[Snort-users] ARP

Matt Kettler mkettler at ...4108...
Wed Sep 11 09:06:03 EDT 2002

Of course, this rule won't block the ARP packets... ARP packets aren't 
routable, thus must be originating in your ethernet broadcast domain.

I'm guessing that you have a PIX firewall, or other firewall with the 
"proxy arp" feature, and a host machine on the inside which is configured 
for a netmask of /0. I bet you'll find the returned MAC address will be the 
router interface. Proxy-arp firewalls will answer arps for anything they 
have a route to that is not within the subnet of that interface. This winds 
up "fixing" hosts which don't have a proper gateway set, by catching when 
they ARP for IPs outside the local net and generating a reply based on 
routing tables.

I'm not a big fan of the feature myself. I tend to feel broken hosts 
should remain broken until they have a gateway set.

At 08:52 AM 9/11/2002 -0400, McCammon, Keith wrote:
>[OT, but...]
> > Secondly Can i block this ip address using router...
>access-list 110 deny ip any log
>access-list 110 permit ip any any
>Insert standard disclaimers.  Apply to interface(s) as needed using:
>ip access-group 110 in|out
>In remembrance
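To make the proxy-ARP behaviour described in the reply concrete, the following is an added example (not code from the original post or from either poster). It models the decision a proxy-ARP device makes, answer an ARP request only when the target lies outside the interface's own subnet and a route to it exists, and then runs the defender-side check that follows from it: grouping observed ARP replies by MAC and flagging any MAC that answers for addresses outside the local segment, which is the pattern that points at a proxy-ARP router standing in for a misconfigured host. The subnet, MACs and replies are constructed sample values, not data from the post.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the local segment is assumed to be 192.168.1.0/24.
LOCAL_SUBNET = ipaddress.ip_network("192.168.1.0/24")

# Constructed ARP replies as (sender IP, sender MAC) pairs, the way a sniffer
# on the segment would record them.  00:00:0c:07:ac:01 plays the router's
# interface MAC; it answers for addresses it merely has a route to.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:00:0c:07:ac:01"),   # router's own address, legitimate
    ("192.168.1.20", "00:11:22:33:44:55"),  # ordinary local host
    ("8.8.8.8", "00:00:0c:07:ac:01"),       # off-subnet IP answered with router MAC
    ("198.51.100.7", "00:00:0c:07:ac:01"),  # off-subnet IP answered with router MAC
    ("192.168.1.21", "00:11:22:33:44:66"),  # ordinary local host
]


def proxy_arp_would_reply(target_ip, iface_network, routes):
    """Model of the proxy-ARP decision: reply to an ARP request for target_ip
    only if it is outside the interface's own subnet and a route covers it.

    routes is a list of prefixes in CIDR form; "0.0.0.0/0" is a default route.
    """
    ip = ipaddress.ip_address(target_ip)
    if ip in iface_network:
        # Addresses on the interface's own subnet are left to the real owner.
        return False
    return any(ip in ipaddress.ip_network(r) for r in routes)


def find_proxy_arp_responders(replies, local_subnet):
    """Detection side: return {mac: [off-subnet IPs it answered for]}.

    A host with a sane netmask never ARPs for off-subnet addresses, so any
    MAC that answers such requests is either a proxy-ARP device or something
    impersonating one; either way it is worth a look.
    """
    by_mac = defaultdict(list)
    for ip, mac in replies:
        if ipaddress.ip_address(ip) not in local_subnet:
            by_mac[mac.lower()].append(ip)
    return dict(by_mac)


if __name__ == "__main__":
    # A host with netmask /0 ARPs for 8.8.8.8; a router with a default route replies.
    print(proxy_arp_would_reply("8.8.8.8", LOCAL_SUBNET, ["0.0.0.0/0"]))
    # The same router does not answer for a neighbour on its own subnet.
    print(proxy_arp_would_reply("192.168.1.5", LOCAL_SUBNET, ["0.0.0.0/0"]))
    # Which MACs on the sample segment answered for off-subnet addresses?
    print(find_proxy_arp_responders(SAMPLE_ARP_REPLIES, LOCAL_SUBNET))
```

Running it against the constructed replies reports only the router MAC, with the two off-subnet addresses it answered for; if the reported MAC is not your router's interface, the ARP replies are coming from somewhere else and the "broken host" explanation no longer fits.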
