 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Anti netcut (was Re: [m0n0wall] m0n0wall 1.3b17)
 Date:  Thu, 30 Apr 2009 16:36:49 -0400
On Thu, Apr 30, 2009 at 5:22 PM, Mohammed Ismail <m dot ismael at gmail dot com> wrote:
>
> With special requirements in the DHCP server which FreeBSD provides,
> and the secondary IP option, IPFilter:
> if you assigned a client 10.10.10.30/32 with default gateway 1.1.1.1
> and block all traffic to 10.0.0.1 except DHCP and DNS, ICMP 8 and 11 to have
> ping and traceroute working,
> this client will only see and talk with 1.1.1.1.
>

No. ARP is layer 2, and unless you segregate the network into multiple
broadcast domains, or implement other controls on your switches,
you're doing nothing to prevent or limit ARP poisoning. It makes no
difference what IP or subnet you're using: if I'm on the same
broadcast domain as you and your switch doesn't prevent it, I can ARP
poison you.
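To make the layer-2 point concrete from the monitoring side, here is an added example that is not part of the thread: a small Python ARP parser that watches the gateway IP from the scenario above (1.1.1.1) and reports whenever a different MAC starts answering for it. The frames are constructed sample data and the MAC addresses are invented; the client's /32 assignment and firewall rules never enter into it, which is exactly why they cannot stop poisoning.

```python
import struct

# Ethernet header: dst MAC, src MAC, EtherType. ARP body (RFC 826, IPv4 over Ethernet):
# htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP.
ETH_HDR = struct.Struct("!6s6sH")
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP, ETHERTYPE_IPV4, ARP_REPLY = 0x0806, 0x0800, 2

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None if not ARP."""
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)

def detect_arp_conflicts(frames, watched_ips):
    """Track the MAC each watched IP claims in ARP replies; report every change.
    Returns a list of (ip, previously_seen_mac, new_mac). Only the layer-2 binding is
    consulted: the victim's IP assignment and IP filter rules play no part."""
    seen, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sha, spa, _, _ = parsed
        if op != ARP_REPLY or spa not in watched_ips:
            continue
        if spa in seen and seen[spa] != sha:
            alerts.append((spa, seen[spa], sha))
        seen[spa] = sha
    return alerts

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet/ARP reply frame; used here only to construct sample input."""
    return (ETH_HDR.pack(target_mac, sender_mac, ETHERTYPE_ARP)
            + ARP_HDR.pack(1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY, sender_mac,
                           ip_bytes(sender_ip), target_mac, ip_bytes(target_ip)))

# Constructed sample capture (invented MACs): the client holds 10.10.10.30/32 with gateway
# 1.1.1.1; later another host on the same broadcast domain answers for 1.1.1.1 itself.
GATEWAY_MAC, CLIENT_MAC, OTHER_MAC = (bytes.fromhex(h) for h in ("00005e000101", "0200000000aa", "020000000099"))
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, "1.1.1.1", CLIENT_MAC, "10.10.10.30"),
    ETH_HDR.pack(CLIENT_MAC, GATEWAY_MAC, ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19,  # plain IPv4, skipped
    build_arp_reply(OTHER_MAC, "1.1.1.1", CLIENT_MAC, "10.10.10.30"),
]
```

Running `detect_arp_conflicts(SAMPLE_FRAMES, {"1.1.1.1"})` yields one alert showing 1.1.1.1 moving from the gateway's MAC to the other host's MAC; on a real network you would feed it frames from a promiscuous capture instead of the constructed list.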