On 2017-03-19 11:19, Bjoern Voigt wrote:
> Carlos E. R. wrote:
>> Yes, IMO, if you want separation the firewall is not the tool. You need separate cables. Any machine connected to the cable can listen to things that are not for it if it wishes.
>> As far as the firewall is concerned, my policy is to close all, and open only the needed ports, if possible only from the IPs that need access.
> Yes, but this is not what I wanted to hear. ;-)
> I am not looking for a perfect separation for my SOHO network. I am looking for an easy solution which provides better security than the current solution, where SuSEfirewall has only one set of rules for trusted, untrusted and Internet hosts.
> So for instance an Android app which has hidden spyware capabilities should not query a list of my DLNA shared videos and send it to its master. (DLNA shares usually have no password/PIN.) This spyware is probably not powerful enough to fake the MAC address of the smartphone or to hack the router.
Then you need one VLAN with the wifi AP that the phone uses, with no access to another VLAN that has the machines with your videos. But this also means you cannot send files via wifi to your Android, or watch videos on the tablet.

-- 
Cheers / Saludos,
Carlos E. R.
(from 42.2 x86_64 "Malachite" (Minas Tirith))
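An added example, not from either poster, of what Carlos's VLAN split looks like as an nftables ruleset on a Linux router that also follows his "close all, open only what is needed" policy. The interface names, the two subnets, the media server address 192.168.10.5 and the DLNA port 8200 (minidlna's default) are assumptions; the wifi AP is assumed to sit on VLAN 20.

```nftables
#!/usr/sbin/nft -f
# Assumed layout (not from the thread):
#   eth0.10  192.168.10.0/24  trusted VLAN, media/DLNA server at .5
#   eth0.20  192.168.20.0/24  wifi VLAN (phones, tablets)
#   eth1     upstream Internet link
flush ruleset

table inet soho {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # The router itself only serves DHCP/DNS to both VLANs ...
        iifname { "eth0.10", "eth0.20" } udp dport { 53, 67 } accept
        # ... and SSH only from the trusted VLAN
        iifname "eth0.10" tcp dport 22 accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Both VLANs may reach the Internet
        iifname { "eth0.10", "eth0.20" } oifname "eth1" accept
        # Trusted may open connections towards wifi (e.g. push a file
        # to the phone); replies come back via the established rule
        iifname "eth0.10" oifname "eth0.20" accept
        # Wifi -> trusted: nothing. The phone cannot list or fetch the
        # DLNA shares. This is the trade-off Carlos describes: a tablet
        # on wifi cannot stream videos either. Exposing only the server
        # and its DLNA port re-opens exactly what the question wanted
        # closed, so it is left commented out here:
        # iifname "eth0.20" oifname "eth0.10" ip daddr 192.168.10.5 tcp dport 8200 accept
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "eth1" masquerade
    }
}
```

DLNA discovery (SSDP) is link-local multicast and is not routed between the VLANs at all, so with this ruleset a device on wifi neither discovers nor reaches the server; note that the `policy drop` on the input chain also applies to the router's own services on every VLAN.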