LnS for arp poison/arp virus

my rules:
1>if src_MAC == my_MAC
drop
2>if src_IP == my_Ip
drop
3>if dst_MAC == ff:ff:ff:ff:ff:ff && dst_IP != my_IP
drop
3>if src_IP != router_IP && src_MAC == router_MAC

 

Could you explain in detail why you believe this will help to protect against ARP poisoning and ARP viruses? I don't recall the ability to 'drop' ARP packets in LnS firewall, so wouldn't this block network access?

Can someone clarify this..

 

Hello,

ARP poisoning is a local issue. And if you're using a private IP address, then it's even less of an issue. Furthermore, arp is layer 2 communication, most "regular" firewalls can only control layer 3, so I'm not sure if this is possible ...

Besides, if you use static ARP/IP pairs, then there's nothing to worry about.

Mrk

 

http://www.mntolympus.org/SPFSPIFWS.html might help, take a gander.

 

Hello,
Do you mean by arp announcement - arp broadcast ("who has")?
If so, it's useful and there's no reason to block it on a trusted network.
Mrk

 

to Mrkvonic:
for arp spoof and cache poison.
to Phant0m:
cool link!
btw.the latest beta of your rules set has a small issue in offset.

but
i still have to send a repy package to my default gateway to tell it:
hi guy, my_ip is @ my_mac
damn it, have to use nemesis to finish this task under win32, i miss *nux.

 

can someone please explain how to add these rules
i'm a beginner
thanks inadvance

 

This can be done by standard rules (you don't need the raw rule edition plugin).
Just select Inbound, and then follow the instructions for the Ethernet and IP source address selections. In the drop box you will find "equal my @" / "different from my @" criteria.

Frederic

 

thanks Frederic

i understood that these 3 are 1 rule

1>if src_MAC == my_MAC
drop
2>if src_IP == my_Ip
drop
3>if dst_MAC == ff:ff:ff:ff:ff:ff && dst_IP != my_IP

now the fourth one is another rule
3>if src_IP != router_IP && src_MAC == router_MAC
but what will be the destination

 

For me you have 3 different rules for 1>, 2> and 3>.
For the second 3>, I'm not sure what was the real intention of dRag0nMa. If he wanted to indicate these packets have to be allowed, then the destination should my IP, or my MAC.

Frederic