Tuesday, January 26, 2010

firewall-wizards Digest, Vol 45, Issue 10

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Is it possible to control access between clients on same LAN
with a firewall? (William Fitzgerald)


----------------------------------------------------------------------

Message: 1
Date: Mon, 25 Jan 2010 16:21:59 +0000
From: William Fitzgerald <wfitzgerald@4c.ucc.ie>
Subject: [fw-wiz] Is it possible to control access between clients on
same LAN with a firewall?
To: firewall-wizards@listserv.cybertrust.com
Message-ID: <4B5DC527.2060807@4c.ucc.ie>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Dear all,

I was just wondering how people control access amongst machines on the
same subnet (LAN) that are protected by the same firewall.

In my case, the firewall is a home router (WRT54G) running DD-WRT, so
iptables is the firewall there.

Presumably as with all firewalls, once a packet is not being sent to the
firewall itself or forwarded through the firewall towards another
network, the firewall will not protect machines behind the firewall from
each other. Perhaps as a result of the built-in switch, packets don't
get up to layer 3 and so the firewall is oblivious to inter-LAN packet
traffic.

It would be nice to be able to restrict some LAN clients from talking to
each other, perhaps by layer 3 filtering. For example, it may make sense
to prohibit the network printer from talking to a web server and vice versa.

Is there a way to force/make it easier for the firewall to inspect
inter-LAN packets? Perhaps examining packets at layer 2 could capture this.

I understand that one solution would be to install a local firewall on
each machine.

This is just a general question, so that I might better understand the
area of "inter-LAN" protection.

While it may be possible to have a firewall to not just protect traffic
from Internet to LAN and LAN to Internet but also LAN to LAN, it may not
be a practical thing to do.

Any comments or insights are welcomed.

regards,
Will.

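The following is an added example for readers of the question above; it is not code from the poster, the list, or the DD-WRT project. It generates (without applying) the iptables commands that make a Linux bridge-based router drop traffic between two LAN hosts, assuming the DD-WRT default bridge name br0 and a kernel with bridge netfilter so that frames crossing the software bridge are offered to the FORWARD chain. The addresses are constructed placeholders. The caveat the poster suspected is real: on a WRT54G the wired LAN ports sit behind a hardware switch, so wired-to-wired frames never reach the CPU at all, and this approach only catches traffic that crosses the software bridge (wireless to wired, for instance).

```sh
#!/bin/sh
# Added example: not code from the original post or from DD-WRT.
# Emits the commands needed to isolate two LAN hosts from each other on a
# Linux router whose LAN is a software bridge. Nothing is applied unless
# the output is piped to sh on the router itself.
#
# Assumptions (labelled): the LAN bridge is br0 (DD-WRT default) and the
# kernel exposes net.bridge.bridge-nf-call-iptables, which makes bridged
# frames traverse the iptables FORWARD chain with -i br0 -o br0.
# Caveat: frames switched in hardware between wired LAN ports of a WRT54G
# never reach the CPU, so these rules cannot see them; only traffic that
# crosses the software bridge (e.g. wireless <-> wired) is filtered.

LAN_BRIDGE="${LAN_BRIDGE:-br0}"

# Accept only a dotted-quad IPv4 address whose octets are 0-255, so a typo
# cannot turn into a rule that silently matches nothing.
valid_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the commands that block host A <-> host B in both directions.
# The bridge-nf sysctl comes first: without it the FORWARD rules never match.
isolate_pair() {
    valid_ipv4 "$1" && valid_ipv4 "$2" || return 1
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
    echo "iptables -I FORWARD -i $LAN_BRIDGE -o $LAN_BRIDGE -s $1 -d $2 -j DROP"
    echo "iptables -I FORWARD -i $LAN_BRIDGE -o $LAN_BRIDGE -s $2 -d $1 -j DROP"
}

# Constructed example: keep the network printer and a web server apart.
isolate_pair 192.168.1.50 192.168.1.80
```

Run the script on a workstation to review the rules, then feed its output to sh on the router. To confirm the rules are actually seeing bridged traffic, check the packet counters with `iptables -L FORWARD -v -n` after generating some printer-to-server traffic; counters that stay at zero usually mean the frames are being switched in hardware and never reach the bridge.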

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 45, Issue 10
************************************************