/32 subnet

Emanuele Pucciarelli ep at acm.org
Thu Feb 5 20:06:24 UTC 2009


On 05/feb/09, at 20:34, Damjan wrote:

>> Where this is not an option, I think that L3 separation is a very
>> welcome addition to avoid accidental communication, from random
>> browsing to subnet-sweeping malware :)
>
> But an iptables rule does the same thing, no?

Not exactly: you may need it, but it's not enough. Here's an example:  
you have a switched network, without any fancy features on the switch;  
some clients; one Linux gateway with iptables and Chillispot, and an  
iptables rule dropping client-to-client traffic.

In a classical setup, each client will get the same subnet. Therefore,  
when an application tries to reach another client, the IP stack will  
not forward the packet to the gateway, but directly to the other  
client. Iptables cannot do anything: it is not involved in this  
exchange.

With L3 separation, the client's IP stack, even if it becomes aware of  
the other clients' IP addresses, will believe that they are on a  
different subnet. If an application tries to reach another client,  
whatever the reason, the IP stack will forward the packet to the  
gateway, where iptables can drop it altogether.

(Again – this does not provide "strong" security, because an  
application accessing raw sockets can bypass this limitation, but it's  
definitely helpful!)

Bye!

-- 
Emanuele
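The routing decision the message above describes, as an added example that is not code from the thread or from Chillispot: a small Python model of a client's route lookup with a /24 versus a /32 address, showing which case lets the gateway's drop rule see client-to-client traffic. The client network 10.1.0.0/24, gateway 10.1.0.1 and the other addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]  # None = on-link: ARP for dst and send directly

def routes_for_client(addr: str, prefixlen: int, gateway: str) -> List[Route]:
    """Table a client ends up with: its connected route, a host route to the
    gateway when the gateway is not inside the connected prefix (the /32 case),
    and a default route via the gateway."""
    iface = ipaddress.IPv4Interface(f"{addr}/{prefixlen}")
    gw = ipaddress.IPv4Address(gateway)
    table = [Route(iface.network, None)]
    if gw not in iface.network:
        table.append(Route(ipaddress.IPv4Network(f"{gw}/32"), None))
    table.append(Route(ipaddress.IPv4Network("0.0.0.0/0"), gw))
    return table

def next_hop(table: List[Route], dst: str) -> str:
    """Longest-prefix match, as the client's IP stack does it."""
    d = ipaddress.IPv4Address(dst)
    best = max((r for r in table if d in r.prefix), key=lambda r: r.prefix.prefixlen)
    return "direct" if best.via is None else f"via {best.via}"

def gateway_forwards(src: str, dst: str, client_net: str) -> bool:
    """The gateway's FORWARD policy: drop anything client-to-client, allow the rest."""
    net = ipaddress.IPv4Network(client_net)
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return not (s in net and d in net)

def simulate(prefixlen: int, src: str, dst: str, gateway: str, client_net: str) -> Tuple[bool, str]:
    """Does dst receive src's packet, and why? Constructed scenario, not live traffic."""
    hop = next_hop(routes_for_client(src, prefixlen, gateway), dst)
    if hop == "direct":
        return True, "delivered directly over the switch; the gateway never sees it"
    if gateway_forwards(src, dst, client_net):
        return True, "forwarded by the gateway"
    return False, "dropped by the gateway's FORWARD rule"

if __name__ == "__main__":
    for plen in (24, 32):
        print(f"/{plen} client -> other client:", simulate(plen, "10.1.0.5", "10.1.0.6", "10.1.0.1", "10.1.0.0/24"))
    print("/32 client -> Internet:", simulate(32, "10.1.0.5", "198.51.100.10", "10.1.0.1", "10.1.0.0/24"))
```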




More information about the Chilli mailing list