[KLUG Members] Multiple networks on a single switch?

Adam Tauno Williams members@kalamazoolinux.org
Mon, 3 Mar 2003 19:27:31 -0500


>Rather than mess around with the distro I am using, I am looking at some of
>the newer LEAP distros, some of which come with Shorewall. I was reading
>the Shorewall docs for a three interface configuration (PPP, DMZ, LOC). The
>Shorewall docs said "Do not connect more than one interface to the same hub
>or switch (even for testing). It won't work the way you expect it to and you
>will end up confused and believing that Shorewall doesn't work at all."

That's just silly.  If I plug two interfaces from one host into the same
switch/hub it will work exactly as I expect it will.

>Now, I can understand why putting two interfaces on a hub would cause many
>problems (hubs basically repeat anything coming in on one port out to all
>the rest of the ports). But I don't understand why I couldn't use a single
>48 port switch to connect to two interfaces on different networks (DMZ and
>LOC). I would think that the switch routing table should be smart enough to
>know which ports belong to which network and only push network broadcasts
>out to the appropriate ports.

Because there isn't any mechanism stopping the sending of packets you don't
intend across the switch.  It just isn't secure.

>Am I attributing too much intelligence to the switch?

Not if your switch supports VLANs.

>I don't see how the problem could be with Shorewall since the router decides
>which packets go to which ports.

It isn't a "problem", it is just easily overcome via packet forging.

>Before I get myself in a real mess, could someone please enlighten me as to
>why I couldn't or shouldn't use a single switch connected to two interfaces
>on a Shorewall three interface firewall?

You could but you wouldn't really be creating a DMZ.
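The point made in this reply, as an added example that is not part of the original post or of Shorewall: a switch forwards on destination MAC and VLAN membership and never looks at IP subnets, so on an unmanaged switch a host on the DMZ side only has to address its Ethernet frames to the LOC host's MAC (a local route such as `ip route add 192.168.1.0/24 dev eth0` is enough) to step around the firewall entirely. The simulation below models a learning switch once with every port in a single VLAN (unmanaged) and once with port-based VLANs, and shows that the forged path works in the first case and is confined in the second while the legitimate path through the firewall works in both. All port numbers, MAC addresses and IP addresses are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed topology (assumption, not from the post): one physical switch.
#   port 1: firewall eth1, LOC side (192.168.1.1)   port 3: LOC workstation (192.168.1.10)
#   port 2: firewall eth2, DMZ side (10.0.0.1)      port 4: DMZ web server (10.0.0.10)
PORTS = {1: "fw-loc", 2: "fw-dmz", 3: "loc-host", 4: "dmz-host"}
MACS = {
    "fw-loc":   "02:00:00:00:00:01",
    "fw-dmz":   "02:00:00:00:00:02",
    "loc-host": "02:00:00:00:00:03",
    "dmz-host": "02:00:00:00:00:04",
}
MAC_TO_PORT = {MACS[name]: port for port, name in PORTS.items()}


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    payload: str  # e.g. "ARP who-has 192.168.1.10" or "IP 10.0.0.10 -> 192.168.1.10"


@dataclass
class Switch:
    """A learning switch. port_vlan maps each port to its VLAN ID.

    An unmanaged switch is modelled as every port sitting in VLAN 1. The switch
    never inspects the IP header: it learns source MACs per VLAN, forwards known
    unicast to the learned port, and floods broadcast/unknown unicast to the
    other ports of the same VLAN only.
    """
    port_vlan: dict[int, int]
    fdb: dict[tuple[int, str], int] = field(default_factory=dict)

    def forward(self, in_port: int, frame: Frame) -> list[int]:
        vlan = self.port_vlan[in_port]
        self.fdb[(vlan, frame.src_mac)] = in_port  # learn where the sender lives
        members = [p for p, v in self.port_vlan.items() if v == vlan and p != in_port]
        if frame.dst_mac == BROADCAST:
            return members
        known = self.fdb.get((vlan, frame.dst_mac))
        if known is None:
            return members  # unknown unicast: flood, but only inside this VLAN
        return [known] if known != in_port else []


def unmanaged_switch() -> Switch:
    return Switch({1: 1, 2: 1, 3: 1, 4: 1})


def vlan_switch() -> Switch:
    # LOC ports in VLAN 10, DMZ ports in VLAN 20; only the firewall is in both.
    return Switch({1: 10, 3: 10, 2: 20, 4: 20})


def dmz_host_reaches_firewall(switch: Switch) -> bool:
    """Legitimate path: the DMZ host addresses frames to the firewall's DMZ MAC."""
    dmz_port, fw_port = MAC_TO_PORT[MACS["dmz-host"]], MAC_TO_PORT[MACS["fw-dmz"]]
    switch.forward(fw_port, Frame(MACS["fw-dmz"], BROADCAST, "ARP who-has 10.0.0.10"))
    pkt = Frame(MACS["dmz-host"], MACS["fw-dmz"], "IP 10.0.0.10 -> 192.168.1.10")
    return switch.forward(dmz_port, pkt) == [fw_port]


def dmz_host_bypasses_firewall(switch: Switch) -> bool:
    """Forged path: the DMZ host ARPs for the LOC host and then sends the IP
    packet in a frame addressed to the LOC host's MAC, never touching the
    firewall. Returns True if that frame is delivered to the LOC host's port."""
    dmz_port, loc_port = MAC_TO_PORT[MACS["dmz-host"]], MAC_TO_PORT[MACS["loc-host"]]
    arp = Frame(MACS["dmz-host"], BROADCAST, "ARP who-has 192.168.1.10")
    if loc_port not in switch.forward(dmz_port, arp):
        return False  # the LOC host never heard the request, so it never replies
    # The ARP reply teaches the switch which port owns the LOC host's MAC.
    switch.forward(loc_port, Frame(MACS["loc-host"], MACS["dmz-host"], "ARP reply"))
    direct = Frame(MACS["dmz-host"], MACS["loc-host"], "IP 10.0.0.10 -> 192.168.1.10")
    return loc_port in switch.forward(dmz_port, direct)


if __name__ == "__main__":
    for label, build in (("unmanaged", unmanaged_switch), ("VLAN", vlan_switch)):
        print(f"{label:9s} switch: via firewall={dmz_host_reaches_firewall(build())}"
              f"  bypass firewall={dmz_host_bypasses_firewall(build())}")
```

The forged path needs nothing more than a route and a MAC; no exploit, no switch compromise. That is why the reply says you would not really be creating a DMZ: the segmentation exists only in the firewall's routing table, and the firewall is not on the path the attacker chooses. With port-based VLANs (or separate physical switches) the DMZ host's broadcasts and unicast frames can only land on ports of its own VLAN, so the firewall becomes the only way across.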