LinuxQuestions.org


lezek 03-21-2004 05:58 PM

broadcasts on a home lan using an internal firewall; this is probably impossible
 
Next year I will be living in a house with 5 other students, each of whom has computing abilities ranging from non-existent to advanced. Since my flatmates to be seem to think I am some kind of guru, it has naturally fallen to me to set up a LAN and Internet access.

There will be two PCs on the LAN directly under my control; the main Linux server and my desktop. Other than that, there will be five other PCs belonging to my housemates, and up to 8 further machines when we hold LAN parties, which we will.

Since Internet access is provided through NAT, each machine except the server is effectively shielded from the Internet. This is great, because each machine on the LAN runs some version of Windows, and you can guarantee that no matter how much I nag, their owners will completely fail to keep up to date with critical OS updates, virus scans etc. The obvious problem here is that although the LAN is firewalled off from the Internet as a whole, individual machines are not firewalled off from each other.

There was an incident earlier this year when a friend of mine took his laptop to another friend's flat for some LAN gaming. As a result, his previously perfectly malware-free but unpatched laptop was exposed to a vast array of worms that the latter individual had somehow accrued on his machine. Needless to say, it was all very messy and after a time an OS reinstall was deemed necessary. Needless to say, I do NOT want to have to deal with this sort of thing whenever friends bring their computers to our house (which, since we are all of ten minutes walk from the university, is bound to happen all the time).

Bearing in mind that I'm not guaranteed to be available at any given time to reconfigure things or open ports when a new game is acquired, I figure the easiest way to provide what will probably prove to be adequate protection against this is to redirect all LAN traffic through the server, and have the server block anything on ports for things like SMB and RPC, which are often subject to vulnerabilities. For the simple sake of ease of use, everything else will be left open so my housemates can use whatever software they want to use over the network without problems.

One way this could be done, which is admittedly hackish, but I suspect would work is to put each client in a subnet including only itself and the server, with the server set as the default gateway and redirecting traffic within the LAN and onto the Internet as appropriate. For example, the server could use every odd IP address between 192.168.0.1 and 192.168.0.253 inclusive, and clients could be assigned even IP addresses between 192.168.0.2 and 192.168.0.254 inclusive, each with a subnet mask of 255.255.255.254.

Having explained all of that, on to the questions/problems:
1) Since all the machines are plugged into one of two switches, and the switches are linked to each other, I imagine broadcasts would still travel to every machine on the LAN unmolested by the server. True?
2) If the above is true, since all the machines can still communicate directly using broadcasts, it seems to me that the above arrangement is completely pointless and that each machine will be vulnerable regardless. If so, is there any way I can achieve what I want?
3) Furthermore, is there any way I can achieve what I want, and still have broadcasts work as expected, possibly using something akin to broadcast forwarding? The reason I ask this is a) because some braindead games rely on broadcast for netplay, b) because as I understand it, Linux cannot and never will be able to do broadcast forwarding on the basis that it is 'useless' and 'dangerous', which is funny, because I've found at least one use for it in the past, possibly now two, and the only danger occurs if everyone on the Internet turns it on.

TIA.

rootyard 03-22-2004 12:27 AM

Don't put an untrusted device on your network. Period. Unless you're willing to put up with whatever bad happens. Risk/Reward

lezek 03-22-2004 08:13 AM

No 'untrusted' machine will ever be attached to the network, that is to say I trust their owners. I realise that my proposed system would be very easy to get around if someone sitting physically at a machine were just to change the settings.

The idea is not to prevent a determined person who has somehow broken into our house from compromising the network, but to provide a little added protection to make it harder for worms to spread. I know for a fact that no matter what I say, inevitably at some point a visitor will be invited to plug their machine into the network and I merely want to use some preventative measures to ensure that worms are not spread *accidentally*. I have no intention of trying to prevent intentional attacks because I realise that is impossible. The way I figure it, assuming all machines keep to the above settings (which they will), broadcasts will make it to all devices but any packets sent in reply will go through the firewall. True? If so, this is good enough for the purpose.

Answers to the questions would have been a lot more useful than stating the blindingly obvious.
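The addressing plan in the opening post (server on the odd addresses, clients on the even ones, mask 255.255.255.254) and the claim in the follow-up (broadcasts reach every host, but unicast replies must cross the server) can be checked with a small model. The script below is an added example and is not code from this thread; it assumes a block list of the well-known Windows RPC/NetBIOS/SMB ports (135, 137-139, 445) for what the post calls "SMB and RPC", and uses 27015 as a constructed sample game port. It also applies one fact about /31 subnets that the plan as written does not: a /31 always starts on an even address, so .2 pairs with .3, .4 with .5, and so on, which leaves .1 without an even client and .254 paired with .255 rather than with any server address.

```python
import ipaddress

# Constructed model of the addressing plan from the post (not code from the
# thread): the server holds every odd address .1 to .253, each client gets an
# even address .2 to .254, and every host uses mask 255.255.255.254 (/31).
SERVER_ADDRS = {ipaddress.ip_address(f"192.168.0.{o}") for o in range(1, 254, 2)}
PAIR_PREFIX = 31
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Assumed block list for the server's forwarding path: the well-known
# Windows RPC/NetBIOS/SMB ports the post refers to as "SMB and RPC".
BLOCKED_PORTS = {135, 137, 138, 139, 445}


def pair_network(host):
    """The /31 a host sits in; /31 blocks always start on an even address."""
    return ipaddress.ip_network(f"{host}/{PAIR_PREFIX}", strict=False)


def paired_server(client):
    """Return the server address sharing the client's /31, or None if none does."""
    for addr in pair_network(client):
        if addr in SERVER_ADDRS:
            return addr
    return None


def has_paired_server(client):
    """True when the client address actually gets a gateway under the plan."""
    return paired_server(ipaddress.ip_address(client)) is not None


def next_hop(src, dst):
    """Model a client's routing decision for one packet.

    Returns "link" when the packet goes straight onto the wire (the switch
    delivers it and the server never sees it as a router), otherwise the
    server address the client hands the packet to.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if dst == LIMITED_BROADCAST:
        # 255.255.255.255 is never routed: the switches flood it to every
        # port, so every machine receives it (question 1: true).
        return "link"
    if dst in pair_network(src):
        return "link"
    gw = paired_server(src)
    if gw is None:
        raise ValueError(f"{src} has no server address in its /31")
    return str(gw)


def server_forwards(proto, dport):
    """Server forward policy: drop SMB/RPC, let everything else through."""
    return not (proto in ("tcp", "udp") and dport in BLOCKED_PORTS)


def deliver(src, dst, proto, dport):
    """Outcome of one packet under the plan."""
    hop = next_hop(src, dst)
    if hop == "link":
        return "on-link, not filtered"
    return "forwarded by server" if server_forwards(proto, dport) else "dropped by server"


if __name__ == "__main__":
    # A NetBIOS name query sent as a broadcast reaches everyone unfiltered...
    print(deliver("192.168.0.2", "255.255.255.255", "udp", 137))  # on-link, not filtered
    # ...but a unicast reply to another client crosses the server and is dropped.
    print(deliver("192.168.0.4", "192.168.0.2", "udp", 137))      # dropped by server
    # Sample game traffic (constructed port) between clients is forwarded.
    print(deliver("192.168.0.4", "192.168.0.2", "udp", 27015))    # forwarded by server
    # The last even address in the plan has no odd server address in its /31.
    print(has_paired_server("192.168.0.254"))                     # False
```

The model makes the limit of the scheme explicit: anything carried in a limited broadcast is delivered by the switches and never passes the server's filter, so the protection applies only to the unicast traffic that follows (which is exactly what the follow-up post relies on). It also shows that the odd/even split only lines up if the server and client ranges are shifted so that each client's /31 really contains a server address.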

