Date: Thu, 4 Dec 2003 22:04:25 +0000
From: Jez Hancock
To: FreeBSD Questions List
Message-ID: <20031204220425.GB18124@users.munk.nu>
Subject: Blocking DOS using arp

Hi,

Currently seeing an abnormal amount of http traffic consisting of only
tcp syn packets according to snort.

My main question is how can I block inbound traffic from a given host
using arp?

Related question: I've added block rules for the offending hosts in my
ipf rule list, but snort still sees traffic from these hosts after
restarting ipf to include the new block rules - why is this?

TIA

--
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/