/32 subnet
Gunther Mayer
gunther.mayer at googlemail.com
Sat Feb 7 18:00:23 UTC 2009
Damjan wrote:
>>> But an iptables rule does the same thing, no?
>>>
>> Not exactly: you may need it, but it's not enough. Here's an example:
>> you have a switched network, without any fancy features on the switch;
>> some clients; one Linux gateway with iptables and Chillispot, and an
>> iptables rule dropping client-to-client traffic.
>>
>> In a classical setup, each client will get the same subnet. Therefore,
>> when an application tries to reach another client, the IP stack will
>> not forward the packet to the gateway, but directly to the other
>> client. Iptables cannot do anything: it is not involved in this
>> exchange.
>>
>
> right, but the /32 trick can be so easily bypassed it's not real
> security at all. If your L2 domain is not separated, you can't do
> anything.
>
> BTW, at least some Ubuntu versions with Avahi installed, would also add
> 169.254.0.0/16 alias address to the interface and announce itself to the
> network. Without L2 separation (on APs and switches) the users will
> still see each other *automatically* even with that /32 trick.
>
After all the discussion I've seen it seems to me that the noc2c option
provides just another layer of security, albeit one that may easily be
circumvented.
If you really want *proper* isolation you'll need a layer 2 firewall
such as ebtables on all your switching/bridging equipment behind coova,
i.e. all switches, a/p's etc. that are used to enlarge the coverage of
your coova hotspot. The core rule would drop everything not destined or
originating from the gateway (coova).
Gunther
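The layer-2 rule Gunther describes (drop every bridged frame that is neither destined to nor originating from the coova gateway), written out as an added example; this is not code from the thread or from CoovaChilli. It assumes the AP or switch is a Linux box that bridges its client ports and its uplink with a Linux bridge, that the gateway's MAC address and the bridge port leading toward it are known, and that ebtables is installed. The gateway MAC `00:11:22:33:44:55` and port name `eth0` are constructed placeholders. The script only prints the ebtables commands so the ruleset can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not from the thread): generate the ebtables ruleset for
# client-to-client isolation on a Linux bridge behind a CoovaChilli gateway.
# Assumed: bridge ports for clients plus one uplink port toward the gateway.
# Apply as root with:  c2c_rules <gateway-mac> <uplink-port> | sh

# Return 0 if $1 looks like a colon-separated MAC address, else 1.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Print the ebtables commands for gateway MAC $1 and uplink bridge port $2.
# Rule order matters:
#   1. frames from or to the gateway MAC are accepted;
#   2. broadcast/multicast frames (ARP, DHCP discover, ND) are accepted only
#      when they leave toward the uplink, so they still reach the gateway
#      but are not flooded to the other client ports;
#   3. everything else crossing the bridge is client-to-client and is dropped,
#      which also covers mDNS/link-local traffic between clients.
c2c_rules() {
    gw="$1"; up="$2"
    valid_mac "$gw" || { echo "bad gateway MAC: $gw" >&2; return 1; }
    [ -n "$up" ] || { echo "missing uplink port" >&2; return 1; }
    cat <<EOF
ebtables -t filter -N C2C_ISOLATE 2>/dev/null || ebtables -t filter -F C2C_ISOLATE
ebtables -t filter -A C2C_ISOLATE -s $gw -j ACCEPT
ebtables -t filter -A C2C_ISOLATE -d $gw -j ACCEPT
ebtables -t filter -A C2C_ISOLATE -o $up -j ACCEPT
ebtables -t filter -A C2C_ISOLATE -j DROP
ebtables -t filter -D FORWARD -j C2C_ISOLATE 2>/dev/null
ebtables -t filter -I FORWARD 1 -j C2C_ISOLATE
EOF
}

# When run directly with two arguments, print the ruleset; with no
# arguments only the functions are defined.
if [ "$#" -eq 2 ]; then
    c2c_rules "$1" "$2"
fi
```

Frames between two clients on the same AP reach this FORWARD chain only if the bridge actually forwards them; a wireless driver that relays station-to-station traffic inside the BSS bypasses the bridge, so on an AP the driver's own isolation setting has to be enabled as well (hostapd's `ap_isolate=1`, as an assumed platform detail). As the thread says, the rule has to be present on every switch and AP in the path, because any device that forwards without it reintroduces the direct client-to-client path.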