[BBLISA] Limoncelli Article "Firewall is a Bridge"

John Stoffel john at stoffel.org
Mon Jul 18 11:44:13 EDT 2016


>>>>> "Daniel" == Daniel Feenberg <feenberg at nber.org> writes:

Daniel> On Mon, 18 Jul 2016, John Stoffel wrote:

>>>>>>> "Edward" == Edward Ned Harvey (bblisa4) <bblisa4 at nedharvey.com> writes:
>> 
>>>> From: bblisa [mailto:bblisa-bounces at bblisa.org] On Behalf Of Daniel
>>>> Feenberg
>>>> 
>>>> We'd like to isolate a few machines from the rest of our LAN without
>>>> renumbering them into a subnet.
>> 
Edward> I don't envy the IT person or new hire who inherits this
Edward> environment someday. I'm sorry my comment isn't constructively
Edward> adding to the direction you want to go - you're probably very
Edward> smart and have thought this through, and considered all the
Edward> pros and cons, and have good management (or you are yourself,
Edward> management)... And I'm sorry that this email will probably
Edward> spark a debate about whether you should or should not, and all
Edward> the reasons why, which will distract from the answer that you
Edward> actually want. That being said, it is almost never a good
Edward> management decision to do "tricks" and configure systems in
Edward> weird, uncommon, nonstandard ways that will be surprising or
Edward> confusing to new future people, or just a later version of
Edward> yourself, who forgot you previously did something weird. If I
Edward> were manager there, it would require a *very* compelling
Edward> reason to convince me this should be done.
>> 
>> Hear hear!  If you have machines you don't trust, why can't you
>> re-number them?

Daniel> We have been asked to isolate a small subset of
Daniel> machines. Renumbering everything else to isolate a few seemed
Daniel> infelicitous.

You misunderstand.  Renumber the machines to isolate, put them into
a private 192.168.x.y subnet.  Then put in a dedicated firewall/NAT
box listening on the original IPs, which filters the traffic.

>> Or even put them behind a NAT/Firewall that exposes
>> the original IPs for these hosts, but locks things down that way?

Daniel> That is what we would like to do. As I understand it using an
Daniel> ordinary bridge the original IPs to be exposed would have to
Daniel> be in a subnet, which they are not. Nor do we have the IP
Daniel> space available to make a new subnet for them. Hence the
Daniel> interest in a transparent bridge. But if we can use NAT for
Daniel> this purpose, we are interested.

With a proper firewall, you can put them into a new subnet and do the
routing/NATing on the firewall to lock them down.

You can even set up the NAT so that the old IPs go to their original
hosts.

John
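John's suggestion (renumber the isolated hosts into a private subnet, then have a firewall/NAT box answer on the original IPs and map each one to its new private address) as an added example that is not part of the thread; the interface names, addresses and ports are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit an nftables ruleset for a
# firewall/NAT box that answers on each isolated host's ORIGINAL LAN
# address and 1:1-NATs it to a new private address, filtering inbound.
# Interface names, addresses and ports below are constructed assumptions.

OUTSIDE_IF=eth0              # faces the existing LAN (original IPs live here)
INSIDE_IF=eth1               # faces the new private subnet
INSIDE_NET=192.168.50.0/24
# One line per isolated host: "original_ip private_ip allowed_tcp_ports"
HOST_MAP="203.0.113.10 192.168.50.10 22,443
203.0.113.11 192.168.50.11 443"

# Commands that make the box answer ARP for the original addresses.
emit_addresses() {
    echo "$HOST_MAP" | while read -r orig priv ports; do
        echo "ip addr add ${orig}/32 dev $OUTSIDE_IF"
    done
}
# nftables ruleset: DNAT inbound, SNAT outbound, default-deny forward chain.
emit_ruleset() {
    cat <<EOF
table ip isolate {
  chain prerouting { type nat hook prerouting priority -100;
EOF
    echo "$HOST_MAP" | while read -r orig priv ports; do
        echo "    iif $OUTSIDE_IF ip daddr $orig dnat to $priv"
    done
    cat <<EOF
  }
  chain postrouting { type nat hook postrouting priority 100;
EOF
    echo "$HOST_MAP" | while read -r orig priv ports; do
        echo "    oif $OUTSIDE_IF ip saddr $priv snat to $orig"
    done
    cat <<EOF
  }
  chain forward { type filter hook forward priority 0; policy drop;
    ct state established,related accept
EOF
    echo "$HOST_MAP" | while read -r orig priv ports; do
        echo "    iif $OUTSIDE_IF oif $INSIDE_IF ip daddr $priv tcp dport { $ports } ct state new accept"
    done
    cat <<EOF
    # isolated hosts may still open connections to the LAN; tighten to taste
    iif $INSIDE_IF oif $OUTSIDE_IF ip saddr $INSIDE_NET ct state new accept
  }
}
EOF
}
```

On the firewall box (as root) review the output, then apply it with `emit_addresses | sh` and `emit_ruleset | nft -f -`; the isolated hosts themselves must by then carry only their 192.168.50.x addresses, since the firewall now owns the original ones.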


