From owner-freebsd-questions@FreeBSD.ORG Sun Sep 7 22:23:31 2003
From: Jim Durham
Organization: JC Durham Consulting
To: freebsd-questions@freebsd.org
Reply-To: durham@jcdurham.com
Date: Mon, 8 Sep 2003 01:23:22 -0400
Message-Id: <200309080123.22883.durham@jcdurham.com>
Subject: Worms/FreeBSD servers/Windows clients

After dealing with one of those idiotic worms on our LAN with FreeBSD servers and Windows workstations, I realized that we don't do much peer-to-peer sharing on our LAN and connections from workstation to workstation could be eliminated with only a slight loss in convenience, as files are usually shared on the Samba server. However, blocking Windows-to-Windows communications would stop the spread of these silly Microsoft worms. One expensive way to do this is with Layer 3 switches. This would be really cost-prohibitive for a small company.
I was wondering if anyone had any ideas on modifying or "inhibiting" ARP so that it would not give out the MAC addresses of any of the machines on the LAN to another machine on the LAN, except the address of the FreeBSD servers, which are worm-immune. I realize that ARP would have to be defeated on the Windows machines in order for this to work.

I've also considered double NAT-ing the workstations and then limiting the ports on my layer 2 switches to kill the "learn" function and only accept one MAC on a port. Transient users and wireless users would then be on the "outside" side of the 2nd NAT. I find that these users are the ones that bring in the worms when coming back from a road trip where they were plugged into who-knows-what networks.

--
-Jim
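Whichever of the two approaches above is used, the thing an administrator will want to verify afterwards is that workstations really are no longer resolving each other's MAC addresses. The following is an added example, not part of Jim's post: it parses ARP cache listings in the Windows `arp -a` and FreeBSD `arp -an` formats and reports any dynamic entry that points at a host other than the permitted servers and gateway, which is exactly the workstation-to-workstation contact the policy is meant to prevent. The two ARP listings and the `ALLOWED_TARGETS` set are constructed placeholder data, not captured from any real network.

```python
import re

# Constructed sample in Windows "arp -a" style (not captured from a real host).
WINDOWS_ARP_SAMPLE = """\
Interface: 192.168.1.20 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-cc     dynamic
  192.168.1.5           00-0c-29-11-22-33     static
  192.168.1.31          00-50-56-de-ad-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed sample in FreeBSD "arp -an" style (not captured from a real host).
FREEBSD_ARP_SAMPLE = """\
? (192.168.1.1) at 00:0c:29:aa:bb:cc on em0 expires in 1197 seconds [ethernet]
? (192.168.1.5) at 00:0c:29:11:22:33 on em0 permanent [ethernet]
? (192.168.1.42) at 00:50:56:de:ad:02 on em0 expires in 88 seconds [ethernet]
"""

# Hosts a workstation is expected to resolve: the gateway and the Samba server.
# Placeholder addresses for this example.
ALLOWED_TARGETS = {"192.168.1.1", "192.168.1.5"}

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Windows: "<ip>  <xx-xx-xx-xx-xx-xx>  dynamic|static"
WINDOWS_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$",
    re.IGNORECASE,
)
# FreeBSD: "<host> (<ip>) at <xx:xx:xx:xx:xx:xx> on <if> permanent|expires in N seconds ..."
FREEBSD_RE = re.compile(
    r"^\S+ \((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-f]{2}(?::[0-9a-f]{2}){5}) on \S+ "
    r"(permanent|expires in \d+ seconds)",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Parse Windows or FreeBSD arp output into (ip, mac, is_static) tuples.

    MACs are normalised to lower-case, colon-separated form so entries from
    both platforms compare equal. Header and interface lines are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = WINDOWS_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries.append((ip, mac.lower().replace("-", ":"), kind.lower() == "static"))
            continue
        m = FREEBSD_RE.match(line)
        if m:
            ip, mac, state = m.groups()
            entries.append((ip, mac.lower(), state.lower() == "permanent"))
    return entries


def find_peer_resolutions(entries, allowed=ALLOWED_TARGETS):
    """Return (ip, mac) for dynamic entries that are neither an allowed target
    nor the broadcast address. Each one is evidence that this workstation has
    exchanged traffic with another workstation since the cache was last flushed.
    """
    return [
        (ip, mac)
        for ip, mac, is_static in entries
        if not is_static and ip not in allowed and mac != BROADCAST_MAC
    ]


def audit(text, allowed=ALLOWED_TARGETS):
    """Parse an arp listing and return the unexpected peer resolutions."""
    return find_peer_resolutions(parse_arp_table(text), allowed)


if __name__ == "__main__":
    for name, sample in (("windows", WINDOWS_ARP_SAMPLE), ("freebsd", FREEBSD_ARP_SAMPLE)):
        for ip, mac in audit(sample):
            print(f"{name}: unexpected peer resolution {ip} ({mac})")
```

The check only sees what is still in the cache, so it has to be run while entries are fresh (a dynamic entry ages out within minutes on both platforms); for an ongoing control the same logic can be fed from a periodic `arp -a` collection or from a sniffer on the segment rather than from a one-off listing.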