Re: [fw-wiz] Is it possible to control access between clients on same LAN with a firewall?

On Mon, 25 Jan 2010, William Fitzgerald wrote:

Dear all,

I was just wondering how people control access amongst machines on the
same subnet (LAN) that are protected by the same firewall.

In my case, the firewall is a home router (WRT54G) running DD-WRT, so
iptables is the firewall there.

I'm going to give you the non-firewall, imperfect but quick and easy
solution because with my quick reading of the postings I've approved, I
didn't see anyone suggest it yet- and it works no matter what you're using
as a router, assuming that it operations normally, and someone hasn't been
too clever in making it work...

Supernet the router, so use something like say as
the "internal" network on the router. From here, you'll either need
relatively smart devices where you can assign routes, virtual addresses on
the internal router interface if you've got more than one "dumb" device.
Let's say we're going to assign the router

Now, let's assume 2 computers, a printer and a WII...

Give the desktop as its subnet and assign it an
address, say Add a static route to the netbook if you need
to share files/printers just putting its address in your routing table as
an interface route. Now add a static interface route to the router's address (something like 'route add host netmask gw en0')

Give the printer as well, as you'll be printing to
it from the desktop. It doesn't need to reach the Internet, so it doesn't
get to route there.

Give your Netbook as its subnet and assign it an
address, say Print through a queue on the desktop if

Give your Wii as it's network and give it an
address in that range. The Wii probably can't add host routes, so it
needs to be on the same subnet as the router.

That's it. It won't stop an attacker who can add routes, but it'll stop
anything automatic, anyone who's dumb and 90% of the network
administrators on the planet from getting from any single device to any
other that's not a "normal" communication.

Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list

firewall-wizards mailing list

Relevant Pages

  • Re: Multiple subnet routing issue from vpn
    ... Then I could disable rras and route that way, ... RRAS or anything else dealing with more than one NIC. ... router for the LAN if required. ... subnet to the other site is doable. ...
  • Re: Multiple subnet routing issue from vpn
    ... If you want a single NIC, which is recommended, go through the motions and ignore the single NIC errors and don't opt for RRAS or anything else dealing with more than one NIC. ... All non-SBS servers can handle routing better, but honestly a Windows server to be used for a router is way overkill in the price and hardware department. ... network and the LAN it is attached to, it is possible to route it through to the other site, but it won't be easy. ... subnet to the other site is doable. ...
  • Re: please advise - problem with routing
    ... and a network is a very important distinction in IP address configuration. ... you show that the subnet has two devices ... ROUTE PRINT on NT4 ... ROUTE PRINT on router ...
  • Re: Win2k3 LAN Routing Questions
    ... all you need to do is enable IP routing on the router. ... If there was no other network involved, you simply make the router the ... pretty straight forward as long as you can add a route to your NAT router. ... This is important because this router needs to know where your new subnet is ...
  • Re: 2 NIC SBS2003R2 LAN/WAN Firewall Router Connection Failure
    ... I changed the SBS external IP settings as you suggest. ... Clients and the SBS Server can reach the router. ... may be there are some rule deny the access from some IP addresses or subnet. ... |> Two Nics, a static IP address, ISA, router ...