>>>>> "Daniel" == Daniel Feenberg <[email protected]> writes:

Daniel> On Mon, 18 Jul 2016, John Stoffel wrote:
>>>>>>> "Edward" == Edward Ned Harvey (bblisa4) <[email protected]> writes:
>>
>>>> From: bblisa [mailto:[email protected]] On Behalf Of Daniel
>>>> Feenberg
>>>>
>>>> We'd like to isolate a few machines from the rest of our LAN without
>>>> renumbering them into a subnet.
>>
Edward> I don't envy the IT person or new hire who inherits this
Edward> environment someday. I'm sorry my comment isn't constructively
Edward> adding to the direction you want to go - you're probably very
Edward> smart and have thought this through, and considered all the
Edward> pros and cons, and have good management (or you are yourself,
Edward> management)... And I'm sorry that this email will probably
Edward> spark a debate about whether you should or should not, and all
Edward> the reasons why, which will distract from the answer that you
Edward> actually want. That being said, it is almost never a good
Edward> management decision to do "tricks" and configure systems in
Edward> weird, uncommon, nonstandard ways that will be surprising or
Edward> confusing to new future people, or just a later version of
Edward> yourself, who forgot you previously did something weird. If I
Edward> were manager there, it would require a *very* compelling
Edward> reason to convince me this should be done.
>>
>> Hear hear! If you have machines you don't trust, why can't you
>> re-number them?

Daniel> We have been asked to isolate a small subset of
Daniel> machines. Renumbering everything else to isolate a few seemed
Daniel> infelicitous.

You misunderstand. Re-number the machines to isolate, put them into a
private 192.168.x.y subnet. Then put in a dedicated firewall/NAT box
listening on the original IPs, which filters the traffic.

>> Or even put them behind a NAT/Firewall that exposes
>> the original IPs for these hosts, but locks things down that way?

Daniel> That is what we would like to do. As I understand it, using an
Daniel> ordinary bridge the original IPs to be exposed would have to
Daniel> be in a subnet, which they are not. Nor do we have the IP
Daniel> space available to make a new subnet for them. Hence the
Daniel> interest in a transparent bridge. But if we can use NAT for
Daniel> this purpose, we are interested.

With a proper firewall, you can put them into a new subnet and do the
routing/NATing on the firewall to lock them down. You can even set up
the NAT so that the old IPs go to their original hosts.

John
_______________________________________________
bblisa mailing list
[email protected]
http://www.bblisa.org/mailman/listinfo/bblisa
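The 1:1 NAT John describes, written as an nftables ruleset for a Linux firewall box; this is an added illustration, not configuration from anyone in the thread. It assumes the firewall's LAN side is eth0, the isolated hosts sit behind eth1 in 192.168.50.0/24, the two old addresses are 203.0.113.10 and .11 (documentation range, chosen here as placeholders), and only SSH and HTTPS to the isolated hosts should remain reachable from the LAN.

```nft
#!/usr/sbin/nft -f
# Example 1:1 NAT + filtering for hosts moved into a private subnet.
# Constructed addresses: 203.0.113.x = old LAN IPs, 192.168.50.x = new IPs.
flush ruleset

table ip isolate {
    # old LAN address -> new private address (inbound DNAT)
    map old_to_new {
        type ipv4_addr : ipv4_addr
        elements = { 203.0.113.10 : 192.168.50.10,
                     203.0.113.11 : 192.168.50.11 }
    }
    # new private address -> old LAN address (outbound SNAT)
    map new_to_old {
        type ipv4_addr : ipv4_addr
        elements = { 192.168.50.10 : 203.0.113.10,
                     192.168.50.11 : 203.0.113.11 }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Traffic from the LAN to an old IP is rewritten to the new host.
        iifname "eth0" dnat to ip daddr map @old_to_new
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Replies and new outbound flows keep the old source address.
        oifname "eth0" snat to ip saddr map @new_to_old
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN -> isolated hosts: only the services you deliberately expose.
        iifname "eth0" oifname "eth1" ip daddr 192.168.50.0/24 \
            tcp dport { 22, 443 } ct state new accept
        # Isolated hosts -> LAN: log and drop anything not allowed above,
        # so the new segment cannot initiate connections into the LAN.
        iifname "eth1" oifname "eth0" log prefix "isolate-drop: " drop
    }
}
```

The firewall must also answer for the old addresses on eth0 (for example by adding them as secondary addresses there), and ip_forward must be enabled, or LAN hosts will never see their ARP replies and packets will not be routed.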
