From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@vger.kernel.org
Subject: Re: Beginner Question on restricting traffic within the same subnet.
Date: Mon, 02 Nov 2009 22:25:46 +0100
Message-ID: <4AEF4E5A.9010407@plouf.fr.eu.org>
In-Reply-To: <ac5c74140911020902s71f6660cl28e7f3d8a436afa8@mail.gmail.com>

paddy joesoap wrote:
> 
> I need to do some reading here. So thanks for this. But once I form a
> "bridge", I can then apply standard iptables rules, right? Will it
> only inspect packets at layer 2 and not layer 3,4 and 7? Again, I
> better read about the area before posing such questions.

If enabled, bridge-nf extracts the IP packet from the ethernet frame
payload and passes it to iptables. iptables rules inspect the IP packet
as usual, except that -i|-o match the bridge name and --physdev-in|out
match the bridge physical interfaces.

If you only need to do basic filtering based on interfaces or IP
addresses, you can simply do it with ebtables. bridge-nf and iptables
are useful for more advanced IP filtering that ebtables cannot do.

Information about bridge-nf aka bridge-netfilter is available in the
documentation section of <http://ebtables.sourceforge.net/>.

>>> Internal Machines 1,2 and 3 are on the same subnet governed by the
>>> netfilter firewall.
>>>                                    ---------- Machine1
>>> Internet ------ Netfilter Firewall ---------- Machine2
>>>                                    ---------- Machine3
>>
>> Does the Firewall bridge Machine1-3 together (and thus have a separate
>> ethernet interface for each one) or is there an ethernet switch between
>> them ? A switch won't pass the traffic between Machine1-3 to the Firewall.
> 
> I was thinking of a typical SOHO router (combined switch, routing, nat
> and firewall) or a simple standalone linux box that has a switch (even
> outdated hub!) connected to it and then the 3 machines on the far side
> of the switch.

With a SOHO router, it depends on how the built-in switch works. If each
ethernet port is or can be set as a separate interface (possibly through
the use of VLANs), then you can build a Linux bridge and inspect bridged
traffic with ebtables or bridge-nf + iptables. Otherwise, a plain
switch (either built-in or external) won't allow you to inspect LAN
traffic. Traffic between two machines will just flow through the switch
without hitting the firewall.

> This is currently just a hypothetical question.
> 
> I presumed that given a firewall can examine packets from the internal
> network outbound, that it can also examine packets that are never
> routed externally.
[...]
> Now, I know I can install netfilter locally on the server and even TCP
> wrapper but I am interested to know from a security in depth point of
> view, if a firewall also controls access amongst machines/systems on
> the same network? (filter by ip addresses on the same subnet. I
> presume the firewall machine also needs to be a router).

A firewall can only inspect packets that pass through it. If it is
connected to a port of a switch, it won't see the traffic of the other
ports. The switch is the only one that can see and inspect the traffic.
A Linux bridge is just that: a software switch with filtering capabilities.
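The setup Pascal describes, as an added example that is not part of the thread: a Linux bridge built from one physical port per machine (so LAN-to-LAN frames actually traverse the firewall host), then filtered first with ebtables at layer 2 and then with bridge-nf + iptables, where `-i`/`-o` match the bridge and `--physdev-in`/`--physdev-out` select the physical port. The interface names `br0`, `eth1`, `eth2`, the `192.0.2.0/24` addresses and the MAC address are placeholders I chose; the `br_netfilter` module and the `DRY_RUN` switch are my additions, not anything the thread mentions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a bridge from two physical
# ports and filters the traffic between them in two ways:
#   (a) ebtables only, frame-level policy by port and MAC;
#   (b) bridge-nf + iptables, IP/TCP policy with the physdev match.
# Placeholders: br0/eth1/eth2, 192.0.2.x (documentation range), MAC
# 02:00:00:00:00:01. Applying for real needs root and the bridge,
# br_netfilter and xt_physdev modules; DRY_RUN=1 prints every command
# instead of executing it so the rule set can be reviewed anywhere.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bridge $1 with every further argument enslaved as a port. One machine per
# port is what lets this host see the traffic between them; behind a plain
# switch those frames never arrive here.
make_bridge() {
    br=$1; shift
    run ip link add name "$br" type bridge
    for port in "$@"; do
        run ip link set dev "$port" master "$br"
        run ip link set dev "$port" up
    done
    run ip link set dev "$br" up
}

# (a) ebtables: the bridge FORWARD chain drops frames between ports unless
# they are between one permitted client MAC and the server port.
ebtables_rules() {
    br=$1; server_port=$2; client_port=$3; client_mac=$4
    run ebtables -P FORWARD DROP
    run ebtables -A FORWARD --logical-in "$br" -i "$client_port" -o "$server_port" \
        -s "$client_mac" -j ACCEPT
    run ebtables -A FORWARD --logical-in "$br" -i "$server_port" -o "$client_port" \
        -d "$client_mac" -j ACCEPT
}

# (b) bridge-nf + iptables: bridged IP packets are handed to the iptables
# FORWARD chain. -i/-o name the bridge, the physical port comes from the
# physdev match. Only $client_ip may open TCP/22 to the server, established
# sessions pass, anything else headed to the server port is dropped.
bridgenf_rules() {
    br=$1; server_port=$2; server_ip=$3; client_ip=$4
    run modprobe br_netfilter   # needed on current kernels; harmless where built in
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run iptables -A FORWARD -i "$br" -o "$br" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$br" -o "$br" \
        -m physdev --physdev-out "$server_port" --physdev-is-bridged \
        -p tcp -s "$client_ip" -d "$server_ip" --dport 22 -j ACCEPT
    run iptables -A FORWARD -i "$br" -o "$br" \
        -m physdev --physdev-out "$server_port" --physdev-is-bridged \
        -d "$server_ip" -j DROP
}

# Usage: DRY_RUN=1 sh bridge-filter.sh apply   (prints the rule set)
#        sh bridge-filter.sh apply              (applies it, as root)
if [ "${1:-}" = "apply" ]; then
    make_bridge br0 eth1 eth2
    ebtables_rules br0 eth1 eth2 02:00:00:00:00:01
    bridgenf_rules br0 eth1 192.0.2.2 192.0.2.10
fi
```

The two halves are alternatives, not a pair: for a policy expressed purely in ports and addresses the ebtables rules alone are enough, and enabling `bridge-nf-call-iptables` only pays off when you need conntrack state or TCP port matching, which is exactly the split the reply draws between ebtables and bridge-nf.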
