CowboyNeal n00b
Joined: 16 May 2002 Posts: 44 Location: The Netherlands
Posted: Wed Sep 25, 2002 8:52 pm Post subject: Allowing ARP traffic with iptables
L.S.,
iptables has the -p option, so I can explicitly allow tcp, udp, icmp or gre. But how do I allow arp?
de4d Apprentice
Joined: 12 Sep 2002 Posts: 181 Location: fr. i. br. (ger)
Posted: Wed Sep 25, 2002 9:28 pm Post subject:
imho arp (address resolution protocol) is managed by the nic itself, so no arp packets are spawned by the operating system (and no arp packets are sent to the o/s), and there's no need to firewall them anyway.
arp is more like 'tunneling' your ip packets
this may be (terribly) wrong - correct me if anyone knows better.
_________________
void main(){fork();main();}
CowboyNeal n00b
Joined: 16 May 2002 Posts: 44 Location: The Netherlands
Posted: Sun Sep 29, 2002 12:37 am Post subject:
de4d wrote:
> imho arp (address resolution protocol) is managed by the nic itself, so no arp packets are spawned by the operating system (and no arp packets are sent to the o/s), and there's no need to firewall them anyway.
> arp is more like 'tunneling' your ip packets
> this may be (terribly) wrong - correct me if anyone knows better.

If that were the case, why do /etc/ethers and arp (including arp -s <static ip> <static mac> for binding an IP to a MAC) exist? I think you are mistaking ARP for Ethernet frames; those encapsulate your IP packet and add a MAC address (your NIC filters on your MAC, otherwise a 100 Mbit/s network would flood your CPU).
splooge l33t
Joined: 30 Aug 2002 Posts: 636
Posted: Sun Sep 29, 2002 12:30 pm Post subject:
ARP is a layer 2 protocol, it's enabled by default, and has nothing to do with iptables. If you can ping your router or another workstation on your network, ARP is working.
TuxFriend Apprentice
Joined: 14 Aug 2002 Posts: 151
Posted: Sun Sep 29, 2002 4:45 pm Post subject: Re: Allowing ARP traffic with iptables
CowboyNeal wrote:
> L.S.,
> iptables has the -p option, so I can explicitly allow tcp, udp, icmp or gre. But how do I allow arp?

ARP is used for binding a MAC address to an IP address. ARP is on a lower layer than IP, while TCP, UDP and ICMP are above the IP layer. By default all ARP traffic is allowed and will be passed to the IP layer; if you want to change this behaviour then you need to use ebtables. It's in a development kernel (>=2.5.37) or you can find ebtables on http://users.pandora.be/bart.de.schuymer/ebtables
TuxFriend
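To make the ebtables suggestion above concrete, here is an added example (not code from any poster): a script that turns a list of trusted MAC/IP pairs into ebtables rules for one interface. A frame is only allowed to claim a trusted sender IP in its ARP header when both the ARP sender hardware address and the Ethernet source address match the MAC on file; every other ARP packet claiming that IP is dropped, and ARP for hosts not in the list is left alone. The trusted-host file layout ("MAC IP", numeric IPs, '#' comments, the same order as /etc/ethers) and the chain name ARPCHECK are assumptions of this example. Two caveats a practitioner should know: ebtables only sees frames passing through a Linux bridge, so on a single-NIC workstation the interface has to be a bridge port (arptables offers the same matches, as --source-ip and --source-mac, for the plain IP stack); and a filter keyed on MAC addresses stops the usual poisoning reply from a second machine, but not an attacker who also forges both MAC fields of the frame.

```shell
#!/bin/sh
# Generate ebtables rules that pin trusted IP/MAC bindings in ARP.
# Example code added to this thread, not from any poster or project.
# Assumptions: ebtables with its ARP match (ebt_arp) available, and a
# trusted-host file in /etc/ethers layout: "MAC IP", '#' comments.

# arp_rules IFACE TRUSTED_FILE -> prints the ebtables commands (dry run)
arp_rules() {
    iface="$1"; trusted="$2"
    cat <<EOF
ebtables -N ARPCHECK
ebtables -A INPUT -i $iface -p ARP -j ARPCHECK
EOF
    awk -v iface="$iface" '
    /^[ \t]*(#|$)/ { next }                     # comments and blank lines
    NF >= 2 {
        mac = tolower($1); ip = $2
        # genuine binding: ARP sender MAC and the frame source both match
        printf "ebtables -A ARPCHECK -p ARP --arp-ip-src %s --arp-mac-src %s -s %s -j RETURN\n", ip, mac, mac
        # anything else that claims this IP is a spoof attempt: drop it
        printf "ebtables -A ARPCHECK -p ARP --arp-ip-src %s -j DROP\n", ip
    }' "$trusted"
}

# Constructed two-host sample; returns the generated rule set.
arp_rules_demo() {
    sample=$(mktemp) || return 1
    printf '# MAC IP (constructed sample)\n00:30:7B:94:31:C8 212.187.0.1\n00:50:56:aa:bb:cc 212.187.0.2\n' > "$sample"
    arp_rules eth0 "$sample"
    rm -f "$sample"
}

# No arguments: print the rules for the sample.
# Real use (as root, bridged interface): sh arp_rules.sh br0 trusted.ethers | sh
if [ $# -eq 0 ]; then
    arp_rules_demo
else
    arp_rules "$1" "${2:?trusted file required}"
fi
```

The RETURN rule for each host must come before its DROP rule, which is why both are emitted together per line of the table; with a policy of ACCEPT on INPUT, an ARP packet for an unlisted IP simply falls off the end of ARPCHECK and is accepted.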
CowboyNeal n00b
Joined: 16 May 2002 Posts: 44 Location: The Netherlands
Posted: Wed Oct 02, 2002 10:01 pm Post subject: Re: Allowing ARP traffic with iptables
TuxFriend wrote:
> CowboyNeal wrote:
> > L.S.,
> > iptables has the -p option, so I can explicitly allow tcp, udp, icmp or gre. But how do I allow arp?
>
> ARP is used for binding a MAC address to an IP address. ARP is on a lower layer than IP, while TCP, UDP and ICMP are above the IP layer. By default all ARP traffic is allowed and will be passed to the IP layer; if you want to change this behaviour then you need to use ebtables. It's in a development kernel (>=2.5.37) or you can find ebtables on http://users.pandora.be/bart.de.schuymer/ebtables
> TuxFriend

I know how ARP is related to IP. The reason I asked this is that I _am_ able to filter 'gre' (packet tunneling to my ADSL modem) and, as I understand it, GRE is not IP.
Furthermore, one can do nasty tricks with ARP (man-in-the-middle attack); it should be in iptables! (MAC source filtering is included in iptables, and MAC is, as you said, below IP.)
Zu` l33t
Joined: 26 May 2002 Posts: 716 Location: BE
Posted: Wed Oct 02, 2002 11:03 pm Post subject: Re: Allowing ARP traffic with iptables
CowboyNeal wrote:
> Furthermore, one can do nasty tricks with ARP (man-in-the-middle attack); it should be in iptables! (MAC source filtering is included in iptables, and MAC is, as you said, below IP.)

Perhaps this can help a bit. Quoted from here.

Quote:
> The easiest way to prevent ARP poisoning at workstations and servers with Open Source operating systems is to M-lock the ARP
> cache line by line. This means when the ARP table has a valid entry like this:
>     212.187.0.1 ether 00:30:7B:94:31:C8 C eth0
> You can lock this entry by typing: "arp -v -i eth0 -s 212.187.0.1 00:30:7B:94:31:C8" (without quotes)
> Check the ARP cache again by typing "arp -nv -i eth0", the output will be:
>     212.187.0.1 ether 00:30:7B:94:31:C8 CM eth0
> See the difference?
> As long as you don't unlock the ARP cache, restart the eth devices or reboot the system, nobody can refresh the entry above.
> Another way would be installing a (level 2!!) firewall at the workstation, but the only difference between this and my way (above) will
> be the price. The firewall will do exactly the same; it's not making your system any more invulnerable or whatsoever!

If you find more useful info about this subject, please post in this thread. I find this quite interesting.
Greets
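The locking recipe quoted above is per entry and by hand, and it only holds until the next reboot or interface restart. As an added example (not code from any poster), the script below does the two things a practitioner actually wants around it: it emits the `arp -s` commands for a whole table of trusted hosts, and it audits the live cache from `arp -n` against that table, reporting for every trusted IP whether its entry is pinned (flag M), unpinned, resolved to a different MAC (the poisoning symptom), still incomplete, or absent. It assumes net-tools `arp -n` output (Address, HWtype, HWaddress, Flags, Mask, Iface, with Mask normally empty) and a trusted-host file in /etc/ethers layout ("MAC IP", numeric IPs only, '#' comments); the report words are this example's own. The sample cache and table are constructed for the demo.

```shell
#!/bin/sh
# Audit the kernel ARP cache against a list of trusted MAC/IP pairs and
# print the commands that pin them. Example code added to this thread,
# not from any poster. Assumes net-tools `arp -n` output and a trusted
# file in /etc/ethers layout ("MAC IP", numeric IPs, '#' comments).
#
# For every trusted IP the audit prints one of:
#   OK          cached MAC matches and the entry is pinned (flag M)
#   UNPINNED    cached MAC matches but any ARP reply can still overwrite it
#   MISMATCH    cache holds another MAC: possible poisoning, investigate
#   INCOMPLETE  resolution pending, no MAC cached yet
#   MISSING     trusted host not in the cache at all
# Cache entries for IPs not in the table are ignored.

# arp_audit TRUSTED_FILE < output-of-arp-n
arp_audit() {
    awk -v trusted="$1" '
    BEGIN {
        while ((getline line < trusted) > 0) {
            sub(/^[ \t]+/, "", line)
            if (line ~ /^(#|$)/) continue
            n = split(line, f, /[ \t]+/)
            if (n >= 2) want[f[2]] = tolower(f[1])   # ip -> expected mac
        }
        close(trusted)
    }
    $1 == "Address" || $1 == "Entries:" { next }    # header / -v trailer
    $2 == "(incomplete)" {                          # "ip (incomplete) iface"
        seen[$1] = 1
        if ($1 in want) printf "INCOMPLETE %s\n", $1
        next
    }
    NF >= 5 {                                       # ip hwtype mac flags iface
        ip = $1; mac = tolower($3); flags = $4
        seen[ip] = 1
        if (!(ip in want)) next
        if (mac != want[ip])
            printf "MISMATCH %s expected %s got %s\n", ip, want[ip], mac
        else if (flags !~ /M/)
            printf "UNPINNED %s %s\n", ip, mac
        else
            printf "OK %s %s\n", ip, mac
    }
    END {
        for (ip in want)
            if (!(ip in seen)) printf "MISSING %s %s\n", ip, want[ip]
    }'
}

# arp_pin_commands IFACE TRUSTED_FILE -> the `arp -s` lines that lock each
# pair (what `arp -i IFACE -f TRUSTED_FILE` does in one go).
arp_pin_commands() {
    awk -v iface="$1" '
    /^[ \t]*(#|$)/ { next }
    NF >= 2 { printf "arp -v -i %s -s %s %s\n", iface, $2, $1 }' "$2"
}

# Constructed sample covering every report type; returns the audit output.
arp_audit_demo() {
    trusted=$(mktemp) || return 1
    cat > "$trusted" <<'EOF'
# MAC               IP          (constructed trusted table)
00:30:7B:94:31:C8   212.187.0.1
00:50:56:aa:bb:cc   212.187.0.2
00:0c:29:11:22:33   212.187.0.3
00:0c:29:44:55:66   212.187.0.4
00:0c:29:77:88:99   212.187.0.5
EOF
    arp_audit "$trusted" <<'EOF'
Address                  HWtype  HWaddress           Flags Mask            Iface
212.187.0.1              ether   00:30:7B:94:31:C8   CM                    eth0
212.187.0.2              ether   00:50:56:aa:bb:cc   C                     eth0
212.187.0.3              ether   de:ad:be:ef:00:01   C                     eth0
212.187.0.4                      (incomplete)                              eth0
212.187.0.99             ether   00:11:22:33:44:55   C                     eth0
EOF
    rm -f "$trusted"
}

# No arguments: audit the constructed sample.
# Real use:  arp -n | sh arp_audit.sh trusted.ethers
#            sh arp_audit.sh pin eth0 trusted.ethers | sh     (as root)
if [ $# -eq 0 ]; then
    arp_audit_demo
elif [ "$1" = pin ]; then
    arp_pin_commands "${2:?interface required}" "${3:?trusted file required}"
else
    arp_audit "$1"
fi
```

A MISMATCH on a pinned entry cannot normally happen, so that line is the one to alarm on; UNPINNED lines are the hosts the quoted recipe has not been applied to yet, and the pin commands have to be re-run after every reboot or interface restart, which is the reason to script them rather than type them.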
CowboyNeal n00b
Joined: 16 May 2002 Posts: 44 Location: The Netherlands
Posted: Thu Oct 03, 2002 10:13 am Post subject: Re: Allowing ARP traffic with iptables
Zu` wrote:
> If you find more useful info about this subject, please post in this thread. I find this quite interesting.
> Greets

I found ettercap a very nice tool to play around with on your own LAN (ok, so I used it on a LAN party, but those people don't mind, right?)