[Snort-users] ARP

Matt Kettler mkettler at ...4108...
Wed Sep 11 09:06:03 EDT 2002


Of course, this rule won't block the ARP packets... ARP packets aren't 
routable, thus must be originating in your ethernet broadcast domain.

I'm guessing that you have a PIX firewall, or other firewall with the 
"proxy arp" feature, and a host machine on the inside which is configured 
for a netmask of /0. I bet you'll find the returned MAC address will be the 
router interface. Proxy-arp firewalls will answer arps for anything they 
have a route to that is not within the subnet of that interface. This winds 
up "fixing" hosts which don't have a proper gateway set, by catching when 
they ARP for IPs outside the local net and generating a reply based on 
routing tables.

I'm not a big fan of the feature myself. I tend to feel broken hosts 
should remain broken until they have a gateway set.

At 08:52 AM 9/11/2002 -0400, McCammon, Keith wrote:
>[OT, but...]
>
> > Secondly Can i block this ip address using router...
>
>access-list 110 deny ip 204.141.0.0 0.0.255.255 any log
>access-list 110 permit ip any any
>
>Insert standard disclaimers.  Apply to interface(s) as needed using:
>
>ip access-group 110 in|out
>
>
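An added example, not code from either poster: a small check that models the two halves of Matt's explanation. `offsubnet_requesters` scans constructed tcpdump-style ARP "who-has" lines for a host that ARPs for addresses outside its own subnet (the /0-netmask symptom), and `proxy_arp_replies` models the proxy-ARP decision: answer only when the target is off the interface subnet and covered by a route. The subnet, routes and log lines are assumptions chosen for illustration.

```python
import ipaddress

# Constructed ARP request lines in tcpdump "who-has TARGET tell SENDER" form.
# 10.0.0.55 asks for off-subnet addresses, as a host with a /0 netmask would.
ARP_LOG = """\
who-has 10.0.0.1 tell 10.0.0.55
who-has 204.141.7.9 tell 10.0.0.55
who-has 10.0.0.99 tell 10.0.0.12
who-has 8.8.8.8 tell 10.0.0.55
"""


def parse_arp_requests(text):
    """Return (sender, target) address pairs from who-has/tell lines."""
    reqs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "who-has" and parts[2] == "tell":
            reqs.append((ipaddress.ip_address(parts[3]),
                         ipaddress.ip_address(parts[1])))
    return reqs


def offsubnet_requesters(text, local_net):
    """Map each sender to the off-subnet targets it ARPed for.

    A host that ARPs for addresses outside local_net has no usable
    gateway (or a netmask that is too wide) and is relying on proxy ARP.
    """
    net = ipaddress.ip_network(local_net)
    suspects = {}
    for sender, target in parse_arp_requests(text):
        if target not in net:
            suspects.setdefault(str(sender), []).append(str(target))
    return suspects


def proxy_arp_replies(target, iface_net, routes):
    """Model a proxy-ARP interface: reply with its own MAC only when the
    target is outside the interface subnet and some route covers it."""
    addr = ipaddress.ip_address(target)
    if addr in ipaddress.ip_network(iface_net):
        return False  # on-subnet: the real owner answers, not the firewall
    return any(addr in ipaddress.ip_network(r) for r in routes)


if __name__ == "__main__":
    print(offsubnet_requesters(ARP_LOG, "10.0.0.0/24"))
    print(proxy_arp_replies("204.141.7.9", "10.0.0.0/24", ["0.0.0.0/0"]))
```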