/32 subnet

wlanmac wlan at mac.com
Fri Feb 6 06:15:56 UTC 2009


btw, the noc2c option is available now in the svn version. I have been
using it on my network here and all my various client devices have no
problems with it...

David


On Thu, 2009-02-05 at 21:06 +0100, Emanuele Pucciarelli wrote:
> On 05/feb/09, at 20:34, Damjan wrote:
> 
> >> Where this is not an option, I think that L3 separation is a very
> >> welcome addition to avoid accidental communication, from random
> >> browsing to subnet-sweeping malware :)
> >
> > But an iptables rule does the same thing, no?
> 
> Not exactly: you may need it, but it's not enough. Here's an example:
> you have a switched network, without any fancy features on the switch;
> some clients; one Linux gateway with iptables and Chillispot, and an
> iptables rule dropping client-to-client traffic.
> 
> In a classical setup, each client will get the same subnet. Therefore,
> when an application tries to reach another client, the IP stack will
> not forward the packet to the gateway, but directly to the other
> client. Iptables cannot do anything: it is not involved in this
> exchange.
> 
> With L3 separation, the client's IP stack, even if it becomes aware of
> the other clients' IP addresses, will believe that they are on a
> different subnet. If an application tries to reach another client,
> whatever the reason, the IP stack will forward the packet to the
> gateway, where iptables can drop it altogether.
> 
> (Again – this does not provide "strong" security, because an
> application accessing raw sockets can bypass this limitation, but it's
> definitely helpful!)
> 
> Bye!
> 