[Firehol-support] Routing between virtual interfaces

Carlos Rodrigues cefrodrigues at gmail.com
Sat Jan 24 20:58:52 GMT 2009


On Sat, Jan 24, 2009 at 5:41 PM, M. O. <mofog at hotmail.com> wrote:
>> If you cannot go the VLAN way, the only way to deal with this is just
>> do your configuration using just "eth0". You can have a route where
>> the in and out interfaces are the same, and you can control the flow
>> of traffic between subnets using "src" and "dst" with the "route"
>> commands.
>
> Would this really work? If all computer are situated in the very same subnet
> and they are connected by just one switch, how does the server have an
> influence on the flow of data? If there's a package coming from A directed
> to B, the switch will just put the package on the particular port B is
> connected to and the server (being conntected to the same switch on another
> port) won't even notice. Or am I mistaken?

For the switch, A and B are the source and destination mac addresses
contained in ethernet frames, which may or may not be the mac
addresses of the hosts you are calling "A" and "B".

Let me give you two examples:

1. Hosts A and B are on the same subnet. Host A sees that B's ip
address is on the same subnet, so it sends an ARP request to find B's
mac address. It then sends ethernet frames with B's mac address as
destination, containing ip packets with B's ip address as destination.
The switch sends these frames/packets to host B.

2. Hosts A and B are on different subnets. Host A sees that B's ip
address is on a different subnet, so it goes to the routing tables and
finds its default gateway (server C). Then it sends and ARP request to
find C's mac address. It then sends ethernet frames with C's mac
address as destination, containing ip packets with B's ip address as
destination. The server C receives these frames and basically does the
same as example 1.

So, when two hosts are on different subnets, it doesn't matter if the
physical link is the same or not, traffic will flow through C, so it
can be controlled there.

But, like I said before, without VLANs this separation is easily
broken by a malicous host, which only needs to change its ip address
to circumvent any controls imposed by the server.  But in your case
this risk may not be of concern, only you can tell.

-- 
Carlos Rodrigues




More information about the Firehol-support mailing list