 From:  "Mohammed Ismail" <m dot ismael at gmail dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Anti netcut (was Re: [m0n0wall] m0n0wall 1.3b17)
 Date:  Fri, 1 May 2009 05:36:32 +0300
So it is layer 2, then we need layer 2 in m0n0wall.
What about broadcasting itself?
Tell everybody that m0n0wall is on MAC/IP every 1 sec,
like spoofing the client's ARP table each second.
How about this? Somehow it helps clients stay connected to m0n0wall
instead of the attacker,
and having a static ARP table in m0n0wall protects m0n0wall itself.
I put arp.txt containing a list of MAC/IP pairs
and tell m0n0wall to execute
arp -f /var/db/cpelements/arp.txt
The problem is we cannot afford switches capable of layer 2 filtering,
and there must be another solution, and it could be done with FreeBSD, I just
do not know how exactly, but I guess it will be a set of rules:
1- static ARP table
2- assign a /32 subnet mask to clients
3- spoof the network with m0n0wall's real MAC/IP pair every x sec
And notice that it is not only netcut and spoofing, there are also worms that ARP
poison the network, and such worms use the client's IP table, so if the client is
isolated in his own subnet mask, is that not enough?
Sorry for being annoying but it has been annoying me for a while,
Best Regards.


-----Original Message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com] 
Sent: Thursday, April 30, 2009 10:37 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Anti netcut (was Re: [m0n0wall] m0n0wall 1.3b17)

On Thu, Apr 30, 2009 at 5:22 PM, Mohammed Ismail <m dot ismael at gmail dot com> wrote:
> With Special requirements in DHCP server which FreeBSD provides,
> And the secondary IP option, IPfilter.
> if you assigned to a client with Default Gateway
> and block all traffic to except DHCP and DNS, ICMP 8 and 11 to
> Ping and trace route working
> this client will only see and talk with only.

No. ARP is layer 2, and unless you segregate the network into multiple
broadcast domains, or implement other controls on your switches,
you're doing nothing to prevent or limit ARP poisoning. It makes no
difference what IP or subnet you're using, if I'm on the same
broadcast domain as you and your switch doesn't prevent it, I can ARP
poison you.
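
The thread's plan rests on a static ARP list loaded with `arp -f` on the m0n0wall box, and Chris's point is that clients on the same broadcast domain are still poisonable. The script below is an added example, not code from the list or the m0n0wall project: it audits the firewall side, comparing an `arp -f` style pair file against `arp -an` output and reporting entries whose MAC changed, entries that never became permanent, and entries that vanished. The file contents and the `arp -an` lines are constructed samples; the path /var/db/cpelements/arp.txt and the MACs are assumed.

```python
import re
# Constructed contents of /var/db/cpelements/arp.txt (the path named in the
# thread), in the "host ether_addr [temp] [pub]" format FreeBSD's arp -f reads.
STATIC_PAIRS = """\
192.168.1.1  00:0c:29:aa:bb:01
192.168.1.10 00:11:22:33:44:10
192.168.1.11 00:11:22:33:44:11
192.168.1.12 00:11:22:33:44:12
"""
# Constructed `arp -an` output: .1 is the firewall's own permanent entry, .10 was
# learned dynamically, .11 now answers from another MAC, .12 has no complete entry.
ARP_AN_OUTPUT = """\
? (192.168.1.1) at 0:c:29:aa:bb:1 on fxp0 permanent [ethernet]
? (192.168.1.10) at 0:11:22:33:44:10 on fxp0 expires in 1180 seconds [ethernet]
? (192.168.1.11) at de:ad:be:ef:0:11 on fxp0 expires in 1199 seconds [ethernet]
? (192.168.1.12) at (incomplete) on fxp0 expired [ethernet]
"""
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+) ")

def norm_mac(mac):
    # FreeBSD's arp prints octets without leading zeros (0:c:29:...); pad them.
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_static_pairs(text):
    """IP -> MAC from an arp -f file; '#' comments and trailing flag words are ignored."""
    pairs = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            pairs[fields[0]] = norm_mac(fields[1])
    return pairs

def parse_arp_an(text):
    """IP -> (MAC, is_permanent) from arp -an output; incomplete entries do not match."""
    entries = {}
    for m in (ARP_LINE.search(line) for line in text.splitlines()):
        if m:
            entries[m["ip"]] = (norm_mac(m["mac"]), "permanent" in m.string)
    return entries

def audit(static_text, arp_text):
    """Return (ip, finding) for every static entry the live ARP table disagrees with."""
    expected, live = parse_static_pairs(static_text), parse_arp_an(arp_text)
    findings = []
    for ip, mac in expected.items():
        if ip not in live:
            findings.append((ip, "no complete entry in the ARP table"))
        elif live[ip][0] != mac:
            findings.append((ip, f"answers from {live[ip][0]}, static file has {mac}: possible poisoning"))
        elif not live[ip][1]:
            findings.append((ip, "entry is dynamic, so arp -f did not make it permanent"))
    return findings
```

On a real box, feed `audit()` the file and the output of `arp -an` from cron; a "possible poisoning" finding on the firewall side still says nothing about what the clients themselves have cached.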
