On Sun, 28 Jun 2020 10:45:51 -0600
Grant Taylor wrote:
> On 6/28/20 7:45 AM, Ahem A Rivet's Shot wrote:
> > The only other real option is VLANs and a smart switch - USB ethernet
> > is simpler.
>
> It's possible to do this on a single Ethernet connection. It just takes
> more knowledge and a little more work.
It also entails more risk.
> It's entirely possible to rely on /protocol/ isolation to do what the OP
> wants on a /single/ common network.
Yes it is - but it is even more fragile from a security perspective
than VLANs.
> Hosts A and B can communicate with each other over IPv4 and hosts B and
> C can communicate with each other over IPv6. If host A has zero IPv6
> support and host C has IPv4 completely disabled, there is no way for
> hosts A and C to talk directly to each other.
Apart from promiscuous mode and/or packet injection.
> It's even possible to do this with IPv4. Configure completely different
> subnets. Configure firewalling so that hosts A and C block any and all
> traffic from each other. Or better, configure hosts A and C so that
> they only allow traffic from B.
One glitch in the firewall rules and it all falls open.
> > That depends - if both networks have DHCP servers then just configure
> > the new interface to use DHCP (probably default), plug it in and
> > watch it connect.
>
> Your suggestions are correct for many environments. However I suspect
> that the OP's environment is decidedly different. If the OP has three
> devices, hosts A, B, and C cabled together (in a daisy chain), chances
> are quite good that there won't be a DHCP server.
The OP explicitly mentions two subnets - so that doesn't fit.
> > You would have to do extra work to get packets passed between them.
>
> Linux (and most other OSs) simply need a setting changed. It's not as
> if the OP needs to do something to allow each and every connection.
That is indeed the extra work - my point is that it won't just
happen.
> I sort of suspect that the OP might prefer an (S)FTP(S) server over
> Samba. Both Samba and NFS (NAS protocols) can easily have their files
> modified (presuming the user has permission) with non-network-aware
> scripts / programs. Conversely, (S)FTP(S) is typically not a mounted
> file system. As such, there is an access barrier that makes things a
> little safer than NAS protocols.
That is of course an option and there are many more.
> The Linux kernel doesn't forward packets by default. But some Linux
> distributions do enable forwarding by default.
Ouch, nasty. I've not seen that except on builds meant for routers,
and not on anything common on a Pi.
> He would also need to add routes to A & C so that they would know to get
> to each other via B.
For everyone but the hackers yes.
--
Steve O'Hara-Smith | Directable Mirror Arrays
C:\>WIN | A better way to focus the sun
The computer obeys and wins. | licences available see
You lose and Bill collects. | http://www.sohara.org/
--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | FidoUsenet Gateway (3:770/3)
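The host-level setup discussed in this exchange (end hosts A and C that only accept traffic from B, B forwarding between the two subnets, and routes on A and C pointing at B), as an added example that is not part of the original post or its author's configuration. The addresses (A 192.0.2.10, B 192.0.2.1 / 198.51.100.1, C 198.51.100.10), the table name "isolate" and the helper function names are assumptions made for the illustration. The ruleset uses a chain policy of "drop" so that the failure mode raised above (one glitch in the rules) fails closed rather than open; it does nothing about a peer that sniffs in promiscuous mode or injects frames on the shared segment, which is the other objection raised and which no host firewall addresses.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical layout:
#   A (192.0.2.10) --- B (192.0.2.1 | 198.51.100.1) --- C (198.51.100.10)

# Print an nftables ruleset for an end host (A or C) that accepts new
# connections only from the peer address given as $1. Both chains carry
# "policy drop", so a missing or mistyped accept rule blocks traffic
# instead of letting everything through.
fw_ruleset() {
    peer="$1"
    cat <<EOF
flush ruleset
table inet isolate {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ip saddr $peer accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Check that every base chain in the ruleset text given as $1 has a drop
# policy. Returns 0 when the ruleset fails closed, 1 otherwise.
ruleset_fails_closed() {
    hooks=$(printf '%s\n' "$1" | grep -c 'type filter hook' || true)
    drops=$(printf '%s\n' "$1" | grep -c 'type filter hook.*policy drop' || true)
    [ "$hooks" -gt 0 ] && [ "$hooks" -eq "$drops" ]
}

# Report whether IPv4 forwarding is on, reading the sysctl file given as
# $1 (defaults to the live kernel value). On B this must be "enabled"
# for A and C to reach each other; on A and C it should be "disabled".
ip_forward_state() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    if [ "$(cat "$f" 2>/dev/null)" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Print the route an end host needs so that the remote subnet ($1) is
# reached via B's address on the local segment ($2).
route_via_b() {
    printf 'ip route add %s via %s\n' "$1" "$2"
}

# Usage on host A (root required to apply; shown as comments so the
# file is safe to source):
#   fw_ruleset 192.0.2.1 | nft -f -
#   route_via_b 198.51.100.0/24 192.0.2.1 | sh
#   ip_forward_state      # expect "disabled" on A and C, "enabled" on B
```

On host C the same two calls are made with B's other address (fw_ruleset 198.51.100.1 and route_via_b 192.0.2.0/24 198.51.100.1). The ruleset_fails_closed check is the kind of review a practitioner would run before applying a generated ruleset: it catches the case where a chain was left at the nftables default of accept.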