Adrian Mak
2007-Aug-06 22:57 UTC
how do I use shorewall to protect server from ARP spoofing attack ?
My firewall is using shorewall 3.0.x and CentOS Recently, I found that firewall is attaching from ARP spoofing.. There are a lot of "out of socket memory" in messages log ------------------------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/
Tom Eastep
2007-Aug-07 14:18 UTC
Re: how do I use shorewall to protect server from ARP spoofing attack ?
Adrian Mak wrote:> My firewall is using shorewall 3.0.x and CentOS > Recently, I found that firewall is attaching from ARP spoofing.. > There are a lot of "out of socket memory" in messages logShorewall has no capability to filter ARP frames. That must be done using the ''arpfilter'' utility. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key ------------------------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/
Andrew Suffield
2007-Aug-07 18:03 UTC
Re: how do I use shorewall to protect server from ARP spoofing attack ?
On Tue, Aug 07, 2007 at 07:18:34AM -0700, Tom Eastep wrote:> Adrian Mak wrote: > > My firewall is using shorewall 3.0.x and CentOS > > Recently, I found that firewall is attaching from ARP spoofing.. > > There are a lot of "out of socket memory" in messages log > > Shorewall has no capability to filter ARP frames. That must be done using > the ''arpfilter'' utility.Not that it''s likely to help you much, as it''s impossible for the receiving host to tell which ARP packets are spoofed. ARP always originates on the local network, so look at which interface it is coming from, follow the wire, find the person responsible and hit them repeatedly until they stop. It may be an out-of-control zeroconf device or something trying to use RARP and failing. Printers are common offenders, as their network stacks universally suck. ------------------------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/
Cristian Rodriguez R.
2007-Aug-09 04:14 UTC
Re: how do I use shorewall to protect server from ARP spoofing attack ?
Adrian Mak escribió:> There are a lot of "out of socket memory" in messages logThis message can be caused by other things, what makes you think that your are being victim of an (intentional) attack ?? ------------------------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/