Date: Sun, 12 Mar 2006 09:35:59 -0500
From: Chuck Swiger <cswiger@mac.com>
To: hshh <hunreal@gmail.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Is it possible to use IPFW2 to defend ARP Spoof attack?
Message-ID: <441431CF.2050605@mac.com>
In-Reply-To: <9b6b59500603120203i3e0733fm3334bce6c42a7682@mail.gmail.com>
References: <9b6b59500603120203i3e0733fm3334bce6c42a7682@mail.gmail.com>
hshh wrote:
> Is it possible to use IPFW2 to defend ARP Spoof attack?

Yes, IPFW can filter ARP traffic which passes by it in either a layer-3 routing/firewall configuration, or even in a layer-2 bridging config.

However, most people have lots of machines plugging into 24-port switches rather than into dedicated firewall ports on a machine running FreeBSD+IPFW. In practice, unless you are prepared to lock down the switch ports to specific MAC addresses and monitor any trunk ports carefully, ARP spoofing attacks can still occur from local machines [1].

-- 
-Chuck

[1]: "local" as opposed to say the interface on your side of your ISP's router being compromised and ARP'ing internal IPs to its own interface to misdirect internal traffic. An IPFW firewall between your internal machines and the ISP would be effective in that case. But the anti-spoofing rulesets that are recommended would already guard against such things at the IP level.
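A check of the kind the reply has in mind, added here as an example that is not from the original thread, from FreeBSD or from IPFW: it parses Ethernet/ARP frames and flags any frame that announces a pinned IP from a MAC other than the one it is locked down to, or whose Ethernet source disagrees with the ARP sender address. The TRUSTED table, all addresses and the sample frames are constructed.

```python
import struct

# Assumed, constructed binding table: the IP-to-MAC pairs the operator has
# pinned (the same knowledge a per-port MAC lockdown on the switch relies on).
TRUSTED = {"192.168.1.1": "00:11:22:33:44:55"}   # constructed gateway entry

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None otherwise."""
    if len(frame) < 42:
        return None
    _eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:                      # EtherType ARP
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": _mac(eth_src), "oper": oper, "sha": _mac(sha),
            "spa": _ip(spa), "tha": _mac(tha), "tpa": _ip(tpa)}

def check_arp(frame):
    """Return a list of findings for one frame; an empty list means it passed."""
    arp = parse_arp(frame)
    if arp is None:
        return ["not an IPv4-over-Ethernet ARP frame"]
    findings = []
    # The Ethernet source and the ARP sender hardware address should agree.
    if arp["eth_src"] != arp["sha"]:
        findings.append(f"frame from {arp['eth_src']} carries ARP sender {arp['sha']}")
    # A pinned IP must only ever be announced by its pinned MAC.
    expected = TRUSTED.get(arp["spa"])
    if expected and expected != arp["sha"]:
        findings.append(f"{arp['spa']} announced by {arp['sha']}, expected {expected}")
    return findings

def build_arp(oper, sha, spa, tha, tpa, eth_src=None):
    """Build a constructed Ethernet/ARP frame (sample input only)."""
    mac_b = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip_b = lambda s: bytes(int(x) for x in s.split("."))
    eth = mac_b(tha) + mac_b(eth_src or sha) + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_b(sha), ip_b(spa), mac_b(tha), ip_b(tpa))
    return eth + arp + b"\x00" * 18              # pad to the 60-byte minimum

# Constructed samples: a genuine gateway reply, and one announcing the gateway IP from another MAC.
LEGIT = build_arp(2, "00:11:22:33:44:55", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10")
ROGUE = build_arp(2, "aa:bb:cc:00:00:20", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10")
```

Run `check_arp` over frames captured on the bridge interface; a non-empty list is the event to alert on.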
