Re: Using netmask ffffffff
- From: Keve Nagy <see_my_sig@xxxxxxxxxxxx>
- Date: Fri, 23 Feb 2007 18:11:36 +0100
Hello Everyone,
A warm "thank you" to all of you who joined this thread! Your replies really helped me get outside of the box that my own basic assumptions had created around this topic.
In general, I am aware of most of the things I received in the replies. But I did realize I wasn't clear enough about what kind of help I actually expect and what I am planning to use it for, so here is some clarification.
I am not trying to use the /32 mask for my entire network. My internal network already uses the usual /24 - /29 subnets and I am happy with it. I am only trying to set up a number of new hosts on the LAN, for which I have certain expectations that differ from the usual machines on the network.
The new machines are "semi-public" workstations, for the use of visitors and temporary (short term) groups (like members of a one day conference).
The most important thing these new hosts need is connection to the outside world, for internet browsing, webmail access, fetch some documents from remote sites they forgot to bring with them for the conference, etc.
As an extra, it would be nice to give them access to some local devices (like printers, scanners, maybe some common diskspace).
Beyond these, the new hosts should not be able to directly contact each other or the majority (the rest) of my internal network.
                [FW]
                  |
    +------+------+------+------+
    |      |      |      |      |
  [H1]   [H2]   [H3]   [H4]   [H5]
The trouble is that even if I set up firewall rules to filter their traffic, they can still communicate behind the firewall directly through the switch they are all connected to, as only their internet traffic will go through the firewall.
I believe that this can be solved with a managed switch (at least I hope!), but for now I have to make do with unmanaged switches.
So this is where the idea of the ffffffff mask came to mind, as it prevents the hosts from seeing one another. I knew that from experience.
What I didn't get is how such a host can have a working route and have access to the internet, as in theory with an ffffffff mask it should be completely isolated and have nothing on its subnet except for itself, therefore there is no room (no IP in the same subnet) for the router.
So this is where I turned to the newsgroup for some brainstorming. :-)
I am also open to any other suggestion to solve the issue; this ffffffff netmask is just a thing I had in mind and planned to try if I can.
I was thinking about firewall solutions too, but the above-mentioned bypass issue came up as a theoretical problem rendering the idea useless in itself.
At the moment I have FreeBSD 6.2-PRERELEASE with pf and pf's built-in NAT on the firewall/gateway. But I discovered months ago that pf on FreeBSD is not yet able to do MAC (layer 2) filtering (pf on OpenBSD can do this according to the pf FAQ, but I have absolutely no experience with OpenBSD itself, so I try to avoid its use for now).
So, here I am with my theoretical problems, trying to find a possible solution. Any comment or suggestion related to this topic is welcome!
In the meantime I am digging into that RFC 1123, which seems to hold quite a lot of things I still don't know. :-)
Best regards,
Keve
--
if you need to reply directly:
keve(at)mail(dot)poliod(dot)hu
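An added example to go with the routing question in the post above (it is not part of Keve's message or of any reply in the thread): a small Python model of the host's longest-prefix-match routing decision, showing why an interface with netmask 0xffffffff leaves "no room for the router" until a /32 on-link route to the gateway is added, and what that does to traffic between two such hosts on the same unmanaged switch. The addresses (192.168.10.0/24, gateway .1, hosts .11 and .12), the interface name em0 and the FreeBSD commands quoted in the docstring are assumptions made for the example.

```python
"""Model of a host's IPv4 routing decision for a /32 interface address.

Added example; addresses, the em0 interface and the commands below are
constructed for illustration.  routing_table() mirrors the table these
FreeBSD commands would install (assumption, not taken from the thread):

    ifconfig em0 inet 192.168.10.11 netmask 0xffffffff
    route add -host 192.168.10.1 -iface em0
    route add default 192.168.10.1
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None: destination is on-link
    iface: str


def _netmask(mask: str) -> str:
    """Accept ifconfig-style hex (0xffffffff) as well as a dotted quad."""
    if mask.lower().startswith("0x"):
        return str(ipaddress.IPv4Address(int(mask, 16)))
    return mask


def routing_table(addr: str, mask: str, gw: str, iface: str = "em0",
                  host_route_to_gw: bool = True) -> List[Route]:
    """Interface route derived from addr/mask, an optional /32 on-link route
    to the gateway, and a default route through the gateway."""
    table = [Route(ipaddress.IPv4Network((addr, _netmask(mask)), strict=False),
                   None, iface)]
    if host_route_to_gw:
        table.append(Route(ipaddress.IPv4Network(gw + "/32"), None, iface))
    table.append(Route(ipaddress.IPv4Network("0.0.0.0/0"),
                       ipaddress.IPv4Address(gw), iface))
    return table


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over the table, as the kernel does."""
    d = ipaddress.IPv4Address(dst)
    matches = [r for r in table if d in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def next_hop(table: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Return (address to ARP for, interface), or None when the kernel would
    report the destination unreachable.  A route via a gateway is only usable
    if the gateway itself matches an on-link route; with a bare /32 interface
    address the default gateway fails that test."""
    r = lookup(table, dst)
    if r is None:
        return None
    if r.gateway is None:
        return (dst, r.iface)
    via = lookup(table, str(r.gateway))
    if via is None or via.gateway is not None:
        return None
    return (str(r.gateway), via.iface)


GW, H1, H2 = "192.168.10.1", "192.168.10.11", "192.168.10.12"


def demo() -> dict:
    """Three configurations of H1, and where its packets to H2 and to an
    outside address actually go."""
    plain24 = routing_table(H1, "255.255.255.0", GW)
    bare32 = routing_table(H1, "0xffffffff", GW, host_route_to_gw=False)
    fixed32 = routing_table(H1, "0xffffffff", GW)
    return {
        # /24: H2 is on-link, so H1 ARPs for H2 and the switch delivers the
        # frame directly; the firewall never sees it.
        "24_to_h2": next_hop(plain24, H2),
        "24_to_inet": next_hop(plain24, "203.0.113.7"),
        # /32 with no host route: the default gateway is not on-link, so
        # nothing beyond H1 itself is reachable.
        "32_to_h2": next_hop(bare32, H2),
        "32_to_inet": next_hop(bare32, "203.0.113.7"),
        # /32 plus the on-link host route to GW: everything, H2 included, is
        # handed to the firewall's MAC, where pf can filter it.
        "32fix_to_h2": next_hop(fixed32, H2),
        "32fix_to_inet": next_hop(fixed32, "203.0.113.7"),
    }


if __name__ == "__main__":
    for name, hop in demo().items():
        print(f"{name:14s} -> {hop}")
```

The model only describes the sending host's own routing decision. A visitor with administrative rights on H1 can widen the mask back to /24 or add a host route for H2 and reach the other workstations over the switch again, so the /32 trick steers well-behaved hosts through the firewall but does not enforce isolation; enforcement needs per-port isolation on a managed switch or a filtering point that every frame must cross.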