are protected by the same firewall.

In my case, the firewall is a home router (WRT54G) running DD-WRT, so
iptables is the firewall there.

Presumably as with all firewalls, once a packet is not being sent to the
firewall itself or forwarded through the firewall towards another network,
the firewall will not protect machines behind the firewall from each other.
Perhaps as a result of the built-in switch, packets don't get up to layer 3
and so the firewall is oblivious to inter-LAN packet traffic.

It would be nice to be able to restrict some LAN clients from talking to
each other, perhaps by layer 3 filtering. For example, it may make sense to
prohibit the network printer from talking to a web server and vice versa.

Is there away to force/make it easier for the firewall to inspect inter-LAN
packets. Perhaps examining packets at layer 2 could capture this.

I understand that one solution would be to install a local firewall on each
machine.

This is just a general question, so that I might better understand the area
of "inter-LAN" protection.

While it may be possible to have a firewall to not just protect traffic from
Internet to LAN and LAN to Internet but also LAN to LAN, it may not be a
practical thing to do.

Any comments or insights are welcomed.

regards,
Will.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards