Free Firewall that can filter ARP

Discussion in 'other firewalls' started by Xthink, Sep 13, 2008.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Unfortunately there is no way I can see of creating a conditional rule for ARP.


    Then ARP rules would need to be made to allow them.


    - Stem
     
  2. Xthink

    Xthink Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    11
    Meaning either allow or deny only? No outbound to blocked MAC?
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes.

    You are looking at allowing/blocking inbound ARP, so you either need to set rules to allow what you want (that then blocks all else) or block what is not wanted (which then allows all else)



    ARP is required in both directions for LAN connections to work.


    - Stem
     
  4. Xthink

    Xthink Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    11
    Thanks for clarification Stem, but I guess it's only half of what I wanted. Let's say I'm looking for Layer 2 SPI, which I'm not sure if possible or if already have security tools out there that can do that.

    Do you think CHX-I compliment CFP which I'm currently using or is it just redundant? Or any suggestion for better firewall to compliment CHX-I?
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The ARP security tools currently available are mainly for protection against attack/spoofing, not for filtering specific addresses to allow/block.
    Most firewall vendors attempt to make MAC filtering based on the same.
    I have not yet seen a free firewall that will give you the MAC filtering that you require, as there would be a need for a state table for MAC filtering. to allow replies based on outbound.

    Personally I would not advise you to install 2 firewalls/low level packet filters, there can be underlying conflicts.


    - Stem
     
  6. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    How can I check this?
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Suggest you ask Stem about ARP filtering, he does know the technical details.

    The issues you raise in your OP are important and answering them is above my pay scale. 1 in a 1000 understand ARP IMHO. If a free FW can do it good but when free that is what users sometimes get in value.

    Lets wait for Stem's answers.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,


    Yes, I do know how ARP works, but most users are simply not interested in such low level filtering, they are, if at all, only concerned if a firewall will filter and protect on such a level.
    I try not to get too technical with my replies, as it could cause more confusion, so I simply try to stay with replying to the OP question, which I think I have answered.

    Those that are interested with ARP, then I would suggest setting up a sniffer on 1 or 2 of your PC`s on your own home LAN and then simply pinging the gateway(router) and other PC(s), you will soon see how ARP works ,.. there are of course various white papers and sites that will give info, but as to how a firewall handles ARP is best left to actual testing/checking rather than documentation.


    Of course, If direct questions about ARP are given, then I certainly have no problem with giving direct technical replies with logs of such comms. But that would be for a new thread please.

    - Stem
     
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hi Stem:

    Been busy on another thread, so just read this.

    Yes, I may very well be asking some direct questions on ARP on a new thread where we/you! could deal with "all things users wanted to ask about low level filtering" or some such wording.

    More later
     
  10. Bensec

    Bensec Registered Member

    Joined:
    Aug 4, 2008
    Posts:
    177
    Location:
    China Changsha
    is this waht are you looking for ?



    AntiARP's feature

    The main features of AntiARP:

    1. Intercept incoming ARP attack. Intercept incoming spurious ARP packets in OS kernel to protect system to ensure a correct local ARP cache table.
    2. Intercept outgoing ARP attack. Intercept outgoing spurious ARP packets in OS kernel to reduce localhost's attacking others after affecting malicious programs.
    3. Intercept IP conflict. Intercept ARP packets of Ip conflict in OS kernel to protect system from attack of IP conflict.
    4. Active defence. Actively keep communication with gateway and send the correct MAC address to gateway to keep smooth internet connection and communication security.

    Besides main features, there are AntiARP's assistant features which will help in the use of main features. They are:
    1. Intelligent Defense. Can detect and react to the condition when only the gateway is being ARP spoofed.
    2. Trusted Route Monitor. Can detect and react to condition when only the gateway is being ARP spoofed.
    3. ARP viruses cleaner. Can locate the local viruses when the localhost has outgoing ARP attacks.
    4. Prevent Dos attack. Intercept outgoing spurious DoS data packet of TCP SYN/UDP/ICMP/ARP in OS kernel, note the position of programs which send Dos attack maliciously, and ensure smooth internet connection.
    5. Safety mode. Never response ARP request from other machine except gateway to have a hiding effect and reduce ARP attack.(Note :I think LNS can do this as well.)
    6. ARP flow analysis. Analyze all ARP packets localhost receives, monitor internet and find out potential attacker or infected machine.
    7. Monitor ARP cache table. Monitor and repair local ARP cache table automatically. If gateway's MAC address changed by malicious programs is found, alarms will ring and the false address will be fixed automatically.
    8. Locate attacker. When the software is aware of attack, it will quickly locate the IP address of attacker.
    9. Protect System Time. Prevent the system time from being changed by hostile programs so that to prevent the invalidation of guarding softwares.
    10. IE startup page Protection. Prevent IE startup page being changed by hostile programs.
    11. ARP cache table protection. Prevent ARP cache table being changed by hostile programs.
    12. Self Protection. Prevent AntiARP itself being close by hostile programs.
    13. Detect network management software in Local network, like netcut, etc.

    http://www.antiarp.com/English/e_about.htm

    this is an chinese arpfirewall, which is quite popular here.
    the chinese version is free if you dont mind sacrificing your browser homepage
    the english version should also be free, I think. but its 15 days free trial.
    =( It is made-in-china
     
    Last edited: Sep 21, 2008
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.