Date: Mon, 13 Mar 2006 14:45:21 +0800
From: hshh <hunreal@gmail.com>
To: "Chuck Swiger" <cswiger@mac.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Is it possible to use IPFW2 to defend ARP Spoof attack?
Message-ID: <9b6b59500603122245g490e62ddg26a1e9d182b8dc03@mail.gmail.com>
In-Reply-To: <441431CF.2050605@mac.com>
References: <9b6b59500603120203i3e0733fm3334bce6c42a7682@mail.gmail.com> <441431CF.2050605@mac.com>
I got it, thanks for the reply. And net.link.ether.ipfw=1 must be set to perform layer-2 filtering.

On 3/12/06, Chuck Swiger <cswiger@mac.com> wrote:
>
> hshh wrote:
> > Is it possible to use IPFW2 to defend ARP Spoof attack?
>
> Yes, IPFW can filter ARP traffic which passes by it in either a layer-3
> routing/firewall configuration, or even in a layer-2 bridging config.
>
> However, most people have lots of machines plugging into 24-port switches rather
> than into dedicated firewall ports on a machine running FreeBSD+IPFW. In
> practice, unless you are prepared to lock down the switch ports to specific MAC
> addresses and monitor any trunk ports carefully, ARP spoofing attacks can still
> occur from local machines [1].
>
> --
> -Chuck
>
> [1]: "local" as opposed to say the interface on your side of your ISP's router
> being compromised and ARP'ing internal IPs to its own interface to misdirect
> internal traffic. An IPFW firewall between your internal machines and the ISP
> would be effective in that case. But the anti-spoofing rulesets that are
> recommended would already guard against such things at the IP level.
