Free Firewall that can filter ARP

Good day everyone!

I'm currently using CFP and happy with it. IP/Port scanning from other pc's on the same subnet shows that I'm stealth. I can't use testing from sites such as GRC etc. because I'm behind s router. Yesterday, I scan again my pc from other pc using Colasoft MAC scanner, and to my surprise that other pc saw my ip and MAC. I asked on Comodo's forum if there's any way (a rule or anything) I should do to make me totally stealth to all pc's on my subnet other than the gateway and other trusted pc's, but I had learned that CFP as of v3 (not yet sure v3.5) does not support yet ARP filtering.

Sorry for the long intro , I just want recommendation for any good/free firewall that can handle ARP filtering. I've read about CHX-I but never tried it yet because i believe it's no longer being develop. I'm using WIPFW now (with CFP) but I don't see any ARP filtering rule.

Thank you very much in advance for any suggestion. More power!

 

I cant' figure this out, if you are behind a router with WAN ping disabled, your IP should be hidden.

 

Using Comodo Version 3 etc do the following: open the firewall GUI : Clk Firewall Tasks: Clk attack detection settings : Check Protect ARP Cache :
Check Block gratuitous Arp frames & Click apply. Click Miscellanous Check Block fragmented ip[ data grams & Do protocol analysis. Apply . Suggest you also use Peer Gaurdian.

 

You definitely should NOT mess with ARP unless you understand how is ARP working. All sorts of serious routing and thus network connectivity issues will be the result otherwise.

 

PCTools Firewall Plus

 

Well, I really doubt the other people replying here know what they are talking about.

Neither CFP, nor PC Tools FW will make your machine invisible on your LAN (which clearly is the goal of the OP here, since "stealth" is not enough these days, we apparently need "super stealth" ).

ARP filtering (such as the "Block Gratuitous ARP Frames") there does something completely different - e.g. the above CFP function will block "unsolicited" ARP packets (more precisely said, packets that are not sent in a reply to ARP request). Doing so can result in outdated ARP cache and broken routing e.g. in case you replace a NIC on another machine on the same subnet. The goal here is block potentially malicious updates of ARP cache stored on your box which could cause sort of a man-in-the-middle attack, definitely NOT to make your box super-invisible.

 

It's a company router, all the pc's involve are inside company's LAN. I scanned my pc from another pc on the same subnet using Colasoft MAC scanner and it is able to see my ip and MAC.

Both are already checked.

Regarding PeerGuardian, I'm using it before with CFP but there's no log for blocked/allowed ip's. I'm assuming CFP do the filtering first before it does. Please check https://forums.comodo.com/help_for_v3/peerguardian_still_needed-t27095.0.html that I also started.

 

Yeah, of course you are able to see your IP and MAC from LAN PCs on the same subnet - that's how switched ethernet works. There are legitimate goals to be attained by ARP filtering (such as prevention of ARP flood and/or ARP poisoning) and there are totally futile goals, such as the "super-stealthed mode" debated in this thread.

To make the long story short - please forget this if the only thing you are after is making your PC invisible on your LAN and move on.

 

Can't CHX-I, WIPFW or other layer 2 packet filter do it as I've read on some posts? No possibility at all?

 

Well, I guess I'm still unclear... Other things unchanged, discarding all ARP traffic will result in complete loss of your network connectivity, you can as well pull the network cable out. Should everyone implement this on your LAN, you'll be required to broadcast all packets received for your LAN to all hosts on that LAN, effectively meaning throw away all the nice switches and go back to stupid hubs, thus wasting network bandwidth in a horrible way and slowing down everything to a crawl. Where's the legitimate and useful purpose of this I totally fail to see.

 

I am unclear as to your reaction and your replies to the Op
The Op did not ask to block all ARP on the LAN, just a question if other PC`s on LAN could be blocked from scanning with such as "Colasoft MAC scanner"


- Stem

 

Hi Xthink, Welcome to Wilders,

I am just going to download the colasoft mac scanner now to check against CHX-I
Just give me a few minutes to setup.


- Stem

 

Hmm?

As explained above in detail, this doesn't serve any useful purpose and will cause more harm than it will solve.

 

It will block other PCs on LAN from scanning. That is what the OP wants, so it is useful to the OP

Not if rules are correctly created.

 

Please bear with my ignorance and stubbornness .Quoted from an article I've read "... . Technically speaking, hubs operate using a broadcast model and switches operate using a virtual circuit model. When four computers are connected to a hub, for example, and two of those computers communicate with each other, hubs simply pass through all network traffic to each of the four computers. Switches, on the other hand, are capable of determining the destination of each individual traffic element (such as an Ethernet frame) and selectively forwarding data to the one computer that actually needs it. By generating less network traffic in delivering messages, a switch performs better than a hub on busy networks. "

If I understand it correctly, only the switch needs to know my ip and MAC, and it will be the one responsible to send/return request/data to/from my pc and other pc's on the network or on the internet. Other pc's on the LAN has nothing to do with it. Please shed light on this. Thank you for assistance.

 

Hi Xthink,

In answer to your question.

Yes, rules can be put in place in CHX-I so that only ARP from specific MAC addresses will be allowed, so those not allowed would be blocked. Which in effect can stop the colasoft MAC scanner from seeing you PC.


- Stem

 

Thank for the reply Stem.

If I would only allow my gateway to see my MAC & ip, does it have any bad effect on my pc communicating to other pc's on the LAN or my internet connection? Is there a need to allow also our servers or the switch would take care of it? Could you please point me to CHX-I download and documentations?

CHX-I I believe is also free, right?

 

I'd suggest starting with basics. You are only asking for networking trouble and achieving no additional security whatsoever.

 

The direct filtering for ARP within CHX-I is limited. Placing rules to only allow ARP from specific PC`s will limit inbound/outbound to only those MAC addresses you place. I will check to see if any conditional rules can be put in place to allow outbound, but unsolicited inbound from MAC addresses not allowed would be blocked.
If you have a rule to only allow the gateway, then you would have no problem with connections to the Internet.

Are the servers within the LAN?

CHX-I is free, but there is no longer a download available (that I know of). Some users have uploaded CHX to file sharing servers, but unsure of those links or if they are still active. I could upload the version I have to rapidshare if required.

- Stem

 

I have compiled an archive of all IDRCI software I have copies of:

• Download link: http://www.mediafire.com/?sharekey=775e10bee7acd4a7ab1eab3e9fa335caa6e3f5bae0a54b62
• The file "chx3.0.msi" is the firewall you want.
• The folder "3.0 driver update" has updated drivers released by Stefan (programmer of this firewall) and includes instructions on how to update.
• There are other utilities there from IDRCI if you are interested in checking them out.

 

If I remember correctly Kerio (now Sunbelt) has inbuilt rules for TCP, UDP, ICMP and ARP. So if the scenario you mention is not covered, maybe you can add a manual rule for the same.

If you look beyond free products, there are other products which I know can protect against ARP. Jetico v2, has something called ARP SPI.
And for enterprise I have used eConceal Pro which has rulset ability for virtually every protocol imaginable.

 

Protoport can filter ARP, you can even create rules for ARP like you do for TCP, but it cost money ,here: http://www.protoport.com/index.firewall

screenie:

 

Thanks a lot for the link AJohn. I will try it out. Any other links for documentation/rule building tutorial?

That is what I want, to block all unsolicited inbound but allow the traffic I initiate.

Servers are within the LAN.

Thanks vijayind, but I believe Kerio is no longer updated (if your talking about 2.15?) and the driver might be incompatible to new drivers of SP2 or SP3. Besides, bugs are no longer fixed. Jetico 2 I think is not free.

Einsturzende, Protoport will cause fortune for me. It will only be for personal use. Thanks anyway.

 

Here is a link to a locally hosted ruleset released by Stef. It is made as a quickstarter for workstations: https://www.wilderssecurity.com/attachment.php?attachmentid=181269&d=1152979143

Here is the thread I found the link in: https://www.wilderssecurity.com/showthread.php?t=139070

Here are more: https://www.wilderssecurity.com/search.php?searchid=2474918

 

I meant Kerio PF now Sunbelt PF.
See here: http://www.pcauthority.com.au/Download/76249,sunbelt-kerio-personal-firewall-43744.aspx

I asked one of my friends. He told me about this PF called SoftPerfect Personal Firewall.

http://www.softperfect.com/products/firewall/