[LARTC] block ethernet IPv4 traffic

Rene Gallati lartc@draxinusom.ch
Mon, 19 Jul 2004 15:26:56 +0200


Anton Glinkov wrote:
>>Anton Glinkov wrote:
>>
>>
>>>On Mon, July 19, 2004 15:25, Ed Wildgoose said:
>>>
>>>
>>>>>the bridge thing is not possible.. the network is too big.. 300
>>>>>machines..
>>>>>with over 30 switches (only one of them is manageable) :(
>>>>>Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
>>>>>The only solution I thought of was to have a linux machine in this LAN
>>>>>that has all the possible IP addresses set on its interface.
>>>>>
>>>>>
>>>>
>>>>Look, we can't help you until you explain the problem
>>>>
>>>>WHY is it not possible to have a bridge?  This only requires two network
>>>>cards?
>>>
>>>
>>>I want to block the traffic between _ANY_ 2 of the machines in the
>>>network.
>>
>>How about giving them a netmask of /32 instead of /24 (or whatever you
>>have) so that they only see themselves in the same network and then
>>giving them a static route to the default gw (since it is outside of the
>>/32).
>>
>>Then you can block all inter-client traffic at that single default
>>gateway (or one hop "in front" of it, seen from the clients)
>>
>
>
> I don't have access to those machines :-)
> they use internet via different ethernet protocol (PPPoE)

If you don't have access to those machines, you need to do "something"
where you have access, which presumably is at the switches. But that
means you either need to replace those with smart ones (which can also
be a linux box with many nics or multi-port nics) or basically put a
linux box with 2 nics in between the cable from the client and the
switch port. Either way, it's not gonna be cheap and possibly isn't
feasible at all. I see no easier solution if you cannot control/trust
the client systems.

-- 

C U

      - -- ---- ----- -----/\/  René Gallati  \/\---- ----- --- -- -
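The "linux box with 2 nics in between the cable from the client and the switch port" suggested above, written out as an added example (not from the thread or from anyone on the list): a transparent bridge with no IP address of its own, filtering with ebtables so that IPv4 frames (ethertype 0x0800) are dropped in the FORWARD chain while everything else, including the PPPoE frames the clients use for internet, still passes. It also goes one step beyond the thread: if a gateway MAC is supplied, IPv4 to and from that gateway is accepted and only client-to-client IPv4 is dropped, which is the "one hop in front of the gateway" variant. The interface names `eth0`/`eth1`, the bridge name `br0` and the `GW_MAC` variable are assumptions; run without arguments it only prints the commands, and applies them only with `apply` as root.

```shell
#!/bin/sh
# Added example, not the list's or any project's code. Builds a two-NIC
# transparent bridge and an ebtables rule set that drops IPv4 (ethertype
# 0x0800) frames crossing the bridge. Interface names are assumptions.
#
# Usage:  sh bridge-block-ipv4.sh              # dry run: print the commands
#         sudo sh bridge-block-ipv4.sh apply   # execute them
#         GW_MAC=02:00:00:00:00:01 sudo sh bridge-block-ipv4.sh apply
#                                              # keep IPv4 to/from the gateway

CLIENT_IF="${CLIENT_IF:-eth0}"   # assumed: cable coming from the client PC
UPLINK_IF="${UPLINK_IF:-eth1}"   # assumed: cable going to the switch port
BRIDGE="${BRIDGE:-br0}"
GW_MAC="${GW_MAC:-}"             # optional: MAC of the default gateway

# Print the commands, one per line, that build the bridge and its filter.
# br0 deliberately gets no IP address, so the box is invisible on the LAN.
bridge_block_ipv4_cmds() {
    printf '%s\n' \
        "ip link add name $BRIDGE type bridge" \
        "ip link set $CLIENT_IF master $BRIDGE" \
        "ip link set $UPLINK_IF master $BRIDGE" \
        "ip link set $CLIENT_IF up" \
        "ip link set $UPLINK_IF up" \
        "ip link set $BRIDGE up" \
        "ebtables -F FORWARD" \
        "ebtables -P FORWARD ACCEPT"
    # Variant from the thread: block only inter-client traffic by letting
    # frames to/from the gateway MAC through before the catch-all drop.
    if [ -n "$GW_MAC" ]; then
        printf '%s\n' \
            "ebtables -A FORWARD -p IPv4 -d $GW_MAC -j ACCEPT" \
            "ebtables -A FORWARD -p IPv4 -s $GW_MAC -j ACCEPT"
    fi
    # Everything else with ethertype 0x0800 is dropped; ARP, PPPoE
    # (0x8863/0x8864) and other ethertypes are not matched and pass.
    printf '%s\n' "ebtables -A FORWARD -p IPv4 -j DROP"
}

# Number of unconditional IPv4 drop rules in the generated set (self-check).
count_ipv4_drops() {
    bridge_block_ipv4_cmds | grep -c -- '-p IPv4 -j DROP'
}

if [ "${1:-}" = "apply" ]; then
    bridge_block_ipv4_cmds | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
else
    bridge_block_ipv4_cmds
fi
```

The rules live in the FORWARD chain, so they only affect frames crossing the bridge; the box's own traffic is not involved because `br0` has no address. Since the filter keys on the ethertype rather than on IP addresses, clients cannot get around it by changing their IP configuration, which matters given that the machines are not under your control. On kernels where ebtables has been replaced by the nftables bridge family, the same drop is `nft add rule bridge filter forward ether type ip drop` after creating the `bridge filter` table and a `forward` hook chain.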