 From:  "Mohammed Ismail" <m dot ismael at gmail dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Anti netcut (was Re: [m0n0wall] m0n0wall 1.3b17)
 Date:  Fri, 1 May 2009 07:37:30 +0300
I used to have all MAC addresses in the ARP table the same.
I used Wireshark; I saw those ARP packets poisoning everything.
Then I started using the DHCP server and collected a table of all clients
connected to the m0n0wall.
After that I had an arp.txt file uploaded in the file manager,
and in config.xml a command to be executed at every startup to use arp.txt
as the static ARP table.
After that the logging changed.
It tells me that kernel: arp: MAC address attempts to modify permanent
entry for x.x.x.x 00:00:00:00:00:00.
It gives me the spoofer's MAC address.
Now I could look up the MAC in my DHCP static leases to know the spoofer, but
the spoofer could change his MAC every minute :) and use a fake one, so I
could not catch him unless I started unplugging cables, which is nearly
impossible because of switching; it is like 20 switches in 20 different
buildings.
100-client network sharing a 2Mb/s ADSL 1/4 line, each having 256/64 kb/s down/up
speed, and using 1.3b13 it is working smoothly.
Only the ARP thing.
After static ARP the server is protected, but clients are not.
That's all.

Sincere regards 
Mohammed Ismail. 
-----Original Message-----
From: Steve Bertrand [mailto:steve at ibctech dot ca] 
Sent: Friday, May 01, 2009 7:18 AM
To: Mohammed Ismail
Cc: 'Lee Sharp'; m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Anti netcut (was Re: [m0n0wall] m0n0wall 1.3b17)

Mohammed Ismail wrote:
> You miss the point: they do it on regular switched Ethernet,
> just the cheapest switches, and clients are not seeing each other.
> I really cannot change from m0n0wall; I have already been using it for more than
> 2 years, and my clients are satisfied with the fascinating, easy web interface.

Do all of your users connect with Ethernet cable, like this?:

	-----------
	| m0n0wall|
	-----------
	    |
	    |
	-----------
	| switch  |
	-----------
	 |    |   |
	/     |    \
	|     |	    |
      client  |	  client
	      |
	    client


> I might migrate to pfSense, but there is nothing really much there. I look to
> m0n0wall as the standard for me; all that I need is in one small image.
> In other words, I believe there will be a solution or semi-solution on
> m0n0wall.

You don't want users to get the default gateway, if they are not
allowed. Is that right?

Is that all you want to stop from happening?

Steve
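The approach Mohammed describes above (a static ARP table loaded from the DHCP lease list, then watching the kernel's "attempts to modify permanent entry" messages) can be turned into a small defender-side tool. The example below is added here and is not code from the thread or from m0n0wall; the lease table, interface name and log lines are constructed samples, and it assumes the FreeBSD `arp -f` file format and the FreeBSD kernel's ARP log message wording.

```python
import re

# Constructed DHCP static leases (hostname, IP, MAC); not taken from the thread.
STATIC_LEASES = [
    ("office-pc1", "192.168.1.10", "00:11:22:33:44:55"),
    ("office-pc2", "192.168.1.11", "00:11:22:33:44:66"),
    ("lab-printer", "192.168.1.20", "00:11:22:33:44:77"),
]

# Constructed kernel log lines in the shape FreeBSD emits when a permanent
# ARP entry is challenged (the message the thread quotes). Interface name
# and timestamps are made up; one unrelated dhcpd line is included as noise.
SAMPLE_LOG = """\
May  1 06:58:01 m0n0wall kernel: arp: 00:de:ad:be:ef:01 attempts to modify permanent entry for 192.168.1.10 on sis0
May  1 06:58:03 m0n0wall kernel: arp: 00:de:ad:be:ef:01 attempts to modify permanent entry for 192.168.1.11 on sis0
May  1 06:58:04 m0n0wall kernel: arp: 00:11:22:33:44:66 attempts to modify permanent entry for 192.168.1.11 on sis0
May  1 06:59:10 m0n0wall kernel: arp: 02:ca:fe:00:00:02 attempts to modify permanent entry for 192.168.1.20 on sis0
May  1 06:59:11 m0n0wall dhcpd: DHCPREQUEST for 192.168.1.30 from 00:11:22:33:44:88 via sis0
"""

ARP_LOG_RE = re.compile(
    r"arp: (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) attempts to modify "
    r"permanent entry for (?P<ip>\d{1,3}(?:\.\d{1,3}){3})", re.IGNORECASE)

def build_arp_file(leases):
    """Render the leases as an `arp -f` file: one 'host ether_addr' per line."""
    return "".join(f"{ip} {mac.lower()}\n" for _, ip, mac in leases)

def analyze(log_text, leases):
    """Classify challenge events: a MAC that is the lease owner of the IP
    means arp.txt is stale; any other MAC is a poisoning attempt."""
    owner = {ip: mac.lower() for _, ip, mac in leases}
    attempts, stale = {}, []
    for line in log_text.splitlines():
        m = ARP_LOG_RE.search(line)
        if not m:
            continue
        mac, ip = m["mac"].lower(), m["ip"]
        if owner.get(ip) == mac:
            stale.append((ip, mac))
        else:
            attempts.setdefault(mac, set()).add(ip)
    return attempts, stale

def identify(mac, leases):
    """Map an offending MAC back to a lease hostname, if it is a real client."""
    for host, _, lease_mac in leases:
        if lease_mac.lower() == mac.lower():
            return host
    return None  # not in the leases: likely a forged or randomised MAC
```

Grouping events by offending MAC shows which protected IPs each one tried to take over; a MAC that returns `None` from `identify` is exactly the "fake one" case the thread complains about, which is where port-level evidence (switch MAC tables) has to take over from the firewall's logs.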