Free Firewall that can filter ARP

Discussion in 'other firewalls' started by Xthink, Sep 13, 2008.

Thread Status:
Not open for further replies.
  1. Stem

    Stem, Firewall Expert (Joined: Oct 5, 2005; Posts: 4,948; Location: UK)

    Unfortunately there is no way I can see of creating a conditional rule for ARP.


    Then ARP rules would need to be made to allow them.


    - Stem
     
  2. Xthink

    Xthink, Registered Member (Joined: Sep 13, 2008; Posts: 11)

    Meaning either allow or deny only? No outbound to blocked MAC?
     
  3. Stem

    Stem, Firewall Expert (Joined: Oct 5, 2005; Posts: 4,948; Location: UK)

    Yes.

    You are looking at allowing/blocking inbound ARP, so you either need to set rules to allow what you want (that then blocks all else) or block what is not wanted (which then allows all else).



    ARP is required in both directions for LAN connections to work.


    - Stem
     
  4. Xthink

    Xthink, Registered Member (Joined: Sep 13, 2008; Posts: 11)

    Thanks for the clarification, Stem, but I guess it's only half of what I wanted. Let's say I'm looking for Layer 2 SPI, which I'm not sure is possible or if there are already security tools out there that can do that.

    Do you think CHX-I complements CFP, which I'm currently using, or is it just redundant? Or any suggestion for a better firewall to complement CHX-I?
     
  5. Stem

    Stem, Firewall Expert (Joined: Oct 5, 2005; Posts: 4,948; Location: UK)

    The ARP security tools currently available are mainly for protection against attack/spoofing, not for filtering specific addresses to allow/block.
    Most firewall vendors attempt to make MAC filtering based on the same.
    I have not yet seen a free firewall that will give you the MAC filtering that you require, as there would be a need for a state table for MAC filtering, to allow replies based on outbound.

    Personally I would not advise you to install 2 firewalls/low level packet filters; there can be underlying conflicts.


    - Stem
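
The state table mentioned in the post above, sketched as an added example (not code from the thread or from any firewall named in it): outbound ARP requests are recorded, and an inbound reply is accepted only if it answers a recent request and does not come from a blocked MAC. The class name, the 2-second timeout and all sample frames are assumptions made for the illustration.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
PENDING_TTL = 2.0  # assumed: seconds an outbound request stays in the state table

def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed Ethernet+ARP frame (sample input for this demo)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac(tha)
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return dst + mac(sha) + b"\x08\x06" + hdr + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def parse_arp(frame):
    """Return (op, eth_src, sender_mac, sender_ip, target_ip), or None if not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    dotted = lambda b: ".".join(str(x) for x in b)
    return (op, frame[6:12].hex(":"), frame[22:28].hex(":"),
            dotted(frame[28:32]), dotted(frame[38:42]))

class StatefulArpFilter:  # hypothetical name
    def __init__(self, blocked_macs=()):
        self.blocked = {m.lower() for m in blocked_macs}
        self.pending = {}  # state table: target IP -> time our request went out

    def outbound(self, frame, now):
        p = parse_arp(frame)
        if p and p[0] == ARP_REQUEST:
            self.pending[p[4]] = now  # remember who we asked about
        return "allow"

    def inbound(self, frame, now):
        p = parse_arp(frame)
        if p is None:
            return "drop"
        op, eth_src, sha, spa, _ = p
        if eth_src != sha or sha in self.blocked:
            return "drop"  # header/payload MAC mismatch, or statically blocked MAC
        if op == ARP_REQUEST:
            return "allow"  # peers must be able to resolve us for the LAN to work
        if op != ARP_REPLY:
            return "drop"
        sent = self.pending.pop(spa, None)  # a reply is valid once, for an IP we asked about
        return "allow" if sent is not None and now - sent <= PENDING_TTL else "drop"
```

Inbound requests stay allowed unless the sender MAC is blocked, since ARP has to work in both directions; only replies are tied to the state table.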
     
  6. Stijnson

    Stijnson, Registered Member (Joined: Nov 7, 2007; Posts: 533; Location: Paranoia Heaven)

    How can I check this?
     
  7. Escalader

    Escalader, Registered Member (Joined: Dec 12, 2005; Posts: 3,710; Location: Land of the Mooses)

    Suggest you ask Stem about ARP filtering, he does know the technical details.

    The issues you raise in your OP are important and answering them is above my pay scale. 1 in a 1000 understand ARP IMHO. If a free FW can do it, good, but when free that is what users sometimes get in value.

    Let's wait for Stem's answers.
     
  8. Stem

    Stem, Firewall Expert (Joined: Oct 5, 2005; Posts: 4,948; Location: UK)

    Hi Escalader,

    Yes, I do know how ARP works, but most users are simply not interested in such low-level filtering; they are, if at all, only concerned if a firewall will filter and protect on such a level.
    I try not to get too technical with my replies, as it could cause more confusion, so I simply try to stay with replying to the OP question, which I think I have answered.

    For those that are interested in ARP, I would suggest setting up a sniffer on 1 or 2 of the PCs on your own home LAN and then simply pinging the gateway (router) and other PC(s); you will soon see how ARP works. There are of course various white papers and sites that will give info, but how a firewall handles ARP is best left to actual testing/checking rather than documentation.

    Of course, if direct questions about ARP are given, then I certainly have no problem with giving direct technical replies with logs of such comms. But that would be for a new thread please.

    - Stem
     
  9. Escalader

    Escalader, Registered Member (Joined: Dec 12, 2005; Posts: 3,710; Location: Land of the Mooses)

    Hi Stem:

    Been busy on another thread, so just read this.

    Yes, I may very well be asking some direct questions on ARP on a new thread where we/you! could deal with "all things users wanted to ask about low level filtering" or some such wording.

    More later
     
  10. Bensec

    Bensec, Registered Member (Joined: Aug 4, 2008; Posts: 177; Location: China Changsha)

    Is this what you are looking for?



    AntiARP's feature

    The main features of AntiARP:

    1. Intercept incoming ARP attack. Intercept incoming spurious ARP packets in OS kernel to protect system to ensure a correct local ARP cache table.
    2. Intercept outgoing ARP attack. Intercept outgoing spurious ARP packets in OS kernel to reduce localhost's attacking others after affecting malicious programs.
    3. Intercept IP conflict. Intercept ARP packets of IP conflict in OS kernel to protect system from attack of IP conflict.
    4. Active defence. Actively keep communication with gateway and send the correct MAC address to gateway to keep smooth internet connection and communication security.

    Besides main features, there are AntiARP's assistant features which will help in the use of main features. They are:
    1. Intelligent Defense. Can detect and react to the condition when only the gateway is being ARP spoofed.
    2. Trusted Route Monitor. Can detect and react to condition when only the gateway is being ARP spoofed.
    3. ARP viruses cleaner. Can locate the local viruses when the localhost has outgoing ARP attacks.
    4. Prevent DoS attack. Intercept outgoing spurious DoS data packet of TCP SYN/UDP/ICMP/ARP in OS kernel, note the position of programs which send DoS attack maliciously, and ensure smooth internet connection.
    5. Safety mode. Never respond to ARP requests from other machines except the gateway, to have a hiding effect and reduce ARP attack. (Note: I think LNS can do this as well.)
    6. ARP flow analysis. Analyze all ARP packets localhost receives, monitor internet and find out potential attacker or infected machine.
    7. Monitor ARP cache table. Monitor and repair local ARP cache table automatically. If gateway's MAC address changed by malicious programs is found, alarms will ring and the false address will be fixed automatically.
    8. Locate attacker. When the software is aware of attack, it will quickly locate the IP address of attacker.
    9. Protect System Time. Prevent the system time from being changed by hostile programs, so as to prevent the invalidation of guarding software.
    10. IE startup page Protection. Prevent IE startup page being changed by hostile programs.
    11. ARP cache table protection. Prevent ARP cache table being changed by hostile programs.
    12. Self Protection. Prevent AntiARP itself being closed by hostile programs.
    13. Detect network management software in Local network, like netcut, etc.

    http://www.antiarp.com/English/e_about.htm

    This is a Chinese ARP firewall, which is quite popular here.
    The Chinese version is free if you don't mind sacrificing your browser homepage.
    The English version should also be free, I think, but it's a 15-day free trial.
    =( It is made-in-China
     
    Last edited: Sep 21, 2008