Hi,

I have a odd problem, and I want to know if I can solve this with firewalls. (I've done it before using vlans, but I only have a dumb switch right now) I have a series of distributed programs that normally communicate by broadcasting UDP packets. Normally the software talks across multiple hosts, but I want to run it on different machines, allowing the local hosts to see the traffic without broadcasting between different machines.

For example, lets assume I have two computers, c1 and c2 as well as two programs appA and appB. Normally I would run appA on c1 and appB on c2. Both applications broadcast traffic, and both computers receive that traffic.

What I want is to run appA and appB on c1, as well as appA and appB on c2. I want c1 to only see the broadcast traffic from it's programs, and c2 should only see the broadcast traffic from it's programs.

I figure I can just tell c1 to ignore all broadcast traffic from c2 and c2 to ignore all broadcast traffic from c1, but this is just a little harder than that.

If it's possible, I'd like to set things up such that a host's broadcast traffic is seen internally, but doesn't make it as far as the switch. The switch I'm using is pretty cheap and I'm concerned I'm going to flood it with too many packets. So, is it possible to allow a program to bind to a broadcast address, have the packets stay on the local host and never actually send them to the switch?

I'm eager to hear any ideas

-Max

PS, I cannot force the programs to bind to the loopback interface. They always bind to eth0's broadcast address.

It seems to me that your problem is in the design of these applications. The way that grown ups would design these applications would be to use specific ports.

Whilst the ideal solution probably would involve a more fundamental rearchitecting, stating that as the only "grown up" solution isn't helping, and seems somewhat rude to me...

I am just curious to know if you have tried with iptables in the OUTPUT chain ?