Is it possible to use IPFW2 to defend ARP Spoof attack?
hshh
hunreal at gmail.com
Mon Mar 13 06:45:22 UTC 2006
I got it, thanks for reply.
And net.link.ether.ipfw=1 must be set to perform layer-2 filtering.
On 3/12/06, Chuck Swiger <cswiger at mac.com> wrote:
>
> hshh wrote:
> > Is it possible to use IPFW2 to defend ARP Spoof attack?
>
> Yes, IPFW can filter ARP traffic which passes by it in either a layer-3
> routing/firewall configuration, or even in a layer-2 bridging config.
>
> However, most people have lots of machines plugging into 24-port switches
> rather than into dedicated firewall ports on a machine running FreeBSD+IPFW.
> In practice, unless you are prepared to lock down the switch ports to specific
> MAC addresses and monitor any trunk ports carefully, ARP spoofing attacks can
> still occur from local machines [1].
>
> --
> -Chuck
>
> [1]: "local" as opposed to say the interface on your side of your ISP's
> router being compromised and ARP'ing internal IPs to its own interface to
> misdirect internal traffic. An IPFW firewall between your internal machines
> and the ISP would be effective in that case. But the anti-spoofing rulesets
> that are recommended would already guard against such things at the IP level.
>
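As an added example, not code from this thread or from the FreeBSD project: a POSIX shell script that generates the IPFW2 layer-2 ruleset the reply describes, accepting ARP frames on one interface only from a list of known source MACs and dropping every other ARP frame. The interface name and MAC addresses are constructed sample values; the script prints the rules unless invoked with `apply`.

```shell
#!/bin/sh
# Added example: build an IPFW2 layer-2 ruleset that accepts ARP frames only
# from known source MACs on a given interface and drops all other ARP frames.
# Interface and MAC addresses below are constructed sample values.
# net.link.ether.ipfw=1 is required (as noted in the thread); once it is set,
# each frame is evaluated twice, at layer 2 and again at layer 3, so the
# layer-3 rules must still accept the IP traffic these rules let through.

IFACE="${IFACE:-em0}"
# Whitespace-separated list of trusted source MACs (constructed sample values).
TRUSTED_MACS="${TRUSTED_MACS:-00:11:22:33:44:55 00:11:22:33:44:66}"

# arp_rules IFACE MAC...  -> prints the commands to install, one per line.
arp_rules() {
    iface="$1"; shift
    n=100
    echo "sysctl net.link.ether.ipfw=1"
    for mac in "$@"; do
        # MAC <dst> <src>: any destination MAC, this specific source MAC.
        echo "ipfw add $n allow ip from any to any MAC any $mac mac-type arp layer2 in via $iface"
        n=$((n + 1))
    done
    # Any other ARP frame arriving on this interface is logged and dropped.
    echo "ipfw add $n deny log ip from any to any mac-type arp layer2 in via $iface"
    n=$((n + 1))
    # Remaining layer-2 frames continue to the normal layer-3 rules.
    echo "ipfw add $n allow ip from any to any layer2"
}

# count_arp_rules IFACE MAC... -> number of ARP-specific rules generated.
count_arp_rules() {
    arp_rules "$@" | grep -c 'mac-type arp'
}

if [ "$1" = "apply" ]; then
    # shellcheck disable=SC2086
    arp_rules "$IFACE" $TRUSTED_MACS | sh -e
else
    # Dry run: show what would be installed.
    # shellcheck disable=SC2086
    arp_rules "$IFACE" $TRUSTED_MACS
fi
```

Run it as root with `apply` on the FreeBSD host; the dropped frames show up in the ipfw log, which is also where an ARP spoofing attempt from an unknown MAC becomes visible.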