Is it possible to use IPFW2 to defend ARP Spoof attack?

Chuck Swiger cswiger at mac.com
Sun Mar 12 14:36:01 UTC 2006


hshh wrote:
> Is it possible to use IPFW2 to defend ARP Spoof attack?

Yes, IPFW can filter ARP traffic which passes by it in either a layer-3
routing/firewall configuration, or even in a layer-2 bridging config.

However, most people have lots of machines plugging into 24-port switches rather
than into dedicated firewall ports on a machine running FreeBSD+IPFW.  In
practice, unless you are prepared to lock down the switch ports to specific MAC
addresses and monitor any trunk ports carefully, ARP spoofing attacks can still
occur from local machines [1].

-- 
-Chuck

[1]: "local" as opposed to, say, the interface on your side of your ISP's router
being compromised and ARP'ing internal IPs to its own interface to misdirect
internal traffic.  An IPFW firewall between your internal machines and the ISP
would be effective in that case.  But the anti-spoofing rulesets that are
recommended would already guard against such things at the IP level.
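As an added example (not part of Chuck's reply or anything from the freebsd-ipfw list), here is a small passive ARP watcher in Python that does on a host what the post says a firewall on the uplink cannot: notice when an IP on the local segment starts being answered by a different MAC. The frames are constructed inline, and the parser assumes plain Ethernet/IPv4 ARP.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    if ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    _, _, hlen, plen, op, sha, spa, _, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if hlen != 6 or plen != 4:          # only Ethernet/IPv4 ARP is handled here
        return None
    return op, sha.hex(":"), ".".join(map(str, spa))

def watch(frames):
    """Learn IP->MAC from ARP replies; return (ip, old_mac, new_mac) for each rebind."""
    table, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        old = table.get(ip)
        if old is not None and old != mac:
            alerts.append((ip, old, mac))   # same IP now answered by a different MAC
        table[ip] = mac
    return alerts

def build_reply(sha, spa, tha, tpa):
    """Constructed ARP reply frame, used only as sample input for this example."""
    return (ETH_HDR.pack(tha, sha, ETHERTYPE_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, sha, spa, tha, tpa))

# Constructed sample traffic: the real gateway answers, then a second host
# (different MAC) answers for the gateway's IP, which is the spoofing pattern.
GW_MAC, GW_IP = bytes.fromhex("001122334455"), bytes([192, 168, 1, 1])
HOST_MAC, HOST_IP = bytes.fromhex("66778899aabb"), bytes([192, 168, 1, 20])
SAMPLE = [
    build_reply(GW_MAC, GW_IP, HOST_MAC, HOST_IP),
    build_reply(GW_MAC, GW_IP, HOST_MAC, HOST_IP),    # same binding again: no alert
    build_reply(HOST_MAC, GW_IP, HOST_MAC, HOST_IP),  # rebind of the gateway IP: alert
]

if __name__ == "__main__":
    for ip, old, new in watch(SAMPLE):
        print("ARP rebind for %s: %s -> %s" % (ip, old, new))
```

A real deployment would feed frames from a capture socket on the segment being watched; the logic is the same as arpwatch's.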

