Security Basics mailing list archives
RE: firewall on the same segment
From: LordInfidel <LordInfidel () Directionweb com>
Date: Wed, 10 Sep 2003 15:55:09 -0400
The problem here is that your users are not going thru the firewall to get to the box. The server is on the same segment as your other hosts.

The way you want to accomplish this is to put a 3rd nic in your firewall. Assign it to a different subnet like 192.168.101.0/24, thus creating a "DMZ", or a 3rd network. Its interface would be, let's say, 192.168.101.1 (no gw). Put the server on that network. Its IP would be 192.168.101.3/24, gw 192.168.101.1. Now this forces your users to traverse the firewall to get to the server at 192.168.101.3.

Now in fwbuilder add another interface under your firewall. Now create 2 groups of hosts: 1 group that is allowed access, and the other group that is to be denied. In your ruleset, create 2 rules:

1. one that first allows access to the server from the allowed group;
2. one that drops connections from the denied group to the server.

It's that easy. You do not even need another hub/switch. You can use a crossover cable from the firewall to the server.

LordInfidel

-----Original Message-----
From: Fernando Serto [mailto:fernando.serto () memetrics com]
Sent: Wednesday, September 10, 2003 2:08 AM
To: security-basics () securityfocus com
Subject: firewall on the same segment

hi,

I always installed firewalls to prevent access from internet to the internal network, or from one network to another, but I was asked to install a firewall ON the LAN, to deny access to a few boxes.

For example, the network address is 192.168.100.0/24, firewall's ip is 192.168.100.1 and I need to block access to a specific server which ip is 192.168.100.3. I have to allow access only to a few users to this server. Is it possible to deploy using iptables?

On this company, they're using fwbuilder to administer the firewall. I tried to block access from 192.168.100.4 to 192.168.100.3, but I couldn't... I can only deny access to the ips configured in the firewall.

Thanks in advance.

Cheers,
Fernando
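As an added example (not from the thread, and not fwbuilder's generated output), here is an iptables rule set for the three-NIC layout LordInfidel describes, assuming the LAN sits on eth1 and the new DMZ NIC is eth2; the interface names and the allowed/denied host addresses are constructed. It goes one step beyond the reply by setting a default-deny FORWARD policy and logging the denied group, so a blocked attempt leaves a kernel log line to check.

```shell
#!/bin/sh
# Added example for the thread's DMZ layout (assumed names, not the page's):
#   eth1 = LAN 192.168.100.0/24, eth2 = DMZ 192.168.101.0/24, server 192.168.101.3
# Hosts in ALLOWED/DENIED are constructed sample addresses.
SERVER=192.168.101.3
LAN_IF=eth1
DMZ_IF=eth2
ALLOWED="192.168.100.10 192.168.100.11"   # group permitted to reach the server
DENIED="192.168.100.4"                    # group explicitly dropped (and logged)

# Run the command when MODE=apply; otherwise just print it for review.
emit() {
    if [ "$MODE" = apply ]; then "$@"; else echo "$*"; fi
}

build_rules() {
    MODE=$1
    # Default-deny for forwarded traffic: only the explicit rules below pass.
    emit iptables -P FORWARD DROP
    # Return traffic for connections the firewall already accepted.
    emit iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rule 1 (as in the reply): the allowed group may open connections to the server.
    for h in $ALLOWED; do
        emit iptables -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$h" -d "$SERVER" \
            -m state --state NEW -j ACCEPT
    done
    # Rule 2 (as in the reply): the denied group is dropped. The policy would
    # drop it anyway; the explicit rule gives a counter and a log line to watch.
    for h in $DENIED; do
        emit iptables -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$h" -d "$SERVER" \
            -j LOG --log-prefix "dmz-denied: "
        emit iptables -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$h" -d "$SERVER" -j DROP
    done
}

# Number of FORWARD rules the script would append; a sanity check before applying.
count_rules() { build_rules print | grep -c '^iptables -A FORWARD'; }

# Print by default; "sh this.sh apply" runs the commands (needs root).
build_rules "${1:-print}"
```

Anything from the LAN that is neither in ALLOWED nor carried by an established connection is silently dropped by the FORWARD policy, which is the behaviour the reply's "2 groups" scheme relies on.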
Current thread:
- firewall on the same segment Fernando Serto (Sep 10)
- Re: firewall on the same segment irado furioso com tudo (Sep 10)
- Re: firewall on the same segment Sebastian Schneider (Sep 10)
- Re: firewall on the same segment Dana Epp (Sep 10)
- Re: firewall on the same segment Preston Newton (Sep 10)
- Re: firewall on the same segment Ansgar Wiechers (Sep 10)
- RE: firewall on the same segment David Gillett (Sep 10)
- Re: firewall on the same segment Gabriel Orozco (Sep 10)
- <Possible follow-ups>
- RE: firewall on the same segment LordInfidel (Sep 10)