Snort mailing list archives
RE: ARP
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 11 Sep 2002 12:05:37 -0400
Of course, this rule won't block the ARP packets... ARP packets aren't routable, thus must be originating in your ethernet broadcast domain.
I'm guessing that you have a PIX firewall, or other firewall with the "proxy arp" feature, and a host machine on the inside which is configured for a netmask of /0. I bet you'll find the returned MAC address will be the router interface. Proxy-arp firewalls will answer ARPs for anything they have a route to that is not within the subnet of that interface. This winds up "fixing" hosts which don't have a proper gateway set, by catching when they ARP for IPs outside the local net and generating a reply based on routing tables.
I'm not a big fan of the feature myself... I tend to feel broken hosts should remain broken until they have a gateway set.
At 08:52 AM 9/11/2002 -0400, McCammon, Keith wrote:
[OT, but...]

> Secondly Can i block this ip address using router...

access-list 110 deny ip 204.141.0.0 0.0.255.255 any log
access-list 110 permit ip any any

Insert standard disclaimers. Apply to interface(s) as needed using:

ip access-group 110 in|out
-------------------------------------------------------
In remembrance www.osdn.com/911/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
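Matt's check above (is the MAC returned for an off-subnet IP the router's interface?) can be scripted. This added example is not from the thread or from Snort: it parses raw Ethernet/ARP reply frames and flags replies for addresses outside the local subnet that carry the gateway's MAC as proxy ARP. The local subnet, the gateway MAC and the sample frames are assumed and constructed for the example.

```python
import ipaddress
import struct

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed local broadcast domain
GATEWAY_MAC = "00:00:0c:07:ac:01"                    # assumed router interface MAC

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) for an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, 2):   # Ethernet, IPv4, reply
        return None
    return mac_str(sha), str(ipaddress.IPv4Address(spa))


def classify(frame):
    """'proxy-arp' when an off-subnet IP is answered with the gateway's MAC."""
    parsed = parse_arp_reply(frame)
    if parsed is None:
        return "not-arp-reply"
    mac, ip = parsed
    if ipaddress.ip_address(ip) in LOCAL_NET:
        return "local"
    return "proxy-arp" if mac == GATEWAY_MAC else "off-subnet-other"


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct a sample ARP reply frame (test input only, not captured traffic)."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    tha = bytes.fromhex(target_mac.replace(":", ""))
    spa = ipaddress.IPv4Address(sender_ip).packed
    tpa = ipaddress.IPv4Address(target_ip).packed
    return ETH_HDR.pack(tha, sha, 0x0806) + ARP_PKT.pack(1, 0x0800, 6, 4, 2, sha, spa, tha, tpa)


if __name__ == "__main__":
    # Constructed: an inside host ARPs for an address in 204.141.0.0/16 and the router answers.
    frame = build_arp_reply(GATEWAY_MAC, "204.141.5.7", "00:11:22:33:44:55", "192.168.1.20")
    print(classify(frame))   # proxy-arp
```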