Re: [fw-wiz] Is it possible to control access between clients on same LAN with a firewall?

Using DD-WRT, what comes to mind immediately is to put your devices into separate VLANs and then use iptables to restrict traffic between the VLANs. I don't know how flexible DD-WRT is when it comes to VLANs, but it might be your best bet on such a platform. A configuration guide for VLANs I came across is at - it sounds as if you are already familiar with iptables.

Using other (much more expensive) platforms, you have other options - for example using private VLANs, protected ports, "transparent" firewalls, etc.

Will Brickles
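As an added example (this is not part of Will Brickles' reply or of the thread), here is the shape the "separate VLANs plus iptables" approach takes on DD-WRT. The interface names, subnets and ports are assumptions for illustration: the printer and the web server each get their own VLAN that is routed, not bridged into br0, so traffic between them has to pass through the router at layer 3 and therefore traverses the FORWARD chain, which is the only place iptables can see it. Hosts that remain on the same VLAN still reach each other directly over the switch; the granularity is per VLAN, not per host.

```shell
#!/bin/sh
# Added example, not from the original thread: inter-VLAN filtering on DD-WRT.
# The printer and the web server sit on their own VLANs, so traffic between
# them must be routed by the box and therefore traverses the FORWARD chain,
# where iptables can see it. Hosts on the SAME VLAN still reach each other
# through the switch; this only gives per-VLAN granularity.
#
# Interface names and ports below are assumptions for illustration; check
# the real layout with `nvram get vlan1ports`, `nvram get vlan2ports` and
# `ip link` on the router.
WAN_IF=vlan2      # upstream / Internet
LAN_IF=br0        # vlan1 bridged with the wireless side: workstations
PRINT_IF=vlan3    # printer segment (must NOT be a member of br0)
SRV_IF=vlan4      # web-server segment (must NOT be a member of br0)
CHAIN=vlanfw

# Every rule passes through this helper. With DRY_RUN=1 the command is
# printed instead of executed, so the policy can be reviewed off-box.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_vlan_rules() {
    # A dedicated chain, hooked in at position 1 of FORWARD so it runs
    # before DD-WRT's own generated rules (which accept LAN traffic freely).
    ipt -N "$CHAIN" 2>/dev/null || ipt -F "$CHAIN"
    ipt -D FORWARD -j "$CHAIN" 2>/dev/null
    ipt -I FORWARD 1 -j "$CHAIN"

    # Anything to or from the WAN is left to the existing firewall rules.
    ipt -A "$CHAIN" -i "$WAN_IF" -j RETURN
    ipt -A "$CHAIN" -o "$WAN_IF" -j RETURN
    # Replies to the inter-VLAN flows permitted below.
    ipt -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Permitted inter-VLAN flows, all initiated by the workstation segment:
    # IPP and raw JetDirect printing, and SSH/HTTP/HTTPS to the web server.
    ipt -A "$CHAIN" -i "$LAN_IF" -o "$PRINT_IF" -p tcp -m multiport --dports 631,9100 -j ACCEPT
    ipt -A "$CHAIN" -i "$LAN_IF" -o "$SRV_IF" -p tcp -m multiport --dports 22,80,443 -j ACCEPT

    # Everything else between LAN-side VLANs (printer <-> web server in either
    # direction, server -> workstations, ...) is logged at a limited rate and dropped.
    ipt -A "$CHAIN" -m limit --limit 3/min -j LOG --log-prefix "VLAN-DROP: "
    ipt -A "$CHAIN" -j DROP
}

# `sh vlanfw.sh show` prints the rules; `sh vlanfw.sh apply` loads them on the
# router (e.g. pasted into Administration -> Commands -> Save Firewall so they
# survive a reboot and DD-WRT's own rule regeneration).
case "${1:-}" in
    show)  DRY_RUN=1 build_vlan_rules ;;
    apply) build_vlan_rules ;;
esac
```

Two things worth checking once it is loaded: `iptables -L FORWARD -v -n --line-numbers` should show the jump to `vlanfw` at line 1 (DD-WRT regenerates its rules on some configuration changes and can push yours down), and a connection attempt from the printer segment to the web server should show up as a `VLAN-DROP:` line in `dmesg` or the syslog rather than succeeding.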

From: William Fitzgerald <wfitzgerald@xxxxxxxxx>
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx
Sent: Mon, January 25, 2010 9:21:59 AM
Subject: [fw-wiz] Is it possible to control access between clients on same LAN with a firewall?

Dear all,

I was just wondering how people control access amongst machines on the same subnet (LAN) that are protected by the same firewall.

In my case, the firewall is a home router (WRT54G) running DD-WRT, so iptables is the firewall there.

Presumably as with all firewalls, once a packet is not being sent to the firewall itself or forwarded through the firewall towards another network, the firewall will not protect machines behind the firewall from each other. Perhaps as a result of the built-in switch, packets don't get up to layer 3 and so the firewall is oblivious to inter-LAN packet traffic.

It would be nice to be able to restrict some LAN clients from talking to each other, perhaps by layer 3 filtering. For example, it may make sense to prohibit the network printer from talking to a web server and vice versa.

Is there a way to force/make it easier for the firewall to inspect inter-LAN packets? Perhaps examining packets at layer 2 could capture this.

I understand that one solution would be to install a local firewall on each machine.

This is just a general question, so that I might better understand the area of "inter-LAN" protection.

While it may be possible to have a firewall to not just protect traffic from Internet to LAN and LAN to Internet but also LAN to LAN, it may not be a practical thing to do.

Any comments or insights are welcomed.

firewall-wizards mailing list