From mboxrd@z Thu Jan 1 00:00:00 1970
From: Rene Gallati
Date: Mon, 19 Jul 2004 13:26:56 +0000
Subject: Re: [LARTC] block ethernet IPv4 traffic
Message-Id: <40FBCC20.8080802@draxinusom.ch>
List-Id:
References: <39685.217.79.71.234.1090239494.squirrel@217.79.71.234>
In-Reply-To: <39685.217.79.71.234.1090239494.squirrel@217.79.71.234>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
To: lartc@vger.kernel.org

Anton Glinkov wrote:
>> Anton Glinkov wrote:
>>
>>> On Mon, July 19, 2004 15:25, Ed Wildgoose said:
>>>
>>>>> the bridge thing is not possible.. the network is too big.. 300
>>>>> machines..
>>>>> with over 30 switches (only one of them is manageable) :(
>>>>> Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
>>>>> The only solution I thought of was to have a linux machine in this LAN
>>>>> that has all the possible IP addresses set on its interface.
>>>>
>>>> Look, we can't help you until you explain the problem
>>>>
>>>> WHY is it not possible to have a bridge? This only requires two network
>>>> cards?
>>>
>>> I want to block the traffic between _ANY_ 2 of the machines in the
>>> network.
>>
>> How about giving them a netmask of /32 instead of /24 (or whatever you
>> have) so that they only see themselves in the same network and then
>> giving them a static route to the default gw (since it is outside of the
>> /32).
>>
>> Then you can block all inter-client traffic at that single default
>> gateway (or one hop "in front" of it, seen from the clients)
>
> I don't have access to those machines :-)
> they use internet via different ethernet protocol (PPPoE)

If you don't have access to those machines, you need to do "something"
where you have access which presumably is at the switches. But that
means you either need to replace those with smart ones (which can also
be a linux box with many nics or multi-port nics) or basically put a
linux box with 2 nics in between the cable from the client and the
switch port. Either way, it's not gonna be cheap and possibly isn't
feasible at all. I see no easier solution if you cannot control/trust
the client systems.

--
C U - -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
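The "/32 netmask plus static route to the gateway" scheme that Rene describes in his quoted reply, written out as an added example for Linux clients and a Linux gateway running nftables. This is not code from the thread; the interface names, the 192.0.2.0/24 addresses (an RFC 5737 documentation range) and the nft table name are assumptions. The functions only print the commands and ruleset, so the script runs without root; on the real hosts the output would be piped into sh.

```shell
#!/bin/sh
# Added example, not from the thread: client-side /32 isolation and the
# matching gateway-side hairpin filter. Addresses, interface names and the
# nft table name are assumed values.

# Print the client-side commands. With a /32 address the client has no
# on-link peers, so every packet, including one addressed to a neighbouring
# client, is handed to the gateway's MAC and can be filtered there.
client_isolation_cmds() {
    ip="$1" gw="$2" dev="$3"
    [ -n "$ip" ] && [ -n "$gw" ] && [ -n "$dev" ] \
        || { echo "usage: client_isolation_cmds IP GW DEV" >&2; return 1; }
    [ "$ip" != "$gw" ] \
        || { echo "client IP must differ from gateway IP" >&2; return 1; }
    printf 'ip addr add %s/32 dev %s\n' "$ip" "$dev"
    # The gateway lies outside the /32, so it needs an explicit on-link
    # host route before the default route can point at it.
    printf 'ip route add %s/32 dev %s\n' "$gw" "$dev"
    printf 'ip route add default via %s dev %s\n' "$gw" "$dev"
}

# Print the gateway-side nftables ruleset: a forwarded packet that would
# leave through the interface it arrived on is client-to-client traffic.
# It is dropped and counted; the counter doubles as a simple detection
# signal for hosts that still try to talk to their neighbours.
gateway_isolation_ruleset() {
    lan_if="$1"
    [ -n "$lan_if" ] \
        || { echo "usage: gateway_isolation_ruleset LAN_IF" >&2; return 1; }
    cat <<EOF
table inet client_isolation {
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "$lan_if" oifname "$lan_if" counter drop comment "no hairpin between clients"
    }
}
EOF
}

# The gateway must not advertise a shorter path: a client that honours ICMP
# redirects would otherwise install a direct route to its neighbour and
# bypass the forward filter. Linux enables redirects if either the per
# interface or the "all" knob is set, so both are cleared.
gateway_sysctl_cmds() {
    lan_if="$1"
    [ -n "$lan_if" ] \
        || { echo "usage: gateway_sysctl_cmds LAN_IF" >&2; return 1; }
    printf 'sysctl -w net.ipv4.conf.%s.send_redirects=0\n' "$lan_if"
    printf 'sysctl -w net.ipv4.conf.all.send_redirects=0\n'
}

# Demonstration with constructed values: one client, the gateway's LAN side.
client_isolation_cmds 192.0.2.10 192.0.2.1 eth0
gateway_isolation_ruleset eth1
gateway_sysctl_cmds eth1
```

The scheme only works where the clients' IPv4 stack is actually used on the LAN; as Anton points out, PPPoE clients talk to the access concentrator over their own ethertype, so their IPv4 addressing never touches the switched segment and this filter has nothing to act on.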