Locking down ARP and DNS

Discussion in 'LnS English Forum' started by daniel952, Oct 30, 2010.

Thread Status:
Not open for further replies.
  1. daniel952

    daniel952 Registered Member

    Joined:
    Jul 30, 2004
    Posts:
    71
    I'm looking for help in locking down ARP and DNS rules to prevent MITM attacks.
    I've heard mention of https from point to point, but I don't know how to create rules in LnS that would make use of its granularity. Because of the concerns mentioned, I am hesitant to make purchases online.
    How can I better secure ARP and DNS using the granular features of LnS?
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Have a look at this thread

On post #8 you will find download links for the SPF rules for DNS/DHCP/ARP and a rule for ARP anti-spoofing of the gateway (you need to add details of the gateway MAC/IP: instructions are in that thread).



    - Stem
     
  3. daniel952

    daniel952 Registered Member

    Joined:
    Jul 30, 2004
    Posts:
    71
    Stem,

    Thanks for the very informative post and reference, however I have a few questions for you or Frederic, or anyone else here that might have ideas about the proper use of the raw rules plugin.

    I have added the rules to LnS, but when I edit the rules and return to that rule, the edits are back to where I started with no change to the rules. I'm doing something wrong, but don't know how to correct that. How can I keep the imported rules from reverting back to before I edited it?

    I get a pop-up from LnS stating that "2 rules with the same reference" has been found. I'm assuming this is due to my making a copy of the MAC ARP-Antispoofing rule to use for the gateway, and the rule reverts back to its original form due to my not knowing how to properly edit the rules.

    I have version 2.03 of the raw rule plugin, but don't see how it's used other than to assume that it is automatic when opening a raw rule.

    Thanks for any help anyone can offer.
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The rule reference is stored in the rule options.

    For ARP SPF rules, look in the "SPF options IPV4"
    [image: ref.jpg]

    Change the ref number to one not being used. You will also need to change the ref number for the return/reply packet rule, which you will find in the same options in that rule.

    [image: resp ref.jpg]


    - Stem
     
  5. daniel952

    daniel952 Registered Member

    Joined:
    Jul 30, 2004
    Posts:
    71
    Stem,

    Thanks for your assistance, but it appears that your illustration does not represent what is seen when editing the ARP-Antispoof rule for MAC and Gateway. If your illustration does represent that rule, I have already had that one in place for years.

    I have entered both my gateway and MAC information with the correct EQUAL and NOT EQUAL values, as well as hexa-byte and decimal-byte values. After placing a check in the box beside 'active' in the upper right pane, then editing the reference number to be unique, all information within the rule disappears when the rule is closed and re-opened. Everything is gone!

    After placing a check in the box beside 'active' in the lower part of the window, then editing the reference number to be unique, all information remains intact. However when I go online, the 2 reference pop-up problem remains.

    After clicking SPF IPV4, should I activate the check box (reference) at the top of the rule window or at the bottom? I find that confusing because I don't understand the reasoning behind the add and check entry configs.
     
    Last edited: Nov 13, 2010
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The rule shown in my last post is the basic SPF ARP req rule; that was as an example of where the ref number is stored, as I thought you had a conflict of reference numbers.

    For the ARP anti-spoof, there is no reference number, as the rule is simply an inbound filter to make a comparison of the gateway IP with its MAC address.
    After you have correctly added the gateway MAC/IP into the rule (do not edit the options, leave them blank), make sure you click on "Apply" at the bottom right of the Internet filtering window, then click on "Save" (or "Save as") to save the rule-set.

    Sorry for any confusion I may have caused.

    - Stem
     
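The comparison Stem describes in the post above (an inbound filter that checks the sender of any ARP packet claiming the gateway's IP against the pinned gateway MAC) expressed as a stand-alone Python script, so the logic of the anti-spoof rule can be seen and tested independently of the firewall. This is an added example, not LnS's rule and not code from anyone in this thread; the gateway IP/MAC, the sample frames and the function names are placeholders constructed for illustration. It treats ARP requests the same as replies, because a forged sender field in a request also poisons a cache.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Assumed values for the example only: pin these to your real gateway.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:55"

ETHERTYPE_ARP = 0x0806
ARP_FRAME_LEN = 14 + 28  # Ethernet II header + IPv4-over-Ethernet ARP body


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


@dataclass
class ArpPacket:
    opcode: int          # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp(frame: bytes) -> Optional[ArpPacket]:
    """Parse an Ethernet II frame; return its ARP body, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ARP_FRAME_LEN:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return ArpPacket(
        opcode=oper,
        sender_mac=mac_str(frame[22:28]),
        sender_ip=ip_str(frame[28:32]),
        target_mac=mac_str(frame[32:38]),
        target_ip=ip_str(frame[38:42]),
    )


def verdict(pkt: ArpPacket, gw_ip: str = GATEWAY_IP, gw_mac: str = GATEWAY_MAC) -> str:
    """The anti-spoof check: anyone claiming the gateway IP must carry the gateway MAC."""
    if pkt.sender_ip == gw_ip and pkt.sender_mac.lower() != gw_mac.lower():
        return "BLOCK"
    return "ALLOW"


def check_frame(frame: bytes) -> str:
    """Apply the rule to a raw inbound frame: IGNORE (not ARP), ALLOW or BLOCK."""
    pkt = parse_arp(frame)
    if pkt is None:
        return "IGNORE"
    return verdict(pkt)


def build_arp_frame(opcode: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Construct a broadcast ARP frame (test input only, not a captured packet)."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


if __name__ == "__main__":
    # Constructed samples: a genuine gateway reply, a spoofed reply, a spoofed
    # request, an unrelated host's request and a non-ARP frame.
    samples = {
        "genuine gateway reply": build_arp_frame(2, GATEWAY_MAC, GATEWAY_IP, "aa:bb:cc:dd:ee:ff", "192.168.1.10"),
        "spoofed gateway reply": build_arp_frame(2, "de:ad:be:ef:00:01", GATEWAY_IP, "aa:bb:cc:dd:ee:ff", "192.168.1.10"),
        "spoofed gateway request": build_arp_frame(1, "de:ad:be:ef:00:01", GATEWAY_IP, "00:00:00:00:00:00", "192.168.1.10"),
        "other host request": build_arp_frame(1, "aa:bb:cc:dd:ee:ff", "192.168.1.10", "00:00:00:00:00:00", GATEWAY_IP),
        "non-ARP frame": b"\x00" * 60,
    }
    for name, frame in samples.items():
        print(f"{name:24s} -> {check_frame(frame)}")
```

The rule only pins the gateway; a MAC that is not the gateway's can still answer for any other host on the segment, so this protects the route that matters most for online purchases (traffic to the router) rather than every neighbour.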
  7. daniel952

    daniel952 Registered Member

    Joined:
    Jul 30, 2004
    Posts:
    71
    Thanks. I now understand that it was my misunderstanding of how to edit the rule that caused my further confusion. I created a second rule because I was under the impression that two rules were needed: one for the gateway, and another for the MAC. I now recognize that the drop-down box under hex and decimal allows the editing of separate values.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    You use "field" 2 and 3 to enter the MAC/IP; there are instructions on the thread I linked to, it is this post.

    The raw rules are a little confusing at first, but IMHO are worth learning.



    - Stem
     