Security Basics mailing list archives
RE: firewall on the same segment
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 10 Sep 2003 13:26:06 -0700
Traffic that doesn't have to cross the firewall cannot be blocked by the firewall. There are two basic ways to solve this:

1. Some(!) firewall products can be configured as bridges (layer 2) rather than routers (layer 3). This lets you put some hosts behind the firewall without having to put them on a different subnet. The firewall you have may or may not support this option.

2. Move the hosts to a new subnet behind the firewall, and set up "static NAT" rules on the firewall that map the publicized IP addresses to the private NATted ones. This can be done with >90% of the firewall products I've ever seen.

(Several firewalls offer a way to offer access only to users who successfully authenticate to the firewall or some additional server such as TACACS+ or RADIUS. Once your topology works, I think this is the remaining piece of your puzzle.)

David Gillett
-----Original Message-----
From: Fernando Serto [mailto:fernando.serto () memetrics com]
Sent: September 9, 2003 23:08
To: security-basics () securityfocus com
Subject: firewall on the same segment

hi,

I always installed firewalls to prevent access from the internet to the internal network, or from one network to another, but I was asked to install a firewall ON the LAN, to deny access to a few boxes.

For example, the network address is 192.168.100.0/24, the firewall's IP is 192.168.100.1 and I need to block access to a specific server whose IP is 192.168.100.3. I have to allow access only to a few users to this server.

Is it possible to deploy this using iptables? At this company, they're using fwbuilder to administer the firewall. I tried to block access from 192.168.100.4 to 192.168.100.3, but I couldn't... I can only deny access to the IPs configured in the firewall.

Thanks in advance.

Cheers,
Fernando

---
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.506 / Virus Database: 303 - Release Date: 1/08/2003

---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Precisely Define and Implement Network Security
- Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW - FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
---------------------------------------------------------------------------
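The bridging (layer-2) option David describes, as an added example that is not part of the thread: an iptables rule set using the physdev match, so the firewall can filter between hosts that share 192.168.100.0/24 without renumbering them. It assumes the firewall sits inline with eth0 toward the rest of the LAN and eth1 toward only the protected server; the interface names, the allowed-client list and the br_netfilter sysctl are assumptions (2.4-era kernels needed the bridge-nf patch instead), and the static-NAT alternative is not shown.

```shell
#!/bin/sh
# Added example (not from the thread): a layer-2 "bridging" firewall with
# iptables, the first option in David's reply. There is no routed hop, so the
# box can filter traffic between hosts that share 192.168.100.0/24.
# Assumptions: eth0 faces the rest of the LAN, eth1 faces only the protected
# server; the allowed-client list is constructed for illustration.
SERVER=192.168.100.3
ALLOWED="192.168.100.4 192.168.100.10"   # space-separated, split on purpose
LAN_IF=eth0
SRV_IF=eth1
BR=br0

# Execute a command, or only print it when DRY_RUN=1 (lets you review the
# rule set before touching a live box).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_bridge() {
  run ip link add name "$BR" type bridge
  run ip link set "$LAN_IF" master "$BR"
  run ip link set "$SRV_IF" master "$BR"
  run ip link set "$BR" up
  # The firewall's management address from the original post moves onto the bridge.
  run ip addr add 192.168.100.1/24 dev "$BR"
  # Bridged IPv4 frames are only handed to iptables when this is enabled
  # (br_netfilter on current kernels; 2.4-era kernels needed the bridge-nf patch).
  run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

access_rules() {
  # Only frames heading out toward the server are restricted; the server's
  # replies leave via $LAN_IF and are unaffected, so no conntrack rule is needed.
  run iptables -P FORWARD ACCEPT
  run iptables -F FORWARD
  for src in $ALLOWED; do
    run iptables -A FORWARD -m physdev --physdev-out "$SRV_IF" \
      -s "$src" -d "$SERVER" -j ACCEPT
  done
  run iptables -A FORWARD -m physdev --physdev-out "$SRV_IF" -d "$SERVER" -j DROP
}

case "${1:-}" in
  show)  DRY_RUN=1; setup_bridge; access_rules ;;
  apply) setup_bridge; access_rules ;;
esac
```

Run with `show` to print the commands for review, or `apply` as root on the inline box; hosts not in ALLOWED still ARP for the server, but their IP traffic to it is dropped at the bridge.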