/32 subnet

Damjan gdamjan at mail.net.mk
Fri Feb 6 14:36:28 UTC 2009


> >But an iptables rule does the same thing, no?
> 
> Not exactly: you may need it, but it's not enough. Here's an example:  
> you have a switched network, without any fancy features on the switch;  
> some clients; one Linux gateway with iptables and Chillispot, and an  
> iptables rule dropping client-to-client traffic.
> 
> In a classical setup, each client will get the same subnet. Therefore,  
> when an application tries to reach another client, the IP stack will  
> not forward the packet to the gateway, but directly to the other  
> client. Iptables cannot do anything: it is not involved in this  
> exchange.

right, but the /32 trick can be so easily bypassed it's not real
security at all. If your L2 domain is not separated, you can't do
anything.

BTW, at least some Ubuntu versions with Avahi installed, would also add
169.254.0.0/16 alias address to the interface and announce itself to the
network. Without L2 separation (on APs and switches) the users will
still see each other *automatically* even with that /32 trick.



-- 
damjan | дамјан
This is my jabber ID -->         damjan at bagra.net.mk 
 -- not my mail address, it's a Jabber ID --^ :)
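Added example, not part of the thread or of Chillispot: a small Python model of the host routing decision the quoted post describes (on-link vs. via gateway), extended with the Avahi alias case from the reply above. Every address in it is constructed (10.1.0.0/24 clients, 10.1.0.1 as the gateway, a 169.254.x.y/16 alias), and the gateway is assumed to drop client-to-client traffic in its iptables FORWARD chain; the point it makes runnable is that iptables can only act on packets that are actually forwarded through the gateway.

```python
import ipaddress

# Constructed Linux gateway address for the example (assumption).
GATEWAY = "10.1.0.1"


def next_hop(iface_addrs, dst):
    """Mimic a host IP stack's choice for an outgoing packet.

    If dst lies inside the prefix of any address configured on the interface,
    the host treats it as on-link and sends it directly (ARP on the LAN).
    Otherwise the packet goes to the default gateway.
    """
    dst = ipaddress.ip_address(dst)
    for addr in iface_addrs:
        if dst in ipaddress.ip_interface(addr).network:
            return "direct"
    return GATEWAY


def client_to_client(iface_addrs, dst):
    """Outcome of a client-to-client packet when the gateway's FORWARD chain
    drops such traffic. Only packets that reach the gateway can be filtered;
    an on-link packet is switched between the clients and never seen by it."""
    if next_hop(iface_addrs, dst) == "direct":
        return "delivered on the LAN, gateway never sees it"
    return "dropped by gateway iptables FORWARD rule"


# Constructed scenarios (addresses are not from the thread):

def classic_subnet():
    # Both clients in 10.1.0.0/24: the other client is on-link.
    return client_to_client(["10.1.0.10/24"], "10.1.0.11")


def slash32_trick():
    # /32 leaves no on-link neighbours, so the packet is routed via the gateway.
    return client_to_client(["10.1.0.10/32"], "10.1.0.11")


def slash32_with_avahi_alias():
    # An Avahi link-local alias re-introduces a shared on-link prefix,
    # so a neighbour's 169.254/16 address is reached directly again.
    return client_to_client(["10.1.0.10/32", "169.254.23.45/16"], "169.254.77.8")


if __name__ == "__main__":
    for name, scenario in [("classic /24", classic_subnet),
                           ("/32 trick", slash32_trick),
                           ("/32 + Avahi 169.254/16 alias", slash32_with_avahi_alias)]:
        print(f"{name}: {scenario()}")
```

The model deliberately ignores the L2 layer: a client that simply adds its own on-link route or alias address gets the same "direct" result, which is why the reply above says only L2 separation on the APs and switches actually enforces client isolation.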
