Friday, January 8, 2021

How would you isolate a device from its own vlan?

I know this sounds stupid, and that the answer is "make another vlan", but hear me out:

A client wants a machine in the DMZ to be accessible from the internet (web server), but not able to talk to other devices in the DMZ for what are basically political reasons.

A new DMZ vlan means changes to the firewall, routing, and a few switches right before we're supposed to "lock down" configs for the season due to the nature of our work. It's a medium-sized project at a moment where there's no time to do it (and who wants a new vlan for a single machine?)

An obvious answer is the machine's local firewall, but the client wants some network segmentation too.

Next I thought of Port ACLs, which I haven't used much before so excuse me if what follows is idiotic. I made one that was basically:

permit [gateway MAC] any
deny any any

With the reasoning that any L3 traffic would have to be sourced from the gateway (maybe I'm wrong about this).

The PACL did its job except it killed their outgoing internet too. Perhaps because broadcasts aren't getting through?

A last way I thought of was to put a small firewall between the hosts and the rest of the network. That also feels sloppy, but the client likes this idea for some reason.

Anyway I'm sure there's a better way to do this but I'm blanking. Any help would be appreciated, since I've never been asked to do something like this before.
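An added illustration (editor's example, not code from the post or the switch vendor) of why the two-line PACL above behaves as described: it is evaluated against the frames the host itself sends, where the source MAC is the host's, never the gateway's, so the first rule never matches and everything falls through to the deny. The model assumes first-match semantics with an implicit deny and uses constructed MAC addresses; it also shows a destination-keyed variant that lets the host reach the gateway and ARP for it.

```python
from dataclasses import dataclass

# Constructed addresses for the simulation (not from the post).
GATEWAY = "00:11:22:33:44:01"   # DMZ gateway MAC
HOST = "00:11:22:33:44:10"      # the web server being isolated
OTHER = "00:11:22:33:44:20"     # another host in the same DMZ vlan
BCAST = "ff:ff:ff:ff:ff:ff"     # broadcast, used by ARP requests


@dataclass
class Rule:
    action: str   # "permit" or "deny"
    src: str      # source MAC or "any"
    dst: str      # destination MAC or "any"


def matches(rule: Rule, src: str, dst: str) -> bool:
    return (rule.src in ("any", src)) and (rule.dst in ("any", dst))


def evaluate(acl: list, src: str, dst: str) -> str:
    """First matching rule wins; no match means implicit deny."""
    for rule in acl:
        if matches(rule, src, dst):
            return rule.action
    return "deny"


# Frames the host must be able to send to reach the internet, plus one it must not.
# Each entry is (source MAC, destination MAC) as the switch port sees it inbound.
FRAMES = {
    "arp_request_for_gateway": (HOST, BCAST),
    "ip_to_gateway": (HOST, GATEWAY),
    "ip_to_other_dmz_host": (HOST, OTHER),
}

# The PACL as posted: permit frames *sourced from* the gateway, deny the rest.
POSTED_ACL = [Rule("permit", GATEWAY, "any"), Rule("deny", "any", "any")]

# Destination-keyed variant: frames *to* the gateway, plus broadcast so ARP can resolve it.
DEST_KEYED_ACL = [Rule("permit", "any", GATEWAY),
                  Rule("permit", "any", BCAST),
                  Rule("deny", "any", "any")]


def evaluate_all(acl: list) -> dict:
    """Map each sample frame name to the ACL's verdict for it."""
    return {name: evaluate(acl, src, dst) for name, (src, dst) in FRAMES.items()}


if __name__ == "__main__":
    print("posted:    ", evaluate_all(POSTED_ACL))
    print("dest-keyed:", evaluate_all(DEST_KEYED_ACL))
```

The destination-keyed variant still lets the host's broadcast frames reach the other DMZ hosts, and an inbound port ACL says nothing about frames those hosts send toward it, so it narrows the host's unicast reach rather than providing full isolation in both directions.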
