/32 subnet

Marco Simioni m.simioni at gmail.com
Wed Feb 4 10:21:41 UTC 2009


Hi,

Good job, but I think these kinds of security measures have to be
implemented at a lower layer (layer 2).

I mean, we usually achieve this task the following ways:

- we use Ethernet switches with the Private VLAN feature (this allows
separation of traffic between the host ports) (see
http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=3 for
examples, but cheaper switches also implement this)

- we use access points that have the option "Deny clients
communication" (this denies communication between wireless hosts)

With your method I think that a client can always work at layer 2 (ARP
scanning and so on) to see the other clients.

Anyway, I will be pleased to test it in the next weeks.

Regards, aNt1X


2009/2/4 Thomas Liske <liske at ibh.de>:
> Hi,
>
> the basic idea behind the attached patch is the following:
>
> On a hotspot, normally you don't want to allow client to client communication
> (everybody should have access to the internet and be somehow protected from
> other hotspot users) - especially for the windows dhows.
>
> This patch adds a new configuration option "noc2c" (no client 2 client
> communication). With this option enabled, the DHCP offer supplies a /32
> netmask. Doing this would prevent any hotspot client from communicating with
> anybody, even the default gateway. Therefore it adds a static route for the
> default gw as a connected route. This prevents (Windows) clients from doing any
> broadcasts on the hotspot network and reaching any other hotspot client
> (default gateway must not route any packets coming from a hotspot client to
> any other hotspot client). It would be great if somebody could test it with
> additional clients, Win XP works as expected.
>
> Any comments on the patch are welcome ;)
>
>
> Regards,
> Thomas
>
>
>
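
Added example (not part of either message or of the patch): a simplified model of the routing table a client builds from its lease, showing the effect of the /32 netmask with and without the on-link route to the gateway described in the quoted message. The addresses and function names are assumptions, and the model covers only the client's own layer 3 forwarding decision, not what is reachable on the shared layer 2 segment.

```python
import ipaddress

def client_routes(ip, prefixlen, gateway, host_route_to_gw=False):
    """Routing table a cooperating client derives from a lease (simplified).

    Each entry is (network, via); via=None means "on-link", i.e. the client
    resolves the destination itself with ARP instead of using a router.
    """
    iface = ipaddress.ip_interface(f"{ip}/{prefixlen}")
    routes = [(iface.network, None)]  # connected route implied by the netmask
    if host_route_to_gw:
        # the extra static route: the gateway is declared directly connected
        routes.append((ipaddress.ip_network(f"{gateway}/32"), None))
    routes.append((ipaddress.ip_network("0.0.0.0/0"),
                   ipaddress.ip_address(gateway)))
    return routes

def next_hop(routes, dst):
    """Longest-prefix match: 'on-link', the gateway address, or None."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, via) for net, via in routes if dst in net]
    if not matches:
        return None
    _, via = max(matches, key=lambda r: r[0].prefixlen)
    if via is None:
        return "on-link"
    # A gateway is only usable if the client can reach it on-link.
    gw_on_link = any(via in net and v is None for net, v in routes)
    return str(via) if gw_on_link else None

# Constructed sample addresses (documentation ranges), not from the thread.
ME, PEER, GW, INTERNET = "192.0.2.5", "192.0.2.9", "192.0.2.1", "198.51.100.7"

def compare():
    """Next hop per destination for the three lease variants."""
    variants = {
        "/24 lease": client_routes(ME, 24, GW),
        "/32 lease only": client_routes(ME, 32, GW),
        "/32 lease + gw route": client_routes(ME, 32, GW, host_route_to_gw=True),
    }
    return {name: {d: next_hop(r, d) for d in (PEER, GW, INTERNET)}
            for name, r in variants.items()}

if __name__ == "__main__":
    for name, hops in compare().items():
        print(name, hops)
```

With the /24 lease the peer is on-link, so client-to-client traffic never passes the gateway; with the /32 lease plus gateway route every peer destination is handed to the gateway, which can then refuse to forward it.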


