Firewall Wizards mailing list archives

Re: Is it possible to control access between clients on same LAN with a firewall?


From: "Mark" <firewalladmin () bellsouth net>
Date: Tue, 26 Jan 2010 16:14:20 -0500

Will:

The issue here is that computers on the same LAN do not forward packets to
the default gateway (your firewall), but use ARP and layer 2 to communicate.
The firewall never even pays attention to this traffic. The fact that the
firewall and switch are occupying the same physical device (your WRT54G)
makes no nevermind (as we say in the south). Even if you could make your
firewall filter the traffic, in essence you would be creating a situation
where your packets do a U-turn at the firewall, (I believe there is a term
for this, something like inter-LAN forwarding) which is not a good idea IMO
and can open you up to spoofing attacks from the outside. 

As you surmised, the best way to restrict traffic on the same LAN is via
personal firewalls. However, there are other (usually more complicated)
ways. IPsec filtering is one option; Linux has used solutions like TCP
Wrappers and miscellaneous config files for specific services like FTP,
Apache, ssh, etc.

This is just my 2 cents. Hopefully some of the more seasoned veterans on
this list can give you a better answer. 

V/R

Mark
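Added example (not from either poster): a small script that makes the point in Mark's first paragraph concrete. It takes a constructed topology (one /24 behind the router plus one routed remote host; the addresses and host names are assumptions for the example) and a list of deny pairs, classifies each flow as switched (both ends on the same subnet, so it never reaches the router's FORWARD chain) or routed, and emits the iptables rule for the device that actually sees the traffic: the router for routed flows, the receiving host's own INPUT chain for switched ones.

```python
"""Decide where a LAN-to-LAN deny rule can actually be enforced.

Hosts on one subnet reach each other via ARP and layer 2; the gateway's
FORWARD chain only sees packets that must be routed.  This classifies each
flow and emits rules for the place that sees the traffic.  The topology,
addresses and deny list are constructed for this example.
"""
import ipaddress

# Constructed example topology (assumption, not from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")
HOSTS = {
    "printer":   ipaddress.ip_address("192.168.1.20"),
    "webserver": ipaddress.ip_address("192.168.1.30"),
    "remote-pc": ipaddress.ip_address("10.0.5.7"),   # reached via the router
}
# Unidirectional (source, destination) pairs that must not talk.
DENY = [
    ("printer", "webserver"),
    ("webserver", "printer"),
    ("remote-pc", "printer"),
]


def flow_path(src, dst, lan=LAN):
    """Return 'switched' when src and dst share the subnet (layer 2 only,
    the gateway never sees the packets), otherwise 'routed'."""
    return "switched" if src in lan and dst in lan else "routed"


def compile_policy(hosts, deny, lan=LAN):
    """Split the deny list into rules for the router and rules per host.

    Returns (gateway_rules, host_rules): gateway_rules are iptables FORWARD
    rules for the router; host_rules maps a host name to the iptables INPUT
    rules that host has to run itself, because the router cannot see the
    flow.
    """
    gateway_rules = []
    host_rules = {}
    for s, d in deny:
        src, dst = hosts[s], hosts[d]
        if flow_path(src, dst, lan) == "routed":
            gateway_rules.append(
                f"iptables -A FORWARD -s {src} -d {dst} -j DROP")
        else:
            # Switched traffic: only the receiving host can drop it.
            host_rules.setdefault(d, []).append(
                f"iptables -A INPUT -s {src} -j DROP")
    return gateway_rules, host_rules


if __name__ == "__main__":
    gw, per_host = compile_policy(HOSTS, DENY)
    print("# router (DD-WRT) rules")
    for rule in gw:
        print(rule)
    for host, rules in per_host.items():
        print(f"# rules to run on {host} ({HOSTS[host]})")
        for rule in rules:
            print(rule)
```

With the constructed inputs, only the remote-pc to printer pair produces a router rule; both printer/webserver pairs land on the hosts, which is exactly the "personal firewall" outcome Mark describes.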

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of William
Fitzgerald
Sent: Monday, January 25, 2010 11:22 AM
To: firewall-wizards () listserv cybertrust com
Subject: [fw-wiz] Is it possible to control access between clients on same
LAN with a firewall?

Dear all,

I was just wondering how people control access amongst machines on the 
same subnet (LAN) that are protected by the same firewall.

In my case, the firewall is a home router (WRT54G) running DD-WRT, so 
iptables is the firewall there.

Presumably as with all firewalls, once a packet is not being sent to the 
firewall itself or forwarded through the firewall towards another 
network, the firewall will not protect machines behind the firewall from 
each other. Perhaps as a result of the built-in switch, packets don't 
get up to layer 3 and so the firewall is oblivious to inter-LAN packet 
traffic.

It would be nice to be able to restrict some LAN clients from talking to 
each other, perhaps by layer 3 filtering. For example, it may make sense 
to prohibit the network printer from talking to a web server and vice versa.

Is there a way to force/make it easier for the firewall to inspect 
inter-LAN packets? Perhaps examining packets at layer 2 could capture this.

I understand that one solution would be to install a local firewall on 
each machine.

This is just a general question, so that I might better understand the 
area of "inter-LAN" protection.

While it may be possible to have a firewall to not just protect traffic 
from Internet to LAN and LAN to Internet but also LAN to LAN, it may not 
be a practical thing to do.

Any comments or insights are welcomed.

regards,
Will.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

