  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 435

Network Bridge flooding our network with traffic and broadcasts


Our network is connected via a bridge to another local government network, and we have no control of the bridging routers.

The other network is now flooding our network with broadcasts and we can see their network and they can see ours.

I want to be able to stop this (the broadcasts) and only allow certain ports through.

Our network is 10.2.0.0 and the other networks are 10.100.0.0 and 10.6.0.0.

Bearing in mind I have no control of the bridge and the other network cannot make any changes, what is the best way to do inline filtering/firewalling?

I did consider a Linux firewall with 2 network cards on a spare PC, but this is different from a normal configuration as both network cards would need to have 10.2.0.0 IP addresses.

Any thoughts?

Asked by: lhank
1 Solution
 
fitcher commented:
You will certainly have to insert something. A firewall will require you to allow access to the other side and will require coordination from them to access resources on both sides. I assume the bridge is there because it needs to be unmanaged access between the 3 subnets? A firewall will stop the broadcast traffic; however, you will have lots of connectivity issues to resolve one at a time, and depending on what resources are being shared you could end up with little gain.

If you don't share anything on their side, or them on yours, then put in a firewall and never hear from them again.
0
 
holger12345 commented:
As you speak of bridging, I consider your network to have a 255.0.0.0 subnet mask. Then there is no need to have a 10.2.x.x IP to reach any of your IPs, as there is no routing function.

It's a difficult situation, as you have to filter something, but you shouldn't do so, because then how do you distinguish between good and bad broadcasts? All will send broadcasts to 10.255.255.255, and you have to let this through if you want to connect to the other side.

In my opinion, you should subnet your network to a 255.255.255.0 subnet on both sides with a router in between.

regards
Holger
0
 
lhank (author) commented:
Thanks for the replies.

The networks were originally accessing each other's servers, but this is no longer the case.

The remote network no longer accesses anything on our network and we only use TCP port 3389 Terminal Services and TCP port 22 Telnet to access servers on theirs.

So inserting a firewall should not cause any issues, except blocking their traffic and only allowing the ports above through from ours.

I can't subnet our network as we inherited it and it is currently just a flat 10.2.0.0 setup. We have over 600 PCs and servers, and it is not going to be possible in the foreseeable future.

What I'm also asking is: can I use a Linux firewall with 2 network cards, or would I need something more specialised? If so, what?

Regards
LHank.
0
 
fitcher commented:
If you already know how to configure a Linux firewall then it should work. For my tax money :) I would put in a PIX of some kind; they are at least easy to configure. I would think any professional-level firewall would work.
A router will not work since there is no port control.
Linux has many free software bundles; however, in my searches to do this I did not find any free firewall packages (not an exhaustive search), and I spent a lot of time working to configure ipchains.
It can be a fun project, but I would make sure you had lots of time to do it.
0
 
holger12345 commented:
I think there will be trouble setting up a firewall... you can't route (and therefore distinguish) between two networks when they have the same network number (here 10.0.0.0/8).

Imagine the following constellation:

[your net PC1] ------ [linux firewall] ------ [their net PC2]

              PC1          FW (your side)   FW (their side)   PC2
IP:           10.2.0.1     10.2.0.100       10.100.0.100      10.100.0.1
Netmask:      255.0.0.0    255.0.0.0        255.0.0.0         255.0.0.0
Network:      10.0.0.0     10.0.0.0         10.0.0.0          10.0.0.0

If you now want to reach PC2 from PC1, you have to say to network 1:
"I'm searching for 10.100.0.1: go out and seek the network 10.0.0.0, because that is the network of the searched IP."
The Linux firewall will answer:
"Well, you have 10.0.0.0 on your own side; I don't route your packet anywhere (only if you insert a HOST route for this special HOST 10.100.0.1)."

c u l8r... I have to eat :-)
0
 
holger12345 commented:
Follow-up:
The Linux firewall will see no difference between both sides: both are 10.0.0.0/8, so both NICs of the FW will believe that the network 10.0.0.0 is on its side (and that is true!).

Does anybody know from his config that I'm wrong?
0
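Holger's objection above applies to a box that routes between its two NICs. The usual way out of it, with a box that bridges the two NICs at layer 2 and filters frames as they cross, is modelled below as an added example (this is not code from the thread or from any of the posters; the Frame and BridgeFilter names are this example's own, and on a real Linux host the same policy would be expressed as nftables bridge-family or ebtables rules rather than Python). The subnets and the two allowed TCP ports come from lhank's question and follow-up; the 255.0.0.0 mask is Holger's assumption. Because the box never chooses a route, the identical network number on both sides does not matter: it only decides pass/drop per frame, drops every broadcast coming from the far side, and lets only TCP 22 and 3389 sessions that our side opened (plus their replies) through.

```python
# Added model of a two-NIC transparent (bridging) filter for the thread's
# situation. Names and the Frame shape are this example's own assumptions;
# networks and ports are the ones lhank gave, the /8 mask is Holger's.
import ipaddress
from dataclasses import dataclass

OUR_NET = ipaddress.ip_network("10.2.0.0/16")
THEIR_NETS = [ipaddress.ip_network("10.100.0.0/16"),
              ipaddress.ip_network("10.6.0.0/16")]
ALLOWED_PORTS = {22, 3389}      # the only TCP services lhank's side still uses
FLAT_MASK = "255.0.0.0"         # the mask Holger assumes on both sides


def same_link_network(ip_a: str, ip_b: str, mask: str = FLAT_MASK) -> bool:
    """Holger's point: with a 255.0.0.0 mask every 10.x.x.x host is on-link,
    so a *routing* firewall has nothing to route between the two sites."""
    net_a = ipaddress.ip_network(f"{ip_a}/{mask}", strict=False)
    net_b = ipaddress.ip_network(f"{ip_b}/{mask}", strict=False)
    return net_a == net_b


@dataclass(frozen=True)
class Frame:
    """Constructed frame holding only the fields the policy inspects."""
    src: str
    dst: str                  # for ARP: the target protocol address
    proto: str                # "arp", "tcp", "udp", "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False         # TCP SYN without ACK: a new connection attempt
    broadcast: bool = False   # layer-2 broadcast (ARP request, 10.255.255.255, ...)


class BridgeFilter:
    """Stateful pass/drop policy applied to frames crossing the bridge."""

    def __init__(self):
        # TCP sessions opened from our side: (our_ip, their_ip, our_port, their_port)
        self.sessions = set()

    @staticmethod
    def _in_their_nets(ip) -> bool:
        return any(ip in net for net in THEIR_NETS)

    def decide(self, f: Frame, arriving_from: str) -> str:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if arriving_from == "theirs":
            if f.broadcast:                        # the flood itself: never forwarded
                return "DROP"
            if f.proto == "arp":                   # unicast ARP reply to one of our hosts
                return "ACCEPT" if dst in OUR_NET else "DROP"
            if f.proto == "tcp" and (dst, src, f.dport, f.sport) in self.sessions:
                return "ACCEPT"                    # reply to a session we opened
            return "DROP"                          # they may not initiate anything
        # arriving from our side
        if src not in OUR_NET:
            return "DROP"                          # spoofed or misconfigured source
        if f.proto == "arp":                       # our hosts must still resolve their MACs
            return "ACCEPT" if self._in_their_nets(dst) else "DROP"
        if f.broadcast:
            return "DROP"                          # do not leak our broadcasts either
        if f.proto == "tcp" and self._in_their_nets(dst) and f.dport in ALLOWED_PORTS:
            if f.syn:
                self.sessions.add((src, dst, f.sport, f.dport))
            return "ACCEPT" if (src, dst, f.sport, f.dport) in self.sessions else "DROP"
        return "DROP"


def run_demo():
    """Walk constructed frames through the filter; returns the decisions in order."""
    bf = BridgeFilter()
    frames = [
        ("theirs", Frame("10.100.0.7", "10.255.255.255", "udp", 137, 137, broadcast=True)),  # NetBIOS flood
        ("ours",   Frame("10.2.0.1", "10.100.0.1", "arp", broadcast=True)),                  # who has 10.100.0.1?
        ("theirs", Frame("10.100.0.1", "10.2.0.1", "arp")),                                  # unicast ARP reply
        ("ours",   Frame("10.2.0.1", "10.100.0.1", "tcp", 51000, 3389, syn=True)),           # RDP, new session
        ("theirs", Frame("10.100.0.1", "10.2.0.1", "tcp", 3389, 51000)),                     # RDP reply
        ("theirs", Frame("10.100.0.1", "10.2.0.5", "tcp", 40000, 3389, syn=True)),           # they try RDP to us
        ("ours",   Frame("10.2.0.1", "10.6.0.9", "tcp", 51001, 445, syn=True)),              # SMB, not on the list
    ]
    return [bf.decide(fr, side) for side, fr in frames]


if __name__ == "__main__":
    print(same_link_network("10.2.0.1", "10.100.0.1"))   # True: nothing to route on a /8
    print(run_demo())   # ['DROP', 'ACCEPT', 'ACCEPT', 'ACCEPT', 'ACCEPT', 'DROP', 'DROP']
```

Two design points carry over to a real deployment: ARP requests from our side are passed only when the target is in one of their ranges, so our own ARP chatter never leaks while RDP and SSH clients can still resolve the far-side servers, and the far side is never allowed to open a session, which is exactly the "block their traffic, allow our two ports" policy lhank described.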
 
lhank (author) commented:
Thanks again for the replies. I was hoping someone had heard of an inline firewall with port control, preferably using Linux (cheapest option, as we can't spend any money unless we really had to).

It looks like the best way to resolve this is to set up a Linux firewall and do some testing. As you said, Fitcher, it can be a fun project...

I'll wait a day or so for any more replies and then close the call.

Thanks for your advice Holger and Fitcher.
0
 
fitcher commented:
A PIX will do port translations, and will route a little if you think it through. The point is that a router routes. It decides what path a packet should be sent down (from more than one choice), and a firewall blocks traffic based on rules. Generally you can't use one for the other. No matter what you do, you will have to design your routing table. Your post said you were trying to stop broadcast traffic. A router will not do that. So you have decided to use Linux. You will need some sort of firewall software, because while you can easily devise a router, you still will not block the broadcast traffic. When I got started with a similar project I started looking for ipchains but never got that far before moving to a different task.

Good luck, you are about to know subnet masking cold.
0
