Re: [LARTC] block ethernet IPv4 traffic

Re: [LARTC] block ethernet IPv4 traffic

[Anton Glinkov]

On Mon, July 19, 2004 15:04, Ed Wildgoose said:
>
>>I want to block the IP traffic between any 2 hosts on a switched ethernet
>>LAN. Will setting all the possible IP addresses on a linux machine in the
>>LAN do the trick or there is another easier solution?
>>
>>
>
> You need to arrange to have the linux machine running as that switch,
> which is unlikely to be practical.
>
> See if your switch has such options (if it's a high end device).
> Otherwise your best option is to segregate the two LAN's and then route
> or bridge between then, the linux box will do filtering in the middle.
>
> You haven't said what you are trying to achieve, so it's hard to offer
> better suggestions
>
the bridge thing is not possible.. the network is too big.. 300 machines..
with over 30 switches (only one of them is manageable) :(
Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
The only solution I thought of was to have a linux machine in this LAN
that has all the possible IP addresses set on its interface.

-- 
Anton Glinkov
network administrator

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] block ethernet IPv4 traffic

[Ed Wildgoose]

>the bridge thing is not possible.. the network is too big.. 300 machines..
>with over 30 switches (only one of them is manageable) :(
>Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
>The only solution I thought of was to have a linux machine in this LAN
>that has all the possible IP addresses set on its interface.
>  
>

Look, we can't help you until you explain the problem

WHY is it not possible to have a bridge?  This only requires two network 
cards?
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] block ethernet IPv4 traffic

[Anton Glinkov]

On Mon, July 19, 2004 15:25, Ed Wildgoose said:
>
>
>>the bridge thing is not possible.. the network is too big.. 300
>> machines..
>>with over 30 switches (only one of them is manageable) :(
>>Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
>>The only solution I thought of was to have a linux machine in this LAN
>>that has all the possible IP addresses set on its interface.
>>
>>
>
> Look, we can't help you until you explain the problem
>
> WHY is it not possible to have a bridge?  This only requires two network
> cards?

I want to block the traffic between _ANY_ 2 of the machines in the network.

-- 
Anton Glinkov
network administrator

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] block ethernet IPv4 traffic

[Rene Gallati]

Anton Glinkov wrote:

> On Mon, July 19, 2004 15:25, Ed Wildgoose said:
> 
>>
>>>the bridge thing is not possible.. the network is too big.. 300
>>>machines..
>>>with over 30 switches (only one of them is manageable) :(
>>>Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
>>>The only solution I thought of was to have a linux machine in this LAN
>>>that has all the possible IP addresses set on its interface.
>>>
>>>
>>
>>Look, we can't help you until you explain the problem
>>
>>WHY is it not possible to have a bridge?  This only requires two network
>>cards?
> 
> 
> I want to block the traffic between _ANY_ 2 of the machines in the network.

How about giving them a netmask of /32 instead of /24 (or whatever you 
have) so that they only see themselves in the same network and then 
giving them a static route to the default gw (since it is outside of the 
/32).

Then you can block all inter-client traffic at that single default 
gateway (or one hop "in front" of it, seen from the clients)


-- 

C U

      - -- ---- ----- -----/\/  René Gallati  \/\---- ----- --- -- -
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] block ethernet IPv4 traffic

[Anton Glinkov]

> Anton Glinkov wrote:
>
>> On Mon, July 19, 2004 15:25, Ed Wildgoose said:
>>
>>>
>>>>the bridge thing is not possible.. the network is too big.. 300
>>>>machines..
>>>>with over 30 switches (only one of them is manageable) :(
>>>>Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
>>>>The only solution I thought of was to have a linux machine in this LAN
>>>>that has all the possible IP addresses set on its interface.
>>>>
>>>>
>>>
>>>Look, we can't help you until you explain the problem
>>>
>>>WHY is it not possible to have a bridge?  This only requires two network
>>>cards?
>>
>>
>> I want to block the traffic between _ANY_ 2 of the machines in the
>> network.
>
> How about giving them a netmask of /32 instead of /24 (or whatever you
> have) so that they only see themselves in the same network and then
> giving them a static route to the default gw (since it is outside of the
> /32).
>
> Then you can block all inter-client traffic at that single default
> gateway (or one hop "in front" of it, seen from the clients)
>

I don't have access to those machines :-)
they use internet via different ehternet protocol (PPPoE)


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] block ethernet IPv4 traffic

[Lawrence MacIntyre]

This will work as long as none of the clients are clued enough to add 
host routes or alias addresses.

Rene Gallati wrote:
> Anton Glinkov wrote:
> 
>> On Mon, July 19, 2004 15:25, Ed Wildgoose said:
>>
>>>
>>>> the bridge thing is not possible.. the network is too big.. 300
>>>> machines..
>>>> with over 30 switches (only one of them is manageable) :(
>>>> Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
>>>> The only solution I thought of was to have a linux machine in this LAN
>>>> that has all the possible IP addresses set on its interface.
>>>>
>>>>
>>>
>>> Look, we can't help you until you explain the problem
>>>
>>> WHY is it not possible to have a bridge?  This only requires two network
>>> cards?
>>
>>
>>
>> I want to block the traffic between _ANY_ 2 of the machines in the 
>> network.
> 
> 
> How about giving them a netmask of /32 instead of /24 (or whatever you 
> have) so that they only see themselves in the same network and then 
> giving them a static route to the default gw (since it is outside of the 
> /32).
> 
> Then you can block all inter-client traffic at that single default 
> gateway (or one hop "in front" of it, seen from the clients)
> 
> 

-- 
     Lawrence MacIntyre     865.574.8696     lpz@ornl.gov
                Oak Ridge National Laboratory
High Performance Information Infrastructure Technology Group
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] block ethernet IPv4 traffic

[Rene Gallati]

Anton Glinkov wrote:
>>Anton Glinkov wrote:
>>
>>
>>>On Mon, July 19, 2004 15:25, Ed Wildgoose said:
>>>
>>>
>>>>>the bridge thing is not possible.. the network is too big.. 300
>>>>>machines..
>>>>>with over 30 switches (only one of them is manageable) :(
>>>>>Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
>>>>>The only solution I thought of was to have a linux machine in this LAN
>>>>>that has all the possible IP addresses set on its interface.
>>>>>
>>>>>
>>>>
>>>>Look, we can't help you until you explain the problem
>>>>
>>>>WHY is it not possible to have a bridge?  This only requires two network
>>>>cards?
>>>
>>>
>>>I want to block the traffic between _ANY_ 2 of the machines in the
>>>network.
>>
>>How about giving them a netmask of /32 instead of /24 (or whatever you
>>have) so that they only see themselves in the same network and then
>>giving them a static route to the default gw (since it is outside of the
>>/32).
>>
>>Then you can block all inter-client traffic at that single default
>>gateway (or one hop "in front" of it, seen from the clients)
>>
> 
> 
> I don't have access to those machines :-)
> they use internet via different ehternet protocol (PPPoE)

If you don't have access to those machines, you need to do "something" 
where you have access which presumeably is at the switches. But that 
means you either need to replace those with smart ones (which can also 
be a linux box with many nics or multi-port nics) or basically put a 
linux box with 2 nics in between the cable from the client and the 
switch port. Either way, it's not gonna be cheap and possibly isn't 
feasible at all. I see no easier solution if you cannot control/trust 
the client systems.

-- 

C U

      - -- ---- ----- -----/\/  René Gallati  \/\---- ----- --- -- -
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] block ethernet IPv4 traffic

[Rene Gallati]

Lawrence MacIntyre wrote:

> This will work as long as none of the clients are clued enough to add 
> host routes or alias addresses.

Yes, I assumed he were the admin of the site in question. If the clients 
have full control over their systems then this is a no-go.

Some linux boxes with bridges and bridge_filter might do the trick but 
he'd need to put one of those basically in front of each switch port.

I don't see an easy way to solve the problem.

> 
> Rene Gallati wrote:
> 
>> Anton Glinkov wrote:
>>
>>> On Mon, July 19, 2004 15:25, Ed Wildgoose said:
>>>
>>>>
>>>>> the bridge thing is not possible.. the network is too big.. 300
>>>>> machines..
>>>>> with over 30 switches (only one of them is manageable) :(
>>>>> Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
>>>>> The only solution I thought of was to have a linux machine in this LAN
>>>>> that has all the possible IP addresses set on its interface.
>>>>>
>>>>>
>>>>
>>>> Look, we can't help you until you explain the problem
>>>>
>>>> WHY is it not possible to have a bridge?  This only requires two 
>>>> network
>>>> cards?
>>>
>>>
>>>
>>>
>>> I want to block the traffic between _ANY_ 2 of the machines in the 
>>> network.
>>
>>
>>
>> How about giving them a netmask of /32 instead of /24 (or whatever you 
>> have) so that they only see themselves in the same network and then 
>> giving them a static route to the default gw (since it is outside of 
>> the /32).
>>
>> Then you can block all inter-client traffic at that single default 
>> gateway (or one hop "in front" of it, seen from the clients)
>>
>>
> 

-- 

C U

      - -- ---- ----- -----/\/  René Gallati  \/\---- ----- --- -- -
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] block ethernet IPv4 traffic

[Ed Wildgoose]

>Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
>  
>

Go on then, I'll bite.  Why do you want to do this at all?
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] block ethernet IPv4 traffic

[Paul]

What about vlans?  Every machine on a separate vlan.  Easy enough if you
have access to the network

On Mon, 2004-07-19 at 09:03, Lawrence MacIntyre wrote:
> This will work as long as none of the clients are clued enough to add 
> host routes or alias addresses.
> 
> Rene Gallati wrote:
> > Anton Glinkov wrote:
> > 
> >> On Mon, July 19, 2004 15:25, Ed Wildgoose said:
> >>
> >>>
> >>>> the bridge thing is not possible.. the network is too big.. 300
> >>>> machines..
> >>>> with over 30 switches (only one of them is manageable) :(
> >>>> Basically I want to deny ethertype 0800 (IPv4) packets for that LAN.
> >>>> The only solution I thought of was to have a linux machine in this LAN
> >>>> that has all the possible IP addresses set on its interface.
> >>>>
> >>>>
> >>>
> >>> Look, we can't help you until you explain the problem
> >>>
> >>> WHY is it not possible to have a bridge?  This only requires two network
> >>> cards?
> >>
> >>
> >>
> >> I want to block the traffic between _ANY_ 2 of the machines in the 
> >> network.
> > 
> > 
> > How about giving them a netmask of /32 instead of /24 (or whatever you 
> > have) so that they only see themselves in the same network and then 
> > giving them a static route to the default gw (since it is outside of the 
> > /32).
> > 
> > Then you can block all inter-client traffic at that single default 
> > gateway (or one hop "in front" of it, seen from the clients)
> > 
> > 

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/