From: hshh
To: freebsd-ipfw@freebsd.org
Date: Thu, 13 Apr 2006 19:44:09 +0800
Subject: Still ARP Spoof question.

I have some FreeBSD boxes, including 4.11, 6.0, 6.1-PRERELEASE. They are on the same network, and all are compiled with IPFW2 support. In that network, there are other servers that are not mine. I can't control them either.

One day, maybe one computer was hacked, and sent my server fake ARP packets. That's ARP spoofing, but it makes a fake gateway to attack my server. dmesg shows a message like:

arp: x.x.x.254 moved from 00:02:b3:52:5d:25 to 02:e0:52:14:37:4a on fxp0

x.x.x.254 is the gateway of that network, and 02:e0:52:14:37:4a is the MAC of the real gateway. 00:02:b3:52:5d:25 is the fake MAC; 00:11:22:33:44:55 was seen too.

I tried to use ``arp -S x.x.x.254 02:e0:52:14:37:4a'', but it did not work. After some seconds, my server can't communicate with the gateway. I tried to use ipfw2 to deny these packets, ``deny ip from any to any MAC any 00:02:b3:52:5d:25 layer2'', but that did not work either. Although I tuned ``net.link.ether.ipfw'' from 0 to 1, it still does not work.

What can I do? I can't touch the switch, and I can't touch the gateway either. Any good idea to help me?
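
An added example, not part of the original post: a Python scan of kernel log lines in the "arp: ... moved from ... to ..." format quoted above, reporting each time a pinned gateway address is claimed by an unexpected MAC or returns to the expected one. The address 192.0.2.254, the host name, the timestamps and the unpinned 192.0.2.77 entry are constructed; the gateway and foreign MAC addresses are the ones given in the post.

```python
import re

# Kernel message format as quoted in the post:
#   arp: <ip> moved from <old mac> to <new mac> on <ifname>
MOVED = re.compile(
    r"arp: (?P<ip>\S+) moved from (?P<old>[0-9a-f:]{17}) "
    r"to (?P<new>[0-9a-f:]{17}) on (?P<ifname>\S+)",
    re.IGNORECASE,
)

# Assumption: the operator knows the legitimate gateway MAC in advance.
PINNED = {"192.0.2.254": "02:e0:52:14:37:4a"}

# Constructed sample log lines (not captured from a real host).
SAMPLE = [
    "Apr 13 19:40:01 host kernel: arp: 192.0.2.254 moved from 02:e0:52:14:37:4a to 00:02:b3:52:5d:25 on fxp0",
    "Apr 13 19:40:04 host kernel: arp: 192.0.2.254 moved from 00:02:b3:52:5d:25 to 02:e0:52:14:37:4a on fxp0",
    "Apr 13 19:40:09 host kernel: arp: 192.0.2.254 moved from 02:e0:52:14:37:4a to 00:11:22:33:44:55 on fxp0",
    "Apr 13 19:41:00 host kernel: arp: 192.0.2.77 moved from 00:0c:29:aa:bb:cc to 00:0c:29:dd:ee:ff on fxp0",
    "Apr 13 19:41:02 host sshd[123]: unrelated line",
]

def scan(lines, pinned):
    """Return (alerts, foreign_macs) for ARP moves that touch pinned IPs.

    alerts is a list of (ip, ifname, state, old_mac, new_mac); state is
    "hijacked" when the entry moved to an unexpected MAC and "restored"
    when it moved back to the pinned one. Unpinned IPs are ignored.
    """
    alerts, foreign = [], set()
    for line in lines:
        m = MOVED.search(line)
        if not m or m["ip"] not in pinned:
            continue
        good = pinned[m["ip"]].lower()
        old, new = m["old"].lower(), m["new"].lower()
        if new != good:
            state, bad = "hijacked", new
        elif old != good:
            state, bad = "restored", old
        else:
            continue
        foreign.add(bad)
        alerts.append((m["ip"], m["ifname"], state, old, new))
    return alerts, sorted(foreign)

if __name__ == "__main__":
    found, macs = scan(SAMPLE, PINNED)
    for alert in found:
        print(*alert)
    print("foreign MACs:", ", ".join(macs))
```
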