Honestly, iptables is too big of a pain in the ass. Or firewalld or whatever networking nonsense Linux has most recently cooked up. I have been using it for well over 20 years and hated every single minute of it.

I'd buy a cheap-ish* small form factor machine and run OpenBSD on it. Get a riser card and dual (or quad) ethernet if the 2 built-in aren't enough. Put a cheap 30 GB SSD in it and whatever cheap memory. Firewall/routers, unless you are doing heavy VPN stuff, do not need a lot of power. And OpenBSD's pf is infinitely better than iptables in every way imaginable. Plus you can use npppd to set up a drop-dead simple home VPN that works with the native clients in most OSes.

My home firewall/router/VPN box is a dual-core 1.5 GHz Atom with 4 GB of RAM and a really nice quad-port Intel ethernet card. It runs VPN (road warrior and site to site) and 3 home VLANs and even provides a netflow service that I watch over with nfsen. Rock solid.

Anyway, at least separate the firewall/router from your NAS/etc. box. You don't want your internet to go down when you are fucking with your main LAN server.

> Take it out of the same domain/workgroup. That will stop it sharing files.

And where did you get that tidbit of misinformation from?

What workgroup you're in has NOTHING to do with file sharing, and to be honest neither does the domain really - as long as you auth to the machine with a valid account you can access resources. A domain just makes it easier to give permissions since there is a central user base.

And this clearly does not isolate the machine from possible viruses or exploits of the ports they are listening on, i.e. the file sharing ports, etc. Not having a valid account to auth with will not always protect you from a virus/exploit - but it will protect you from that machine's virus infecting every file it has permission to, depending on what account it's logged in as, etc. So blocking the account the other machine logs in with from having file share access would provide some minor protection. But if using SFS, that's not possible - you would need to have Pro with the ability to give different accounts different access to files/shares, etc. But that would not protect you from an exploit using the file sharing ports, etc.

If your router does not allow you to set up VLANs and put access control lists between them, then you're going to need to run software firewalls on the machines or put them behind a NAT compared to the other machine. You would then need to do a port forward to allow printer access. Quite often this is port 9100; it would depend exactly on how you're sharing your printer - be it connected to a machine, or on a standalone print server device, or if the printer has its own network card, etc.

If you run software firewalls on your machines - just use them to block access from that one machine. Treating a machine(s) as hostile on the same local network is what software firewalls are good for!

One way, as mentioned, to put a line of protection between that machine and your other machines is to put the other machines behind another NAT router. But I would REALLY NOT suggest this - since double NAT comes with quite a few of its own headaches.

Your best bet is to get a router that supports LAN-to-LAN firewall rules. There are a few out there - but I'm not recalling any model numbers off the top of my head. Would have to look around for one that does - but they are out there for sure.

What router do you have now?

Follow up: Router that supports LAN-to-LAN firewall rules - yes I know this model is EOL, but it's an example of what I was talking about with LAN-to-LAN rules on a home-priced router.

Also if your router will run dd-wrt or openwrt you can set up VLANs and use iptables to deny specific traffic between the VLANs, etc. So you can accomplish what you want fairly simply with home-priced network equipment, to be sure. I do not believe the current web UI of dd-wrt supports LAN-to-LAN firewall rules? But it can be done from the command line after a bit of reading for sure. Or I do believe you can run Firewall Builder on it, which would give you a GUI for building your rules.

Another option would be to run a Linux distro as your router; ipcop I know allows for multiple segments and then rules between them. Any of the router distros should be able to do something as basic as this.

What I would suggest, if your current router does not support either dd-wrt or LAN-to-LAN rules, is - since you would need to buy another router to use the double NAT method anyway - to purchase one that allows for LAN-to-LAN filtering, or one that supports 3rd party firmware that will allow you to do it.
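The "VLANs plus iptables between them, with a hole for port 9100" approach from the post above, written out as an added example (this is not code from the thread or from any router firmware). It is a small generator script: it prints the iptables commands so the ruleset can be reviewed, checks that the printer exception sits before the drop rule, and only applies anything when explicitly told to. The interface names (`br0`, `br1`), subnets, printer address and the `VLAN_ISOLATE` chain name are assumptions for illustration; the `-m state` match is the classic form accepted by the iptables builds on these routers (newer iptables spells it `-m conntrack --ctstate`).

```shell
#!/bin/sh
# Added example, not code from the thread: inter-VLAN isolation for a
# dd-wrt/OpenWrt style router, written as a generator so the ruleset can be
# reviewed before anything touches the kernel. Every interface name, subnet
# and address below is an assumption; substitute your own.

TRUSTED_IF="br0"              # assumed: bridge holding your own machines
TRUSTED_NET="192.168.1.0/24"  # assumed
HOSTILE_IF="br1"              # assumed: bridge holding the untrusted VLAN
HOSTILE_NET="192.168.2.0/24"  # assumed
PRINTER="192.168.1.50"        # assumed: network printer on the trusted side
PRINTER_PORT="9100"           # raw/JetDirect printing, as the thread says
CHAIN="VLAN_ISOLATE"          # assumed chain name

# Print the iptables commands, one per line. Order matters:
#   1. replies to connections the trusted side opened are accepted,
#   2. the single printer exception is accepted,
#   3. everything else hostile -> trusted is logged (rate-limited) and dropped,
#   4. trusted -> hostile stays open so you can still manage the box.
# Hostile -> internet traffic matches none of the -o rules, so the chain
# returns and the router's existing FORWARD/NAT rules handle it as before.
# The two INPUT rules keep the hostile VLAN away from the router's own
# admin services while leaving DHCP/DNS reachable.
gen_rules() {
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || true
iptables -F $CHAIN
iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -i $HOSTILE_IF -o $TRUSTED_IF -s $HOSTILE_NET -d $PRINTER -p tcp --dport $PRINTER_PORT -m state --state NEW -j ACCEPT
iptables -A $CHAIN -i $HOSTILE_IF -o $TRUSTED_IF -m limit --limit 6/min -j LOG --log-prefix "vlan-isolate: "
iptables -A $CHAIN -i $HOSTILE_IF -o $TRUSTED_IF -j DROP
iptables -A $CHAIN -i $TRUSTED_IF -o $HOSTILE_IF -j ACCEPT
iptables -D FORWARD -j $CHAIN 2>/dev/null || true
iptables -I FORWARD 1 -j $CHAIN
iptables -D INPUT -i $HOSTILE_IF -p tcp -m multiport --dports 22,23,80,443 -j DROP 2>/dev/null || true
iptables -I INPUT 1 -i $HOSTILE_IF -p tcp -m multiport --dports 22,23,80,443 -j DROP
EOF
}

# Return 0 when the printer exception precedes the hostile->trusted DROP
# (so it can actually match), 1 otherwise.
check_order() {
    accept_at=$(gen_rules | grep -n -- "--dport $PRINTER_PORT" | cut -d: -f1 | head -n 1)
    drop_at=$(gen_rules | grep -n -- "-o $TRUSTED_IF -j DROP" | cut -d: -f1 | head -n 1)
    [ -n "$accept_at" ] && [ -n "$drop_at" ] && [ "$accept_at" -lt "$drop_at" ]
}

# Number of iptables commands the generator emits.
rule_count() {
    gen_rules | grep -c '^iptables '
}

# Feed the commands to a shell; only meaningful as root on the router.
apply_rules() {
    gen_rules | sh -e
}

case "${1:-}" in
    apply) check_order && apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it with no arguments to see the rules, and with `apply` on the router to install them; the `-D`/`-I` pairs make re-running it idempotent, so it can live in whatever hook the firmware offers for custom firewall rules (dd-wrt's saved firewall script, OpenWrt's firewall include). The same policy, expressed on each trusted host's software firewall as "drop everything from 192.168.2.0/24 except the replies to what I started", is the fallback the post describes for routers that cannot do VLANs at all.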