From: trentbuck@gmail.com (Trent W. Buck)
To: netfilter@vger.kernel.org
Subject: Re: WiFi Hotspot Disable Neighbor discovery,Ask
Date: Thu, 09 Jul 2020 15:42:02 +1000
Message-ID: <87sge1xn11.fsf@goll.lan>
In-Reply-To: alpine.DEB.2.21.2006271231370.13515@piplus.local.jubileegroup.co.uk

"G.W. Haywood" <netfilter@jubileegroup.co.uk> writes:
> Hello again,
>
> On Fri, 26 Jun 2020, Hooman wrote:
>
>> ...
>> not being able to manipulate or drop such packets could be a security
>> issue, since these are packets that you can't really manage through
>> iptables/ebtables (think of firewalls). So I leave it to this community
>> to decide whether netfilter should be able to manage such packets.
>> ...
>
> It is not clear to me that the kernel design permits what you suggest.
>
> Thinking of firewalls, nobody in his right mind would do to a firewall
> what you have done to your computer

FWIW, I do the equivalent in wired networks on Cisco Catalyst
2950/2960/2970 switches. There it is called "port isolation".
It prevents switching between desktops, while
still allowing switching between desktop and servers.

It works the same as if you set up a separate 802.1q tag for each
[a desktop] + [all servers], except you don't have to micro-manage it.

https://www.cisco.com/c/en/us/support/docs/lan-switching/private-vlans-pvlans-promiscuous-isolated-community/40781-194.html
specifically this image
https://www.cisco.com/c/dam/en/us/support/docs/lan-switching/private-vlans-pvlans-promiscuous-isolated-community/40781-194-a.gif

ap_isolate=1 in hostapd.conf appears to be the equivalent for 802.11.

https://www.w1.fi/cgit/hostap/tree/hostapd/hostapd.conf#n533

I think the OP originally tried to set it in each wifi client,
instead of in the AP:

https://www.w1.fi/cgit/hostap/commit/?id=19e20c14fb015d063dc248a0f4ded195ad229df3
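
A check for the AP-side setting discussed above, as an added example that is not part of the original message or of hostapd: it lists which BSS sections of a hostapd.conf leave ap_isolate off. The sample configuration, the interface names and the simplified parsing model (key=value lines, `bss=` starting a new BSS section) are assumptions made for illustration.

```python
# Added example: report hostapd BSS sections that do not enable ap_isolate.
# Simplified model of hostapd.conf (assumption): key=value lines, '#' comment
# lines, options apply to the current BSS, and a 'bss=' line starts a new BSS.

# Constructed sample: the primary BSS isolates clients, the guest BSS has the
# option commented out, so it keeps the default (bridging allowed).
SAMPLE_CONF = """\
interface=wlan0
ssid=office
ap_isolate=1
bss=wlan0_guest
ssid=guest
#ap_isolate=1
"""


def parse_bss_sections(text):
    """Split a hostapd.conf into a list of {'name', 'opts'} dicts, one per BSS."""
    sections = [{"name": "(unnamed)", "opts": {}}]  # first BSS starts at file top
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "bss":
            sections.append({"name": value, "opts": {}})
        elif key == "interface":
            sections[0]["name"] = value
        else:
            sections[-1]["opts"][key] = value
    return sections


def isolation_enabled(opts):
    """True when ap_isolate is set to a non-zero integer; absent means off."""
    try:
        return int(opts.get("ap_isolate", "0")) != 0
    except ValueError:
        return False


def unisolated_bss(text):
    """Names of BSS sections where associated stations can still be bridged."""
    return [s["name"] for s in parse_bss_sections(text)
            if not isolation_enabled(s["opts"])]


if __name__ == "__main__":
    for name in unisolated_bss(SAMPLE_CONF):
        print(f"{name}: ap_isolate not enabled")
```
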