
Free Firewall that can filter ARP


Xthink
September 13th, 2008, 10:18 AM
Good day everyone!

I'm currently using CFP and happy with it. IP/Port scanning from other pc's on the same subnet shows that I'm stealth. I can't use testing from sites such as GRC etc. because I'm behind a router. Yesterday, I scanned my pc again from another pc using Colasoft MAC scanner, and to my surprise that other pc saw my ip and MAC. I asked on Comodo's forum if there's any way (a rule or anything) I should do to make me totally stealth to all pc's on my subnet other than the gateway and other trusted pc's, but I learned that CFP as of v3 (not yet sure about v3.5) does not yet support ARP filtering.

Sorry for the long intro :-[ , I just want a recommendation for any good/free firewall that can handle ARP filtering. I've read about CHX-I but never tried it yet because I believe it's no longer being developed. I'm using WIPFW now (with CFP) but I don't see any ARP filtering rule.

Thank you very much in advance for any suggestion. More power!

Arup
September 13th, 2008, 10:30 AM
I can't figure this out, if you are behind a router with WAN ping disabled, your IP should be hidden.

Woody777
September 13th, 2008, 10:31 AM
Using Comodo Version 3 etc do the following: open the firewall GUI: click Firewall Tasks: click attack detection settings: check Protect ARP Cache:
check Block gratuitous ARP frames & click apply. Click Miscellaneous, check Block fragmented IP datagrams & Do protocol analysis. Apply. Suggest you also use PeerGuardian.

doktornotor
September 13th, 2008, 10:34 AM
You definitely should NOT mess with ARP unless you understand how ARP works. All sorts of serious routing and thus network connectivity issues will be the result otherwise.

:blink: :o

nomarjr3
September 13th, 2008, 10:43 AM
PCTools Firewall Plus

doktornotor
September 13th, 2008, 10:56 AM
Well, I really doubt the other people replying here know what they are talking about.

Neither CFP, nor PC Tools FW will make your machine invisible on your LAN (which clearly is the goal of the OP here, since "stealth" is not enough these days, we apparently need "super stealth" ::) ).

ARP filtering (such as the "Block Gratuitous ARP Frames") there does something completely different - e.g. the above CFP function will block "unsolicited" ARP packets (more precisely, packets that are not sent in reply to an ARP request). Doing so can result in an outdated ARP cache and broken routing, e.g. in case you replace a NIC on another machine on the same subnet. The goal here is to block potentially malicious updates of the ARP cache stored on your box, which could cause a sort of man-in-the-middle attack, definitely NOT to make your box super-invisible.

Xthink
September 13th, 2008, 11:00 AM
-{ Quote: "I can't figure this out, if you are behind a router with WAN ping disabled, your IP should be hidden." }-

It's a company router, all the pc's involved are inside the company's LAN. I scanned my pc from another pc on the same subnet using Colasoft MAC scanner and it is able to see my ip and MAC.

-{ Quote: "Using Comodo Version 3 etc do the following: open the firewall GUI: click Firewall Tasks: click attack detection settings: check Protect ARP Cache:
check Block gratuitous ARP frames & click apply. Click Miscellaneous, check Block fragmented IP datagrams & Do protocol analysis. Apply. Suggest you also use PeerGuardian." }-

Both are already checked.

Regarding PeerGuardian, I was using it before with CFP but there's no log for blocked/allowed ip's. I'm assuming CFP does the filtering before it does. Please check https://forums.comodo.com/help_for_v3/peerguardian_still_needed-t27095.0.html that I also started.

doktornotor
September 13th, 2008, 11:05 AM
-{ Quote: "It's a company router, all the pc's involved are inside the company's LAN. I scanned my pc from another pc on the same subnet using Colasoft MAC scanner and it is able to see my ip and MAC.
" }-

Yeah, of course you are able to see your IP and MAC from LAN PCs on the same subnet - that's how switched ethernet works. There are legitimate goals to be attained by ARP filtering (such as prevention of ARP flood and/or ARP poisoning) and there are totally futile goals, such as the "super-stealthed mode" debated in this thread.

To make the long story short - please forget this if the only thing you are after is making your PC invisible on your LAN and move on.

Xthink
September 13th, 2008, 11:10 AM
-{ Quote: "Yeah, of course you are able to see your IP and MAC from LAN PCs on the same subnet - that's how switched ethernet works. There are legitimate goals to be attained by ARP filtering (such as prevention of ARP flood and/or ARP poisoning) and there are totally futile goals, such as the "super-stealthed mode" debated in this thread.

To make the long story short - please forget this if the only thing you are after is making your PC invisible on your LAN and move on." }-

Can't CHX-I, WIPFW or other layer 2 packet filters do it, as I've read on some posts? No possibility at all?

doktornotor
September 13th, 2008, 11:28 AM
Well, I guess I'm still unclear... Other things unchanged, discarding all ARP traffic will result in complete loss of your network connectivity, you can as well pull the network cable out. Should everyone implement this on your LAN, you'll be required to broadcast all packets received for your LAN to all hosts on that LAN, effectively meaning throw away all the nice switches and go back to stupid hubs, thus wasting network bandwidth in a horrible way and slowing down everything to a crawl. Where's the legitimate and useful purpose of this I totally fail to see.

Stem
September 13th, 2008, 12:02 PM
-{ Quote: "Well, I guess I'm still unclear... Other things unchanged, discarding all ARP traffic will result in complete loss of your network connectivity," }-

I am unclear as to your reaction and your replies to the OP.
The OP did not ask to block all ARP on the LAN, just a question if other PCs on the LAN could be blocked from scanning with such as "Colasoft MAC scanner".


- Stem

Stem
September 13th, 2008, 12:04 PM
Hi Xthink, Welcome to Wilders,

I am just going to download the colasoft mac scanner now to check against CHX-I
Just give me a few minutes to setup.


- Stem

doktornotor
September 13th, 2008, 12:06 PM
-{ Quote: "
The OP did not ask to block all ARP on the LAN, just a question if other PCs on the LAN could be blocked from scanning with such as "Colasoft MAC scanner".
" }-

Hmm?

-{ Quote: "
totally stealth to all pc's on my subnet other than the gateway and other trusted pc's
" }-

As explained above in detail, this doesn't serve any useful purpose and will cause more harm than it will solve.

Stem
September 13th, 2008, 12:15 PM
-{ Quote: "this doesn't serve any useful purpose" }-It will block other PCs on LAN from scanning. That is what the OP wants, so it is useful to the OP
-{ Quote: "and will cause more harm than it will solve." }-Not if rules are correctly created.

Xthink
September 13th, 2008, 12:19 PM
-{ Quote: "Well, I guess I'm still unclear... Other things unchanged, discarding all ARP traffic will result in complete loss of your network connectivity, you can as well pull the network cable out. Should everyone implement this on your LAN, you'll be required to broadcast all packets received for your LAN to all hosts on that LAN, effectively meaning throw away all the nice switches and go back to stupid hubs, thus wasting network bandwidth in a horrible way and slowing down everything to a crawl. Where's the legitimate and useful purpose of this I totally fail to see." }-

Please bear with my ignorance and stubbornness :-[ . Quoted from an article I've read: "... Technically speaking, hubs operate using a broadcast model and switches operate using a virtual circuit model. When four computers are connected to a hub, for example, and two of those computers communicate with each other, hubs simply pass through all network traffic to each of the four computers. Switches, on the other hand, are capable of determining the destination of each individual traffic element (such as an Ethernet frame) and selectively forwarding data to the one computer that actually needs it. By generating less network traffic in delivering messages, a switch performs better than a hub on busy networks."

If I understand it correctly, only the switch needs to know my ip and MAC, and it will be the one responsible for sending/returning requests/data to/from my pc and other pc's on the network or on the internet. Other pc's on the LAN have nothing to do with it. Please shed light on this. Thank you for your assistance.

Stem
September 13th, 2008, 12:20 PM
Hi Xthink,

In answer to your question.

Yes, rules can be put in place in CHX-I so that only ARP from specific MAC addresses will be allowed, so those not allowed would be blocked. Which in effect can stop the Colasoft MAC scanner from seeing your PC.


- Stem

Xthink
September 13th, 2008, 12:31 PM
-{ Quote: "Hi Xthink,

In answer to your question.

Yes, rules can be put in place in CHX-I so that only ARP from specific MAC addresses will be allowed, so those not allowed would be blocked. Which in effect can stop the Colasoft MAC scanner from seeing your PC.


- Stem" }-

Thanks for the reply Stem.

If I would only allow my gateway to see my MAC & ip, does it have any bad effect on my pc communicating to other pc's on the LAN or my internet connection? Is there a need to allow also our servers or the switch would take care of it? Could you please point me to CHX-I download and documentations?

CHX-I I believe is also free, right?

doktornotor
September 13th, 2008, 12:34 PM
-{ Quote: "
If I understand it correctly, only the switch needs to know my ip and MAC, and it will be the one responsible to send/return request/data to/from my pc and other pc's on the network or on the internet. Other pc's on the LAN has nothing to do with it. Please shed light on this. Thank you for assistance." }-

I'd suggest starting with basics (http://en.wikipedia.org/wiki/Address_Resolution_Protocol#Packet_structure). You are only asking for networking trouble and achieving no additional security whatsoever.

Stem
September 13th, 2008, 12:49 PM
-{ Quote: "If I would only allow my gateway to see my MAC & ip, does it have any bad effect on my pc communicating to other pc's on the LAN or my internet connection?" }-The direct filtering for ARP within CHX-I is limited. Placing rules to only allow ARP from specific PCs will limit inbound/outbound to only those MAC addresses you place. I will check to see if any conditional rules can be put in place to allow outbound, but unsolicited inbound from MAC addresses not allowed would be blocked.
If you have a rule to only allow the gateway, then you would have no problem with connections to the Internet.


-{ Quote: " Is there a need to allow also our servers or the switch would take care of it?" }-Are the servers within the LAN?

-{ Quote: " Could you please point me to CHX-I download and documentations?

CHX-I I believe is also free, right?" }-CHX-I is free, but there is no longer a download available (that I know of). Some users have uploaded CHX to file sharing servers, but unsure of those links or if they are still active. I could upload the version I have to rapidshare if required.

- Stem

AJohn
September 13th, 2008, 01:07 PM
I have compiled an archive of all IDRCI software I have copies of:


Download link: http://www.mediafire.com/?sharekey=775e10bee7acd4a7ab1eab3e9fa335caa6e3f5bae0a54b62
The file "chx3.0.msi" is the firewall you want.
The folder "3.0 driver update" has updated drivers released by Stefan (programmer of this firewall) and includes instructions on how to update.
There are other utilities there from IDRCI if you are interested in checking them out.

vijayind
September 13th, 2008, 03:45 PM
If I remember correctly Kerio (now Sunbelt) has inbuilt rules for TCP, UDP, ICMP and ARP. So if the scenario you mention is not covered, maybe you can add a manual rule for the same.

If you look beyond free products, there are other products which I know can protect against ARP. Jetico v2 has something called ARP SPI.
And for enterprise I have used eConceal Pro which has ruleset ability for virtually every protocol imaginable.

Einsturzende
September 13th, 2008, 05:20 PM
Protoport can filter ARP, you can even create rules for ARP like you do for TCP, but it costs money, here: http://www.protoport.com/index.firewall

screenie: (screenshot attachment, not included here)

Xthink
September 13th, 2008, 11:15 PM
-{ Quote: "I have compiled an archive of all IDRCI software I have copies of:


Download link: http://www.mediafire.com/?sharekey=775e10bee7acd4a7ab1eab3e9fa335caa6e3f5bae0a54b62
The file "chx3.0.msi" is the firewall you want.
The folder "3.0 driver update" has updated drivers released by Stefan (programmer of this firewall) and includes instructions on how to update.
There are other utilities there from IDRCI if you are interested in checking them out." }-

Thanks a lot for the link AJohn. I will try it out. Any other links for documentation/rule building tutorial?

-{ Quote: "I will check to see if any conditional rules can be put in place to allow outbound, but unsolicited inbound from MAC addresses not allowed would be blocked.
If you have a rule to only allow the gateway, then you would have no problem with connections to the Internet." }-

That is what I want, to block all unsolicited inbound but allow the traffic I initiate.

-{ Quote: "Are the servers within the LAN?" }-

Servers are within the LAN.

Thanks vijayind, but I believe Kerio is no longer updated (if you're talking about 2.15?) and the driver might be incompatible with new drivers of SP2 or SP3. Besides, bugs are no longer fixed. Jetico 2 I think is not free.

Einsturzende, Protoport will cost a fortune for me. It will only be for personal use. Thanks anyway.

AJohn
September 14th, 2008, 01:26 AM
Here is a link to a locally hosted ruleset released by Stef. It is made as a quickstarter for workstations: http://www.wilderssecurity.com/attachment.php?attachmentid=181269&d=1152979143

Here is the thread I found the link in: http://www.wilderssecurity.com/showthread.php?t=139070

Here are more: http://www.wilderssecurity.com/search.php?searchid=2474918

vijayind
September 14th, 2008, 01:44 AM
-{ Quote: "
Thanks vijayind, but I believe Kerio is no longer updated (if you're talking about 2.15?) and the driver might be incompatible with new drivers of SP2 or SP3. Besides, bugs are no longer fixed. Jetico 2 I think is not free.
" }-
I meant Kerio PF now Sunbelt PF.
See here: http://www.pcauthority.com.au/Download/76249,sunbelt-kerio-personal-firewall-43744.aspx

I asked one of my friends. He told me about this PF called SoftPerfect Personal Firewall.
-{ Quote: "
The SoftPerfect Personal Firewall is a free network firewall designed to protect your PC against attacks from the Internet or via a local area network. SoftPerfect Personal Firewall offers customizable security using user-defined rules for packet filtering. It works at a low level and also allows you to create rules based on non-IP protocols such as ARP.
" }-

http://www.softperfect.com/products/firewall/

Stem
September 14th, 2008, 07:10 AM
-{ Quote: "I will check to see if any conditional rules can be put in place to allow outbound, but unsolicited inbound from MAC addresses not allowed would be blocked." }-
-{ Quote: "That is what I want, to block all unsolicited inbound but allow the traffic I initiate." }-
Unfortunately there is no way I can see of creating a conditional rule for ARP.


-{ Quote: "Servers are within the LAN." }-Then ARP rules would need to be made to allow them.


- Stem

Xthink
September 14th, 2008, 08:06 AM
-{ Quote: "Unfortunately there is no way I can see of creating a conditional rule for ARP.

- Stem" }-

Meaning either allow or deny only? No outbound to blocked MAC?

Stem
September 14th, 2008, 09:10 AM
-{ Quote: "Meaning either allow or deny only? " }-Yes.

You are looking at allowing/blocking inbound ARP, so you either need to set rules to allow what you want (that then blocks all else) or block what is not wanted (which then allows all else).



-{ Quote: "No outbound to blocked MAC?" }-ARP is required in both directions for LAN connections to work.


- Stem

Xthink
September 14th, 2008, 09:55 AM
Thanks for the clarification Stem, but I guess it's only half of what I wanted. Let's say I'm looking for Layer 2 SPI, which I'm not sure is possible or if there are already security tools out there that can do that.

Do you think CHX-I complements CFP which I'm currently using or is it just redundant? Or any suggestion for a better firewall to complement CHX-I?

Stem
September 14th, 2008, 10:15 AM
-{ Quote: "Let's say I'm looking for Layer 2 SPI, which I'm not sure is possible or if there are already security tools out there that can do that." }-The ARP security tools currently available are mainly for protection against attack/spoofing, not for filtering specific addresses to allow/block.
Most firewall vendors attempt to make MAC filtering based on the same.
I have not yet seen a free firewall that will give you the MAC filtering that you require, as there would be a need for a state table for MAC filtering to allow replies based on outbound.

-{ Quote: "Do you think CHX-I complements CFP which I'm currently using or is it just redundant? Or any suggestion for a better firewall to complement CHX-I?" }-Personally I would not advise you to install 2 firewalls/low level packet filters, there can be underlying conflicts.


- Stem
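doktornotor's explanation earlier of what gratuitous-ARP blocking does (dropping replies nobody asked for) and Stem's point above that allow/block-by-MAC rules need a state table before solicited replies can be let through, as an added example that is not CHX-I's, CFP's or any poster's code: a small Python filter that parses raw ARP frames, records our own outbound requests, and classifies inbound ARP as trusted, solicited, unsolicited, or a MAC change for an IP already learned. The MAC and IP addresses and the replayed frames are constructed sample values.

```python
"""Layer-2 "ARP SPI" demo: stateful inbound ARP filter over raw Ethernet frames."""
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST, ZERO_MAC = b"\xff" * 6, b"\x00" * 6

# Constructed sample addresses for the demo, not from any real LAN.
MY_MAC, MY_IP = bytes.fromhex("020000000010"), "192.168.1.10"
GW_MAC, GW_IP = bytes.fromhex("020000000001"), "192.168.1.1"
SRV_MAC, SRV_IP = bytes.fromhex("020000000020"), "192.168.1.20"
SCAN_MAC, SCAN_IP = bytes.fromhex("020000000077"), "192.168.1.77"

def build_arp(op, sha, spa, tha, tpa):
    """Build a raw 42-byte Ethernet + ARP frame for the constructed traffic."""
    eth = (BROADCAST if op == ARP_REQUEST else tha) + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet/IPv4, 6-byte MAC, 4-byte IP
    return eth + arp + sha + IPv4Address(spa).packed + tha + IPv4Address(tpa).packed

def parse_arp(frame):
    """Return the ARP fields of a raw frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": frame[22:28], "spa": str(IPv4Address(frame[28:32])),
            "tha": frame[32:38], "tpa": str(IPv4Address(frame[38:42]))}

class ArpStateFilter:
    """Trusted MACs always pass; other requests are dropped (a scanner gets no reply); replies pass only if we asked first."""
    def __init__(self, my_mac, my_ip, trusted_macs=()):
        self.my_mac, self.my_ip = my_mac, my_ip
        self.trusted = set(trusted_macs)
        self.pending = set()  # IPs we sent a request for and have not heard back on yet
        self.cache = {}       # ip -> MAC learned from solicited replies

    def outbound(self, frame):
        """Record our own ARP requests so the matching reply can be let in."""
        a = parse_arp(frame)
        if a and a["op"] == ARP_REQUEST and a["sha"] == self.my_mac:
            self.pending.add(a["tpa"])

    def inbound(self, frame):
        """Return a verdict string for an inbound frame."""
        a = parse_arp(frame)
        if a is None:
            return "PASS"  # not ARP, outside this filter's scope
        if a["sha"] in self.trusted:
            return "ALLOW-TRUSTED"
        if a["op"] != ARP_REPLY:
            return "DROP-REQUEST"  # untrusted host asking who has an IP (what a MAC scanner sends): stay quiet
        if a["spa"] not in self.pending:
            return "DROP-UNSOLICITED"  # gratuitous or out-of-state reply, e.g. someone claiming the gateway IP
        known = self.cache.get(a["spa"])
        if known is not None and known != a["sha"]:
            return "ALERT-MAC-CHANGE"  # replaced NIC or poisoning attempt: alert, do not learn it silently
        self.pending.discard(a["spa"])
        self.cache[a["spa"]] = a["sha"]
        return "ALLOW-SOLICITED"

def run_scenario():
    """Replay constructed LAN traffic through the filter and return the verdicts in order."""
    f = ArpStateFilter(MY_MAC, MY_IP, trusted_macs=[GW_MAC])
    out = []
    out.append(f.inbound(build_arp(ARP_REQUEST, GW_MAC, GW_IP, ZERO_MAC, MY_IP)))      # gateway asks who has our IP
    out.append(f.inbound(build_arp(ARP_REQUEST, SCAN_MAC, SCAN_IP, ZERO_MAC, MY_IP)))  # MAC scanner sweeps the subnet
    f.outbound(build_arp(ARP_REQUEST, MY_MAC, MY_IP, ZERO_MAC, SRV_IP))                # we resolve the file server
    out.append(f.inbound(build_arp(ARP_REPLY, SRV_MAC, SRV_IP, MY_MAC, MY_IP)))        # the server's reply
    out.append(f.inbound(build_arp(ARP_REPLY, SCAN_MAC, GW_IP, MY_MAC, MY_IP)))        # unsolicited "I am the gateway"
    f.outbound(build_arp(ARP_REQUEST, MY_MAC, MY_IP, ZERO_MAC, SRV_IP))                # resolve the server again
    out.append(f.inbound(build_arp(ARP_REPLY, SCAN_MAC, SRV_IP, MY_MAC, MY_IP)))       # server IP, different MAC
    return out
```

Only inbound ARP is policed here; as Stem notes, outbound ARP must still flow for any LAN connection to work, which is why the filter records rather than blocks it.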

Stijnson
September 15th, 2008, 05:31 AM
-{ Quote: "I can't figure this out, if you are behind a router with WAN ping disabled, your IP should be hidden." }-

How can I check this?

Escalader
September 16th, 2008, 08:44 AM
-{ Quote: "Well, I really doubt the other people replying here know what they are talking about.

Neither CFP, nor PC Tools FW will make your machine invisible on your LAN (which clearly is the goal of the OP here, since "stealth" is not enough these days, we apparently need "super stealth" ::) ).

ARP filtering (such as the "Block Gratuitous ARP Frames") there does something completely different - e.g. the above CFP function will block "unsolicited" ARP packets (more precisely, packets that are not sent in reply to an ARP request). Doing so can result in an outdated ARP cache and broken routing, e.g. in case you replace a NIC on another machine on the same subnet. The goal here is to block potentially malicious updates of the ARP cache stored on your box, which could cause a sort of man-in-the-middle attack, definitely NOT to make your box super-invisible." }-


Suggest you ask Stem about ARP filtering, he does know the technical details.

The issues you raise in your OP are important and answering them is above my pay scale. 1 in a 1000 understand ARP IMHO. If a free FW can do it, good, but when free that is what users sometimes get in value.

Let's wait for Stem's answers.

Stem
September 16th, 2008, 11:04 AM
-{ Quote: "....he does know the technical details.

" }-

Hi Escalader,


Yes, I do know how ARP works, but most users are simply not interested in such low level filtering, they are, if at all, only concerned if a firewall will filter and protect on such a level.
I try not to get too technical with my replies, as it could cause more confusion, so I simply try to stay with replying to the OP question, which I think I have answered.

Those that are interested in ARP, then I would suggest setting up a sniffer on 1 or 2 of your PCs on your own home LAN and then simply pinging the gateway (router) and other PC(s); you will soon see how ARP works... there are of course various white papers and sites that will give info, but as to how a firewall handles ARP, that is best left to actual testing/checking rather than documentation.


Of course, if direct questions about ARP are given, then I certainly have no problem with giving direct technical replies with logs of such comms. But that would be for a new thread please.

- Stem

Escalader
September 16th, 2008, 01:38 PM
-{ Quote: "Hi Escalader,


Yes, I do know how ARP works, but most users are simply not interested in such low level filtering, they are, if at all, only concerned if a firewall will filter and protect on such a level.
I try not to get too technical with my replies, as it could cause more confusion, so I simply try to stay with replying to the OP question, which I think I have answered.

Those that are interested in ARP, then I would suggest setting up a sniffer on 1 or 2 of your PCs on your own home LAN and then simply pinging the gateway (router) and other PC(s); you will soon see how ARP works... there are of course various white papers and sites that will give info, but as to how a firewall handles ARP, that is best left to actual testing/checking rather than documentation.


Of course, if direct questions about ARP are given, then I certainly have no problem with giving direct technical replies with logs of such comms. But that would be for a new thread please.

- Stem" }-


Hi Stem:

Been busy on another thread, so just read this.

Yes, I may very well be asking some direct questions on ARP on a new thread where we/you! could deal with "all things users wanted to ask about low level filtering" or some such wording.

More later

Bensec
September 21st, 2008, 04:19 AM
Is this what you are looking for?



AntiARP's features

The main features of AntiARP:

1. Intercept incoming ARP attack. Intercept incoming spurious ARP packets in OS kernel to protect system to ensure a correct local ARP cache table.
2. Intercept outgoing ARP attack. Intercept outgoing spurious ARP packets in OS kernel to reduce localhost's attacking others after affecting malicious programs.
3. Intercept IP conflict. Intercept ARP packets of IP conflict in OS kernel to protect system from attack of IP conflict.
4. Active defence. Actively keep communication with gateway and send the correct MAC address to gateway to keep smooth internet connection and communication security.

Besides main features, there are AntiARP's assistant features which will help in the use of main features. They are:
1. Intelligent Defense. Can detect and react to the condition when only the gateway is being ARP spoofed.
2. Trusted Route Monitor. Can detect and react to condition when only the gateway is being ARP spoofed.
3. ARP viruses cleaner. Can locate the local viruses when the localhost has outgoing ARP attacks.
4. Prevent DoS attack. Intercept outgoing spurious DoS data packets of TCP SYN/UDP/ICMP/ARP in OS kernel, note the position of programs which send DoS attacks maliciously, and ensure smooth internet connection.
5. Safety mode. Never respond to ARP requests from machines other than the gateway, to have a hiding effect and reduce ARP attacks. (Note: I think LNS can do this as well.)
6. ARP flow analysis. Analyze all ARP packets localhost receives, monitor internet and find out potential attacker or infected machine.
7. Monitor ARP cache table. Monitor and repair local ARP cache table automatically. If gateway's MAC address changed by malicious programs is found, alarms will ring and the false address will be fixed automatically.
8. Locate attacker. When the software is aware of attack, it will quickly locate the IP address of attacker.
9. Protect System Time. Prevent the system time from being changed by hostile programs so as to prevent the invalidation of guarding software.
10. IE startup page Protection. Prevent IE startup page being changed by hostile programs.
11. ARP cache table protection. Prevent ARP cache table being changed by hostile programs.
12. Self Protection. Prevent AntiARP itself from being closed by hostile programs.
13. Detect network management software in Local network, like netcut, etc.

http://www.antiarp.com/English/e_about.htm

This is a Chinese ARP firewall, which is quite popular here.
The Chinese version is free if you don't mind sacrificing your browser homepage.
The English version should also be free, I think, but it's a 15-day free trial.
=( It is made-in-china