LnS for arp poison/arp virus

Discussion in 'LnS English Forum' started by dRag0nMa, Jun 17, 2008.

Thread Status:
Not open for further replies.
  1. dRag0nMa

    dRag0nMa Registered Member

    Joined:
    Aug 28, 2003
    Posts:
    79
    Location:
    SH China
    my rules:
    1>if src_MAC == my_MAC
    drop
    2>if src_IP == my_Ip
    drop
    3>if dst_MAC == ff:ff:ff:ff:ff:ff && dst_IP != my_IP
    drop
    3>if src_IP != router_IP && src_MAC == router_MAC
     
  2. daniel952

    daniel952 Registered Member

    Joined:
    Jul 30, 2004
    Posts:
    71

    Could you explain in detail why you believe this will help to protect against ARP poisoning and ARP viruses? I don't recall the ability to 'drop' ARP packets in LnS firewall, so wouldn't this block network access?

    Can someone clarify this?
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,

    ARP poisoning is a local issue. And if you're using a private IP address, then it's even less of an issue. Furthermore, arp is layer 2 communication, most "regular" firewalls can only control layer 3, so I'm not sure if this is possible ...

    Besides, if you use static ARP/IP pairs, then there's nothing to worry about.

    Mrk
     
  4. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    Do you mean by arp announcement - arp broadcast ("who has")?
    If so, it's useful and there's no reason to block it on a trusted network.
    Mrk
     
  6. dRag0nMa

    dRag0nMa Registered Member

    Joined:
    Aug 28, 2003
    Posts:
    79
    Location:
    SH China
    to Mrkvonic:
    for arp spoof and cache poison.
    to Phant0m:
    cool link!
    btw. the latest beta of your rule set has a small issue in offset.

    but
    i still have to send a reply package to my default gateway to tell it:
    hi guy, my_ip is @ my_mac
    damn it, have to use nemesis to finish this task under win32, i miss *nux.
     
  7. Accelerator

    Accelerator Registered Member

    Joined:
    Sep 25, 2008
    Posts:
    2
    can someone please explain how to add these rules
    i'm a beginner
    thanks in advance
     
  8. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    This can be done by standard rules (you don't need the raw rule edition plugin).
    Just select Inbound, and then follow the instructions for the Ethernet and IP source address selections. In the drop box you will find "equal my @" / "different from my @" criteria.

    Frederic
     
  9. Accelerator

    Accelerator Registered Member

    Joined:
    Sep 25, 2008
    Posts:
    2
    thanks Frederic

    i understood that these 3 are 1 rule

    1>if src_MAC == my_MAC
    drop
    2>if src_IP == my_Ip
    drop
    3>if dst_MAC == ff:ff:ff:ff:ff:ff && dst_IP != my_IP

    now the fourth one is another rule
    3>if src_IP != router_IP && src_MAC == router_MAC
    but what will be the destination
     
  10. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    For me you have 3 different rules for 1>, 2> and 3>.
    For the second 3>, I'm not sure what the real intention of dRag0nMa was. If he wanted to indicate that these packets have to be allowed, then the destination should be my IP or my MAC.

    Frederic
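The following is an added example, not code from the thread and not part of Look 'n' Stop: a small Python parser for Ethernet/ARP frames plus an evaluator that applies dRag0nMa's four inbound rules in order, with the static ARP/IP pairing Mrkvonic mentions as a final check. The addresses, the sample frames and the helper names are constructed. Two mappings are assumptions: the rules' src_IP / dst_IP are read as the ARP sender / target protocol addresses, and rule 4 (which has no action in the post, and whose intent Frederic says is unclear) is reported as "review" rather than drop or accept.

```python
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed local context: assumed addresses, not values from the thread.
MY_MAC = "00:11:22:33:44:55"
MY_IP = "192.168.1.10"
ROUTER_MAC = "aa:bb:cc:dd:ee:01"
ROUTER_IP = "192.168.1.1"

# Static ARP/IP pairs, as Mrkvonic suggests: the gateway mapping is pinned.
STATIC_PAIRS = {ROUTER_IP: ROUTER_MAC}


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(dst_mac, src_mac, oper, sha, spa, tha, tpa):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the fields the rules look at, or None if the frame is not ARP."""
    if len(frame) < 42:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "oper": oper,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def evaluate(arp):
    """Apply the thread's inbound rules in order; returns (verdict, reason).
    src_IP / dst_IP from the rules are mapped onto the ARP sender / target
    protocol addresses (an assumption; the thread does not say)."""
    if arp["src_mac"] == MY_MAC:
        return "drop", "rule 1: frame claims my MAC as its source"
    if arp["sender_ip"] == MY_IP:
        return "drop", "rule 2: sender IP is my IP"
    if arp["dst_mac"] == BROADCAST_MAC and arp["target_ip"] != MY_IP:
        # Drops "who has" requests for other hosts (harmless on a trusted LAN).
        return "drop", "rule 3: broadcast not aimed at my IP"
    if arp["sender_ip"] != ROUTER_IP and arp["sender_mac"] == ROUTER_MAC:
        # Rule 4 has no action in the post; flagged for review here (assumption).
        return "review", "rule 4: router MAC with a non-router IP"
    pinned = STATIC_PAIRS.get(arp["sender_ip"])
    if pinned is not None and pinned != arp["sender_mac"]:
        return "drop", "static pair: gateway IP offered from a different MAC"
    return "accept", "no rule matched"


ZERO_MAC = "00:00:00:00:00:00"
OTHER_MAC = "de:ad:be:ef:00:01"

# Constructed sample frames, one per case the rules should handle.
SAMPLES = {
    "gateway_reply": build_arp(MY_MAC, ROUTER_MAC, 2, ROUTER_MAC, ROUTER_IP, MY_MAC, MY_IP),
    "my_mac_as_source": build_arp(BROADCAST_MAC, MY_MAC, 1, MY_MAC, "192.168.1.77", ZERO_MAC, MY_IP),
    "my_ip_as_sender": build_arp(MY_MAC, OTHER_MAC, 2, OTHER_MAC, MY_IP, MY_MAC, MY_IP),
    "who_has_other_host": build_arp(BROADCAST_MAC, OTHER_MAC, 1, OTHER_MAC, "192.168.1.20",
                                    ZERO_MAC, "192.168.1.30"),
    "router_mac_other_ip": build_arp(MY_MAC, ROUTER_MAC, 2, ROUTER_MAC, "192.168.1.99", MY_MAC, MY_IP),
    "gateway_ip_other_mac": build_arp(MY_MAC, OTHER_MAC, 2, OTHER_MAC, ROUTER_IP, MY_MAC, MY_IP),
}


def classify_all(samples=SAMPLES):
    """Parse and evaluate every sample frame; returns {name: verdict}."""
    results = {}
    for name, frame in samples.items():
        arp = parse_arp(frame)
        results[name] = evaluate(arp)[0] if arp else "not-arp"
    return results


if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:22s} -> {evaluate(parse_arp(frame))}")
```

Note that rules 1 to 4 as posted never catch the classic case of the gateway's IP being offered from some other MAC; it is the pinned static pair (the last check) that drops `gateway_ip_other_mac`, which is why Mrkvonic's suggestion matters more than the rules themselves.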
     