[LARTC] block ethernet IPv4 traffic

Rene Gallati lartc@draxinusom.ch
Mon, 19 Jul 2004 15:27:04 +0200


Lawrence MacIntyre wrote:

> This will work as long as none of the clients are clued enough to add
> host routes or alias addresses.

Yes, I assumed he was the admin of the site in question. If the clients
have full control over their systems then this is a no-go.

Some linux boxes with bridges and bridge_filter might do the trick but
he'd need to put one of those basically in front of each switch port.

I don't see an easy way to solve the problem.

>
> Rene Gallati wrote:
>
>> Anton Glinkov wrote:
>>
>>> On Mon, July 19, 2004 15:25, Ed Wildgoose said:
>>>
>>>>
>>>>> the bridge thing is not possible.. the network is too big.. 300
>>>>> machines..
>>>>> with over 30 switches (only one of them is manageable) :(
>>>>> Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
>>>>> The only solution I thought of was to have a linux machine in this LAN
>>>>> that has all the possible IP addresses set on its interface.
>>>>>
>>>>>
>>>>
>>>> Look, we can't help you until you explain the problem
>>>>
>>>> WHY is it not possible to have a bridge?  This only requires two network
>>>> cards?
>>>
>>>
>>>
>>>
>>> I want to block the traffic between _ANY_ 2 of the machines in the
>>> network.
>>
>>
>>
>> How about giving them a netmask of /32 instead of /24 (or whatever you
>> have) so that they only see themselves in the same network and then
>> giving them a static route to the default gw (since it is outside of
>> the /32).
>>
>> Then you can block all inter-client traffic at that single default
>> gateway (or one hop "in front" of it, seen from the clients)
>>
>>
>

-- 

C U

      - -- ---- ----- -----/\/  René Gallati  \/\---- ----- --- -- -