/32 subnet
wlanmac
wlan at mac.com
Fri Feb 6 06:15:56 UTC 2009
btw, the noc2c option is available now in the svn version. I have been
using it on my network here and all my various client devices have no
problems with it...
David
On Thu, 2009-02-05 at 21:06 +0100, Emanuele Pucciarelli wrote:
> Il giorno 05/feb/09, alle ore 20:34, Damjan ha scritto:
>
> >> Where this is not an option, I think that L3 separation is a very
> >> welcome addition to avoid accidental communication, from random
> >> browsing to subnet-sweeping malware :)
> >
> > But an iptables rule does the same thing, no?
>
> Not exactly: you may need it, but it's not enough. Here's an example:
> you have a switched network, without any fancy features on the switch;
> some clients; one Linux gateway with iptables and Chillispot, and an
> iptables rule dropping client-to-client traffic.
>
> In a classical setup, each client will get the same subnet. Therefore,
> when an application tries to reach another client, the IP stack will
> not forward the packet to the gateway, but directly to the other
> client. Iptables cannot do anything: it is not involved in this
> exchange.
>
> With L3 separation, the client's IP stack, even if it becomes aware of
> the other clients' IP addresses, will believe that they are on a
> different subnet. If an application tries to reach another client,
> whatever the reason, the IP stack will forward the packet to the
> gateway, where iptables can drop it altogether.
>
> (Again – this does not provide "strong" security, because an
> application accessing raw sockets can bypass this limitation, but it's
> definitely helpful!)
>
> Bye!
>
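The routing decision Emanuele describes, as an added simulation that is not part of the thread: the client's stack has only a connected route for its own subnet and a default route via the gateway, so a /24 sends client-to-client packets past iptables while a /32 hands them to the gateway. The gateway address 10.1.0.1, the client pool 10.1.0.0/24 and the sample destinations are constructed assumptions.

```python
"""Constructed example: why a /32 client mask routes neighbour traffic via the
gateway (where iptables FORWARD can drop it) while a /24 does not."""
import ipaddress

GATEWAY = ipaddress.ip_address("10.1.0.1")        # assumed gateway address
CLIENT_POOL = ipaddress.ip_network("10.1.0.0/24")  # assumed Chillispot pool


def next_hop(client_ip: str, prefixlen: int, dst: str):
    """Address the client's stack hands the frame to: the destination itself
    (connected route), the gateway (default route), or None for local delivery."""
    client = ipaddress.ip_interface(f"{client_ip}/{prefixlen}")
    dst_addr = ipaddress.ip_address(dst)
    if dst_addr == client.ip:
        return None
    # Connected route: with /24 a neighbour matches here and is ARPed for
    # directly; with /32 the network holds only the client itself, so nothing
    # else matches and the default route (gateway) wins.
    if dst_addr in client.network:
        return dst_addr
    return GATEWAY


def gateway_forwards(src: str, dst: str) -> bool:
    """Gateway FORWARD policy: drop client-to-client, accept everything else."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d == GATEWAY:
        return True  # traffic to the gateway itself is INPUT, not FORWARD
    if s in CLIENT_POOL and d in CLIENT_POOL:
        return False
    return True


def delivered(client_ip: str, prefixlen: int, dst: str) -> bool:
    """End-to-end outcome of one packet from client_ip to dst."""
    hop = next_hop(client_ip, prefixlen, dst)
    if hop is None or hop != GATEWAY:
        return True  # sent directly on the switched LAN; iptables never sees it
    return gateway_forwards(client_ip, dst)
```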