The Cache: Technology Expert's Forum
 
Topic: routing / subnet question
perkiset
« on: May 19, 2009, 11:08:58 AM »

Alright, it's true. I'm a subnet wuss.

What I want to do is to lock down an IPCop VPN to a single address - in other words, I'd like to provide a VPN that has access to one single box behind my firewall.

So my assumption is that my subnet mask would be 255.255.255.255 - is this correct? I realize that if the logees-in on that box managed to get shell access then they could crawl the rest of my net, but I am not terribly concerned about that because of what the device is (a specialized, custom 3D ultrasound device) and who the logees would be.

As a matter of fact, if anyone would like to take the time to school my subnet-n00bness to any greater degree, I'd really appreciate it.

It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
isthisthingon
« Reply #1 on: May 19, 2009, 11:47:31 AM »

Wish I could help here. I'm signing up for the same class myself :)

Looking forward to any replies on this...

I would love to change the world, but they won't give me the source code.
nutballs
« Reply #2 on: May 19, 2009, 04:23:21 PM »

Yes, 255.255.255.255 is 1 IP.

However, why bother?
Subnets are just meant to segregate networks, but they can still generally browse each other if they reside on the same switch. A router of course can generally set routing tables, and you can set segregation rules to prevent subnets from ever communicating.

However, if you have a concern, you can put the device behind a NAT (ghetto configurable switch method).

Ping for chat if you want.


I could eat a bowl of Alphabet Soup and shit a better argument than that.
vsloathe
« Reply #3 on: May 20, 2009, 10:06:40 AM »

Subnets won't talk to each other by default if they're using two different NAT tables.

Not sure what you're asking. Sounds like you have at least a tenuous grasp of how subnets work, though I prefer the shorthand notation, which in your case would be (don't know what your base IP is but I'm guessing)

10.15.10.1/32

Do you want to have a different subnet mask for that one machine as opposed to the others? Don't confuse subnets with subnet masks either. Even if your subnet mask is a subset of another subnet mask, as long as the more restrictive mask is included in the less restrictive subnet IP range, the wider subnet will consider the smaller subnet part of itself while the smaller subnet will refuse to recognize IPs from the larger subnet as valid, which could cause some very odd behavior.


hai
perkiset
« Reply #4 on: May 20, 2009, 10:21:35 AM »

Just got off the horn with NBs and I'm all clear now. Thanks for the post VS - it was a segregation issue, combined with my lack of understanding what subnets really do.

To recap, for readers that are equally naive: subnets are simply a "quieting filter" for the router in control of your local network. As an example, if you have a subnet of 255.255.255.0 then any machine with an address with the same 3 octets as you can be conversed with without the involvement of the gateway router. It does not mean that they are segregated at all.

So, if you had two machines on your net - 1 addressed as 216.20.43.111 and another at 10.17.242.11 - and they both had a subnet of 0.0.0.0 and the gateway router saw a subnet mask of 0.0.0.0 on the same side of the net that those two machines lived on, then no traffic would be routed out of the router and the two machines could talk to each other perfectly.

Conversely, if you put a subnet mask of 255.255.255.255 on a machine, then every single network request, even for a machine that was right next to it, on the same network just one digit away, would need to be spoken with via the router.

So the answer to my question was that if I really wanted to segregate that machine, I'd need all machines to be on a different subnet than (the machine I'm trying to segregate) and then add routing tables that passed any requests from the target machine to local machines next to it into space (non-routable addresses pushed into the public space works well) - effectively making it unable to talk to anything other than the router.

Rather complicated and not the best solution.

Personally, I love the notion of what goes around comes around, so it was with a smile on my face that Nutballs reminded me of the ability for IPCop to have several networks, and one of the best solutions here was to put the target machine in a physically-DMZd network hanging off the IPCop router. That would isolate it utterly, yet allow it access to the net.

Thanks Nuts for the assistance! Hope this made sense to anyone else reading.
nutballs
« Reply #5 on: May 20, 2009, 10:33:40 AM »

And to recap my 2c:

Right V, except you're assuming a router. Under a switch or hub, subnets talk because there is no discrimination and all negotiation is broadcast-spammed (at least initially).

Also, subnets do talk, with a simple example:
The interwebs. If subnets didn't talk, you could never talk to the internets, which are on a different subnet from your desktop (most likely).

I actually chatted with perk and I think he has a few ideas of how to deal with his specific issue.

It's one of those subjects that you never really bother with until you find you need it, and it is made overly complicated by those network admins out there trying to keep it voodoo.

The short version is that a subnet/mask is a way to reduce traffic past an edge router. It allows you to build smaller networks that can be managed from a higher level, instead of at the granular, single-machine level, which you could do if you set every machine to 255.255.255.255.
But you also might like punching yourself in the nuts if you do that.

It allows the routing to trickle down from a gross level to a single machine, without nearly the overhead a non-subnet system would have, like setting your router subnet to 0.0.0.0, which would make every single request figure out if it needs to be routed out or in.
The core routers don't even set 0.0.0.0.
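The on-link decision that Replies #3, #4 and #5 talk around, written out as an added Python example (not code from the thread, from IPCop, or from any poster). The host addresses, the gateway 10.15.10.254 and the function names are constructed for illustration; the standard library `ipaddress` module does the mask arithmetic.

```python
"""Added example: which destinations a host's subnet mask marks as on-link
(deliver directly) versus off-link (hand to the default gateway).
All addresses here are constructed; they are not the poster's network."""
import ipaddress

# Constructed gateway address for the sample /24.
GATEWAY = "10.15.10.254"


def prefix_len(mask: str) -> int:
    """Dotted-decimal mask -> CIDR prefix length, e.g. 255.255.255.0 -> 24."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def on_link(local_ip: str, local_mask: str, remote_ip: str) -> bool:
    """True if a host configured as local_ip/local_mask treats remote_ip as
    part of its own subnet (it will ARP for it and deliver directly).
    False means the host sends the packet to its default gateway instead."""
    net = ipaddress.IPv4Interface(f"{local_ip}/{local_mask}").network
    return ipaddress.IPv4Address(remote_ip) in net


def next_hop(local_ip: str, local_mask: str, gateway: str, remote_ip: str) -> str:
    """Describe the first hop a packet from local_ip takes toward remote_ip."""
    if on_link(local_ip, local_mask, remote_ip):
        return "direct"
    return f"via {gateway}"


def direct_both_ways(a_ip: str, a_mask: str, b_ip: str, b_mask: str):
    """(A reaches B directly?, B reaches A directly?). A result such as
    (True, False) is the one-sided view that mismatched masks on the same
    wire produce: the wider subnet still 'owns' the narrower host."""
    return on_link(a_ip, a_mask, b_ip), on_link(b_ip, b_mask, a_ip)


if __name__ == "__main__":
    cases = [
        # /24 neighbour: delivered directly, the router never sees it
        ("10.15.10.1", "255.255.255.0", "10.15.10.2"),
        # different third octet: off-link, goes to the gateway
        ("10.15.10.1", "255.255.255.0", "10.15.11.2"),
        # /32: even the host next door is off-link from this host's view
        ("10.15.10.1", "255.255.255.255", "10.15.10.2"),
        # 0.0.0.0 mask: everything, even a completely different range, is on-link
        ("216.20.43.111", "0.0.0.0", "10.17.242.11"),
    ]
    for local, mask, remote in cases:
        print(f"{local}/{prefix_len(mask)} -> {remote}: "
              f"{next_hop(local, mask, GATEWAY, remote)}")

    # The asymmetry: the /32 box sends everything via the router, but its /24
    # neighbour still ARPs for it directly. The mask isolates nothing.
    print(direct_both_ways("10.15.10.1", "255.255.255.0",
                           "10.15.10.2", "255.255.255.255"))
```

Running it shows why a 255.255.255.255 mask on the target box changes only that box's own next hop: its /24 neighbours still consider it on-link and reach it directly, which is the segregation gap the thread ends up closing with a separate IPCop network rather than with a mask.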
vsloathe
« Reply #6 on: May 20, 2009, 11:39:47 AM »

Well yes they talk, but re-read my example.

It would create problems and definitely add overhead to your requests.

That's all I was trying to communicate, though I don't think I understood exactly what perks was asking for.
nutballs
« Reply #7 on: May 20, 2009, 12:33:26 PM »

Yep, I get it V. You and I are saying the same thing.