Network Bridge flooding our network with traffic and broadcasts


Our network is connected via bridge to another local government network and we have no control of the bridging routers.

The other network is now flooding our network with broadcasts and we can see their network and they can see ours.

I want to be able to stop this, the broadcasts, and only allow certain ports through.

Our network is 10.2.0.0 and the other network is 10.100.0.0 and 10.6.0.0.

Bearing in mind I have no control of the bridge and the other network cannot make any changes, what is the best way to do inline filtering/firewall?

I did consider a Linux firewall with 2 network cards on a spare PC, but this is different from a normal configuration as both network cards would need to have 10.2.0.0 IP addresses.

Any thoughts?

lhankAsked:
fitcherCommented:
You will certainly have to insert something. A firewall will require you to allow access to the other side and will require coordination from them to access resources on both sides. I assume the bridge is there because it needs to be unmanaged access between the 3 subnets? A firewall will stop the broadcast traffic; however, you will have lots of connectivity issues to resolve one at a time and, depending on what resources are being shared, could end up with little gain.

If you don't share anything on their side or them to you, then put in a firewall and never hear from them again.
holger12345Commented:
As you speak of bridging, I consider your network to have a 255.0.0.0 subnet. Then there is no need to have a 10.2.x.x IP to reach any of your IPs, as there is no routing function.

It's a difficult situation, as you have to filter something, but you shouldn't do so - because then, how do you distinguish between good and bad broadcasts? All will send broadcasts to 10.255.255.255 and you have to let this go through if you want to connect to the other side.

In my opinion, you should subnet your network to 255.255.255.0 subnets on both sides with a router in between.

regards
Holger
lhankAuthor Commented:
Thanks for the replies..

The networks were originally accessing each others servers, but this is no longer the case.

The remote network no longer accesses anything on our network and we only use TCP port 3389 Terminal Services and TCP port 22 Telnet to access servers on theirs.

So inserting a firewall should not cause any issues, except blocking their traffic and only allowing the ports above through from ours.

I can't subnet our network as we inherited it and it is currently just a flat 10.2.0.0 setup. We have over 600 PCs & servers, and it is not going to be possible in the foreseeable future.

What I'm also asking is, can I use a Linux firewall with 2 network cards or would I need something more specialised? If so, what?

Regards
LHank.
fitcherCommented:
If you already know how to configure a Linux firewall then it should work; for my tax money :) I would put in a PIX of some kind, they are at least easy to configure. I would think any professional level firewall would work.
A router will not work since there is no port control.
Linux has many free software bundles; however, in my searches to do this I did not find any free firewall packages (not an exhaustive search) and I spent a lot of time working to configure ipchains.
It can be a fun project, but I would make sure you had lots of time to do it.
holger12345Commented:
I think there will be trouble setting up a firewall ... you can't route (and therefore distinguish) between two networks, when they have the same network number (here 10.0.0.0/8).

Imagine the following constellation:

[your net PC1] ---------- [linux firewall] ---------- [their net PC2]

IP:        10.2.0.1      10.2.0.100   10.100.0.100     10.100.0.1
Netmask:   255.0.0.0     255.0.0.0    255.0.0.0        255.0.0.0
Network:   10.0.0.0      10.0.0.0     10.0.0.0         10.0.0.0

If you now want to reach PC2 from PC1, you have to say to the network1:
"I'm searching 10.100.0.1: go out and seek the network 10.0.0.0, because that is the network of the searched IP"
The linux firewall will answer:
"Well, you have 10.0.0.0 on your own side - I don't route your packet anywhere (only if you insert a HOST route for this special HOST 10.100.0.1)"

c u l8r... I have to eat :-)
holger12345Commented:
follow up:
The Linux firewall will see no difference between both sides - both are 10.0.0.0/8, so both NICs of the FW will believe that the network 10.0.0.0 is on their side (and that is true!).

Does anybody know from his config that I'm wrong?
lhankAuthor Commented:
Thanks again for the replies. I was hoping someone had heard of an inline firewall with port control, preferably using Linux (cheapest option as we can't spend any money unless we really had to).

It looks like the best way to resolve this is to set up a Linux firewall and do some testing. As you said Fitcher, it can be a fun project.....

I'll wait a day or so for any more replies and then close the call.

Thanks for your advice Holger and Fitcher.
fitcherCommented:
A PIX will do port translations, and will route a little if you think it through. The point is that a router routes. It decides what path a packet should be sent down (from more than one choice) and a firewall blocks traffic based on rules. Generally you can't use one for the other. No matter what you do you will have to design your routing table. Your post said you were trying to stop broadcast traffic. A router will not do that. So you have decided to use Linux. You will need some sort of firewall software because while you can easily devise a router you still will not block the broadcast traffic. When I got started with a similar project I started looking for ipchains but never got that far before moving to a different task.

Good luck, you are about to know subnet masking cold.
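A worked configuration for the two-NIC Linux box discussed in this thread, added here as an example and not taken from any of the posters: the two cards are joined into a Linux bridge, so the box forwards at layer 2 and never has to route between two halves of 10.0.0.0/8 (the problem Holger raised), ebtables drops IPv4 broadcast frames arriving from the remote side, and iptables lets only TCP 3389 and 22 from 10.2.0.0 out towards their subnets plus the replies. Interface names eth0/eth1, the /16 masks and a kernel with bridge-netfilter support are assumptions; by default the script only prints the commands it would run.

```sh
#!/bin/sh
# Added example (not from the thread): transparent bridging firewall between
# our 10.2.0.0 side and the remote 10.100.0.0 / 10.6.0.0 side. Both NICs are
# enslaved to one Linux bridge, so frames are forwarded at layer 2 and the box
# never has to route between two halves of 10.0.0.0/8.
# Assumptions: NIC names eth0/eth1, /16 masks, kernel with bridge-netfilter.
INSIDE=${INSIDE:-eth0}      # faces our 10.2.0.0 network (assumed name)
OUTSIDE=${OUTSIDE:-eth1}    # faces the other network's bridge (assumed name)
OUR_NET=10.2.0.0/16
REMOTE_NETS="10.100.0.0/16 10.6.0.0/16"
ALLOWED_PORTS="3389 22"     # the two services we still use on their side
DRY_RUN=${DRY_RUN:-1}       # 1 = print commands only; set to 0 to apply

# run: print the command in dry-run mode, otherwise execute it
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

setup_bridge() {
    run brctl addbr br0
    run brctl addif br0 "$INSIDE"
    run brctl addif br0 "$OUTSIDE"
    run ip link set "$INSIDE" up
    run ip link set "$OUTSIDE" up
    run ip link set br0 up
    # let bridged IPv4 frames pass through the iptables FORWARD chain
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

filter_rules() {
    # Layer 2: drop IPv4 broadcast frames entering from the remote side.
    # ARP is deliberately left alone so their hosts can still resolve our
    # MACs for the reply half of connections we open to them.
    run ebtables -A FORWARD -i "$OUTSIDE" -p IPv4 -d Broadcast -j DROP
    # Layer 3: default deny across the bridge, replies to our sessions allowed
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only our side may open TCP 3389 and 22 towards the remote subnets
    for net in $REMOTE_NETS; do
        for port in $ALLOWED_PORTS; do
            run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" \
                --physdev-out "$OUTSIDE" -s "$OUR_NET" -d "$net" \
                -p tcp --dport "$port" -j ACCEPT
        done
    done
}

setup_bridge
filter_rules
```

Run with `DRY_RUN=0` as root on the bridge box to apply; the remote side sees no routing hop and needs no change, which fits the constraint in the question.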