[Tfug] Network partitioning

Zack Williams zdwzdw at gmail.com
Mon Nov 4 21:55:41 MST 2013


On Mon, Nov 4, 2013 at 1:28 PM, Bexley Hall <bexley401 at yahoo.com> wrote:
>(too early in the morning to be thinking about this stuff)

*cough* is the DST switch getting to you?  :D

> How do you get "internal" and "public" to talk to "shared"
> without allowing them to talk to each other?  Ditto talking
> to "exposed"?  And, prevent "exposed" from accessing "shared"?

The traditional way to do what you describe would be to dump "shared"
in a DMZ, forward only desired traffic to it from internal/public, and
allow only internet-directed traffic to external.

It sounds like you don't want this.  Are you dealing with protocols
that do service discovery based on broadcast traffic?  If so, you
could put them all in the same subnet, auto-learn the MAC addresses
of everyone on each physical segment via either DHCP reservations or
ARP discovery, and classify traffic on a per-segment basis.  OpenBSD's
pf could probably do this with some scripting.

- Zack
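A pf ruleset for the policy Bexley describes (internal and public each reach shared and exposed, never each other; exposed never reaches shared), as an added example that is not from this thread. It assumes one firewall interface per segment (em0..em4), constructed sample RFC 1918 subnets and service ports, and enforces the split with per-interface rules rather than the MAC-learning approach Zack mentions.

```pf
# Added example, not from the list thread. Interface names, subnets and
# ports below are constructed assumptions: one firewall interface per segment.
int_if = "em0"      # internal
pub_if = "em1"      # public
shr_if = "em2"      # shared
exp_if = "em3"      # exposed
ext_if = "em4"      # uplink to the Internet

int_net = "192.168.10.0/24"
pub_net = "192.168.20.0/24"
shr_net = "192.168.30.0/24"
exp_net = "192.168.40.0/24"

table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

shared_ports  = "{ 139, 445 }"   # services "shared" offers (assumption)
exposed_ports = "{ 80, 443 }"    # services "exposed" offers (assumption)

set skip on lo

# Default deny and log it; policy is enforced on the ingress interface.
block log all
pass out all            # admitted flows may leave on any interface

# internal and public may reach shared, on the listed services only.
pass in on $int_if proto tcp from $int_net to $shr_net port $shared_ports
pass in on $pub_if proto tcp from $pub_net to $shr_net port $shared_ports

# internal and public may reach exposed; no rule lets them reach each other.
pass in on $int_if proto tcp from $int_net to $exp_net port $exposed_ports
pass in on $pub_if proto tcp from $pub_net to $exp_net port $exposed_ports

# exposed may only send traffic toward the Internet; the explicit quick
# block keeps it away from shared even if a later rule is loosened.
block in quick log on $exp_if from $exp_net to $shr_net
pass in on $exp_if from $exp_net to ! <rfc1918>

# internal and public egress to the Internet via NAT on the uplink.
pass in on $int_if from $int_net to ! <rfc1918>
pass in on $pub_if from $pub_net to ! <rfc1918>
match out on $ext_if from { $int_net $pub_net $exp_net } nat-to ($ext_if)
```

Load with `pfctl -nf` first to syntax-check, and watch `pflog0` for the logged blocks to confirm nothing legitimate (for example a broadcast-based discovery protocol) is being dropped between segments.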
