Ahh - that's going to be a bit difficult.  You see, the only time traffic
goes THROUGH the router is when it is between different subnets.  Let's
look at what happens on a host when it wants to transmit a packet to
another host.

The sending host obtains (via DNS or some other mechanism) the IP address
of the destination host, and its own subnet mask (the sender's).  It then
compares its address and the recipient's address and sees if they are the
same up to the mask's number of bits.  If they are, the two hosts are on the
same subnet, and the sending host gets the link address of the recipient
host (by looking in its ARP table or ARPing for it, if we are on an
Ethernet).  It then sends the packet DIRECTLY to that host, and the
router(s) on the network never see it.  The only time when the router would
see the packet (and be able to act on it, like block telnet, etc) is if the
sending host and receiving host were on different subnets (the address
comparison I mentioned earlier didn't match for all the subnet mask bits).
Then the sending host looks up its router (via its routing table) that
knows how to get to the desired subnet, and sends the packet to the router.

For example, assume the following settings:

sender IP address:  10.10.10.2
sender subnet mask: 26 bits
recipient 1 IP address: 10.10.10.4
recipient 2 IP address: 10.10.10.129

Since the sender's subnet encompasses all hosts from 10.10.10.0 through
10.10.10.63, then packets between the sender and recipient 1 would go
directly between those two hosts and ignore the router.

Since the sender's subnet does NOT encompass recipient 2, then the packets
from sender to recipient 2 would traverse the router, and then the router
could do something like "block telnet."

There are ways around this (such as proxy ARP, L3-aware filtering on the L2
switch, etc).  However, the easiest approach is just to turn off the telnet
daemon on the boxes that you don't want telnetable.

Chris
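To make the mask comparison concrete, here is an added example (not code from Chris's post or from the Vyatta project) that performs the same bit-by-bit check a sending host does, using the 10.10.10.2/26 values from the post; the function names are my own.

```python
# Added example (not from the original post): emulates the decision a
# sending host makes before transmitting. The addresses and the 26-bit mask
# are the constructed values used in the post above.
import ipaddress


def same_subnet(sender_ip: str, prefix_len: int, dest_ip: str) -> bool:
    """True if both addresses agree in their first prefix_len bits."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    src = int(ipaddress.IPv4Address(sender_ip))
    dst = int(ipaddress.IPv4Address(dest_ip))
    return (src & mask) == (dst & mask)


def subnet_range(sender_ip: str, prefix_len: int) -> tuple[str, str]:
    """First and last address covered by the sender's subnet."""
    net = ipaddress.IPv4Network(f"{sender_ip}/{prefix_len}", strict=False)
    return str(net.network_address), str(net.broadcast_address)


def next_hop(sender_ip: str, prefix_len: int, dest_ip: str) -> str:
    """'direct': the host ARPs for the destination and the router never
    sees the packet. 'router': the packet is handed to the router, where a
    firewall rule (e.g. "block telnet") can act on it."""
    if same_subnet(sender_ip, prefix_len, dest_ip):
        return "direct"
    return "router"


def router_filterable(sender_ip: str, prefix_len: int,
                      dests: list[str]) -> list[str]:
    """Destinations whose traffic a router-hosted firewall can block."""
    return [d for d in dests if next_hop(sender_ip, prefix_len, d) == "router"]


if __name__ == "__main__":
    sender, bits = "10.10.10.2", 26
    recipients = ["10.10.10.4", "10.10.10.129"]
    print("sender subnet covers", subnet_range(sender, bits))
    for dest in recipients:
        print(f"{sender} -> {dest}: {next_hop(sender, bits, dest)}")
    print("router can filter:", router_filterable(sender, bits, recipients))
```

Hosts on the same /24 (as in the original poster's 192.168.1.0 LAN, if it uses a 24-bit mask) all come back as "direct", which is exactly why a firewall on the router cannot see that telnet traffic.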


--On 29 January 2008 12.00.01 -0800, Someone claiming to be
[EMAIL PROTECTED] opined:

> Hi
>
>  I want to configure my firewall so that it blocks the internal systems
> from telnet'ing each other.
>
> My config is
>
>  eth0 >>192.168.10.45 (acting as WAN)
>  eth1 >> 192.168.1.1 (Internal Lan)

-- 
Check my PGP key here:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xCB67593B
_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users