Free Firewall that can filter ARP

Discussion in 'other firewalls' started by Xthink, Sep 13, 2008.

Thread Status:
Not open for further replies.
  1. Xthink

    Xthink Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    11
    Good day everyone!

    I'm currently using CFP and happy with it. IP/port scanning from other PCs on the same subnet shows that I'm stealth. I can't use testing from sites such as GRC etc. because I'm behind a router. Yesterday, I scanned my PC again from another PC using Colasoft MAC scanner, and to my surprise, the other PC saw my IP and MAC. I asked on Comodo's forum if there's any way (a rule or anything) to make me totally stealth to all PCs on my subnet other than the gateway and other trusted PCs, but I learned that CFP as of v3 (not yet sure about v3.5) does not yet support ARP filtering.

    Sorry for the long intro :oops: , I just want a recommendation for any good/free firewall that can handle ARP filtering. I've read about CHX-I but never tried it yet because I believe it's no longer being developed. I'm using WIPFW now (with CFP) but I don't see any ARP filtering rule.

    Thank you very much in advance for any suggestion. More power!
     
  2. Arup

    Arup Guest

    I can't figure this out, if you are behind a router with WAN ping disabled, your IP should be hidden.
     
  3. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    484
    Using Comodo Version 3 etc. do the following: open the firewall GUI: Click Firewall Tasks: Click Attack Detection Settings: Check Protect ARP Cache:
    Check Block Gratuitous ARP Frames & click Apply. Click Miscellaneous, check Block fragmented IP datagrams & Do protocol analysis. Apply. Suggest you also use PeerGuardian.
     
  4. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    You definitely should NOT mess with ARP unless you understand how ARP works. All sorts of serious routing and thus network connectivity issues will be the result otherwise.

    :blink: :eek:
     
  5. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    PCTools Firewall Plus
     
  6. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, I really doubt the other people replying here know what they are talking about.

    Neither CFP, nor PC Tools FW will make your machine invisible on your LAN (which clearly is the goal of the OP here, since "stealth" is not enough these days, we apparently need "super stealth" :rolleyes: ).

    ARP filtering (such as the "Block Gratuitous ARP Frames") there does something completely different - e.g. the above CFP function will block "unsolicited" ARP packets (more precisely said, packets that are not sent in reply to an ARP request). Doing so can result in an outdated ARP cache and broken routing, e.g. in case you replace a NIC on another machine on the same subnet. The goal here is to block potentially malicious updates of the ARP cache stored on your box which could cause a sort of man-in-the-middle attack, definitely NOT to make your box super-invisible.
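    An added illustration of the distinction drawn in the post above, not code from this thread or from any of the firewalls named in it: a minimal Python model of a "block unsolicited/gratuitous ARP" policy run over constructed ARP frames. It shows both halves of the point: a rogue reply that would re-point the gateway entry is dropped, but so is the gratuitous announcement from a LAN host that replaced its NIC, so that cache entry goes stale. All MACs and IPs are made-up sample values.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))

def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed sample Ethernet+ARP frame (not captured traffic)."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else tha
    return ETH_HDR.pack(dst, sha, ETHERTYPE_ARP) + ARP_PKT.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

def parse_arp(frame):
    """Return (op, sha, spa, tha, tpa); raise ValueError for anything that is not an ARP frame."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size or ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    return ARP_PKT.unpack_from(frame, ETH_HDR.size)[4:]

class ArpCacheGuard:
    """'Block unsolicited/gratuitous ARP' policy: only a reply answering our own request updates the cache."""
    def __init__(self):
        self.pending, self.cache = set(), {}   # IPs we asked about; ip bytes -> mac bytes

    def send_request(self, tpa):
        self.pending.add(tpa)

    def receive(self, frame):
        op, sha, spa, tha, tpa = parse_arp(frame)
        if op != ARP_REPLY:
            return "request"   # peers' requests get answered but never touch our cache in this model
        # gratuitous = announcement (e.g. a host with a new NIC); unsolicited = a reply nobody asked for,
        # the cache-poisoning vector. Only a solicited reply (answer to our own request) updates the cache.
        verdict = "gratuitous" if spa == tpa else "solicited" if spa in self.pending else "unsolicited"
        if verdict == "solicited":
            self.pending.discard(spa)
            self.cache[spa] = sha
        return verdict

def demo():
    """Constructed LAN: this host, the gateway, and a peer that later swaps its NIC."""
    me, gw, host = ip("192.168.1.10"), ip("192.168.1.1"), ip("192.168.1.50")
    my_mac, gw_mac, old_nic, new_nic = (mac(f"02:00:00:00:00:{x}") for x in ("10", "01", "50", "51"))
    g = ArpCacheGuard()
    for target, who in ((gw, gw_mac), (host, old_nic)):   # two ordinary resolutions we initiated
        g.send_request(target); g.receive(build_arp(ARP_REPLY, who, target, my_mac, me))
    rogue = g.receive(build_arp(ARP_REPLY, mac("02:00:00:00:00:99"), gw, my_mac, me))  # blocked: cache keeps gw_mac
    swap = g.receive(build_arp(ARP_REPLY, new_nic, host, new_nic, host))               # blocked too: entry goes stale
    return rogue, swap, g.cache[gw] == gw_mac, g.cache[host] == old_nic
```

Real stacks also learn from incoming requests and time entries out, which this model omits; the stale-entry outcome in the demo is exactly the "broken routing after a NIC swap" side effect the post describes.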
     
  7. Xthink

    Xthink Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    11
    It's a company router, all the PCs involved are inside the company's LAN. I scanned my PC from another PC on the same subnet using Colasoft MAC scanner and it is able to see my IP and MAC.

    Both are already checked.

    Regarding PeerGuardian, I used it before with CFP but there's no log for blocked/allowed IPs. I'm assuming CFP does the filtering first before it does. Please check https://forums.comodo.com/help_for_v3/peerguardian_still_needed-t27095.0.html that I also started.
     
  8. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Yeah, of course you are able to see your IP and MAC from LAN PCs on the same subnet - that's how switched ethernet works. There are legitimate goals to be attained by ARP filtering (such as prevention of ARP flood and/or ARP poisoning) and there are totally futile goals, such as the "super-stealthed mode" debated in this thread.

    To make the long story short - please forget this if the only thing you are after is making your PC invisible on your LAN and move on.
     
  9. Xthink

    Xthink Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    11
    Can't CHX-I, WIPFW or other layer 2 packet filter do it as I've read on some posts? No possibility at all?
     
  10. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, I guess I'm still unclear... Other things unchanged, discarding all ARP traffic will result in complete loss of your network connectivity, you can as well pull the network cable out. Should everyone implement this on your LAN, you'll be required to broadcast all packets received for your LAN to all hosts on that LAN, effectively meaning throw away all the nice switches and go back to stupid hubs, thus wasting network bandwidth in a horrible way and slowing down everything to a crawl. Where's the legitimate and useful purpose of this I totally fail to see.
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I am unclear as to your reaction and your replies to the OP.
    The OP did not ask to block all ARP on the LAN, just a question if other PCs on the LAN could be blocked from scanning with such as "Colasoft MAC scanner".


    - Stem
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Xthink, Welcome to Wilders,

    I am just going to download the colasoft mac scanner now to check against CHX-I
    Just give me a few minutes to setup.


    - Stem
     
  13. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Hmm?

    As explained above in detail, this doesn't serve any useful purpose and will cause more harm than it will solve.
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It will block other PCs on LAN from scanning. That is what the OP wants, so it is useful to the OP
    Not if rules are correctly created.
     
  15. Xthink

    Xthink Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    11
    Please bear with my ignorance and stubbornness :oops: . Quoted from an article I've read: "... Technically speaking, hubs operate using a broadcast model and switches operate using a virtual circuit model. When four computers are connected to a hub, for example, and two of those computers communicate with each other, hubs simply pass through all network traffic to each of the four computers. Switches, on the other hand, are capable of determining the destination of each individual traffic element (such as an Ethernet frame) and selectively forwarding data to the one computer that actually needs it. By generating less network traffic in delivering messages, a switch performs better than a hub on busy networks."

    If I understand it correctly, only the switch needs to know my IP and MAC, and it will be the one responsible for sending/returning requests/data to/from my PC and other PCs on the network or on the internet. Other PCs on the LAN have nothing to do with it. Please shed light on this. Thank you for your assistance.
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Xthink,

    In answer to your question.

    Yes, rules can be put in place in CHX-I so that only ARP from specific MAC addresses will be allowed, so those not allowed would be blocked. Which in effect can stop the Colasoft MAC scanner from seeing your PC.


    - Stem
     
  17. Xthink

    Xthink Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    11
    Thanks for the reply Stem.

    If I only allowed my gateway to see my MAC & IP, would it have any bad effect on my PC communicating with other PCs on the LAN or on my internet connection? Is there a need to also allow our servers, or would the switch take care of it? Could you please point me to the CHX-I download and documentation?

    CHX-I I believe is also free, right?
     
  18. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    I'd suggest starting with basics. You are only asking for networking trouble and achieving no additional security whatsoever.
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The direct filtering for ARP within CHX-I is limited. Placing rules to only allow ARP from specific PCs will limit inbound/outbound to only those MAC addresses you place. I will check to see if any conditional rules can be put in place to allow outbound, but unsolicited inbound from MAC addresses not allowed would be blocked.
    If you have a rule to only allow the gateway, then you would have no problem with connections to the Internet.


    Are the servers within the LAN?

    CHX-I is free, but there is no longer a download available (that I know of). Some users have uploaded CHX to file sharing servers, but unsure of those links or if they are still active. I could upload the version I have to rapidshare if required.

    - Stem
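    The reachability question running through this thread (doktornotor's point that dropping all ARP is the same as pulling the cable, Xthink's reading of the hub/switch article, and Stem's gateway-only rule above), worked through in an added Python model that is not from the thread or from CHX-I: a learning switch plus three hosts, where this host's ARP policy is either open, an allowlist holding only the gateway's MAC, or drop-all. All MACs and IPs are constructed sample values.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    """Learning switch: forwards by destination MAC, floods broadcast/unknown. It never resolves IPs."""
    def __init__(self):
        self.table, self.hosts = {}, []      # mac -> port (host object); attached hosts

    def attach(self, host):
        self.hosts.append(host); host.switch = self

    def transmit(self, frame, src):
        self.table[frame["src_mac"]] = src   # learn which port the sender sits on
        known = self.table.get(frame["dst_mac"])
        for h in ([known] if known else [h for h in self.hosts if h is not src]):
            h.receive(frame)

class Host:
    def __init__(self, ip, mac, arp_allow=None):
        self.ip, self.mac, self.cache, self.delivered = ip, mac, {}, []
        self.arp_allow = arp_allow   # None: accept ARP from anyone; set(): drop all ARP; {macs}: allowlist

    def arp_ok(self, frame):
        return self.arp_allow is None or frame["src_mac"] in self.arp_allow

    def receive(self, frame):
        if frame["type"] == "arp_req" and frame["tpa"] == self.ip and self.arp_ok(frame):
            self.switch.transmit({"type": "arp_rep", "src_mac": self.mac, "dst_mac": frame["src_mac"],
                                  "spa": self.ip, "sha": self.mac}, self)
        elif frame["type"] == "arp_rep" and self.arp_ok(frame):
            self.cache[frame["spa"]] = frame["sha"]
        elif frame["type"] == "ip" and frame["dst_mac"] == self.mac:
            self.delivered.append(frame["payload"])

    def send_ip(self, dst_ip, payload):
        """Resolve dst_ip via ARP if not cached, then send. False means the frame could not be addressed."""
        if dst_ip not in self.cache:
            self.switch.transmit({"type": "arp_req", "src_mac": self.mac, "dst_mac": BROADCAST, "tpa": dst_ip}, self)
        if dst_ip not in self.cache:
            return False
        self.switch.transmit({"type": "ip", "src_mac": self.mac, "dst_mac": self.cache[dst_ip], "payload": payload}, self)
        return True

GW_MAC, MY_MAC, PEER_MAC = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:50"   # constructed

def demo(arp_allow):
    """Constructed LAN: gateway, this host (given ARP policy), a peer. Returns (me->gw, peer->me, me->peer)."""
    sw, gw = Switch(), Host("192.168.1.1", GW_MAC)
    me, peer = Host("192.168.1.10", MY_MAC, arp_allow), Host("192.168.1.50", PEER_MAC)
    for h in (gw, me, peer): sw.attach(h)
    return me.send_ip(gw.ip, "out"), peer.send_ip(me.ip, "in"), me.send_ip(peer.ip, "lan")
```

With the gateway-only allowlist the Internet path still works while the peer can neither resolve this host nor be resolved by it; with drop-all nothing is deliverable, because the switch only forwards by MAC and it is the sending host, not the switch, that must learn that MAC through ARP.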
     
  20. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I have compiled an archive of all IDRCI software I have copies of:

     
  21. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    If I remember correctly Kerio (now Sunbelt) has inbuilt rules for TCP, UDP, ICMP and ARP. So if the scenario you mention is not covered, maybe you can add a manual rule for the same.

    If you look beyond free products, there are other products which I know can protect against ARP. Jetico v2, has something called ARP SPI.
    And for enterprise I have used eConceal Pro which has rulset ability for virtually every protocol imaginable.
     
  22. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
  23. Xthink

    Xthink Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    11
    Thanks a lot for the link AJohn. I will try it out. Any other links for documentation/rule building tutorial?

    That is what I want, to block all unsolicited inbound but allow the traffic I initiate.

    Servers are within the LAN.

    Thanks vijayind, but I believe Kerio is no longer updated (if you're talking about 2.15?) and the driver might be incompatible with the new drivers of SP2 or SP3. Besides, bugs are no longer fixed. Jetico 2 I think is not free.

    Einsturzende, Protoport would cost a fortune for me. It will only be for personal use. Thanks anyway.
     
  24. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
  25. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    I meant Kerio PF now Sunbelt PF.
    See here: http://www.pcauthority.com.au/Download/76249,sunbelt-kerio-personal-firewall-43744.aspx

    I asked one of my friends. He told me about this PF called SoftPerfect Personal Firewall.
    http://www.softperfect.com/products/firewall/
     