> Hmm I'm not sure I understand what you're saying here.
>
> Consider the following packets, all sent from "ext" to "int":
> (or "dmz" to "int" ... any case of "less trusted" -> "more trusted")
> 0000:1111:1111->ffff:ffff:ffff arp query 195.11.22.1->195.11.22.5
> 0000:1111:1112->ffff:ffff:ffff arp query 195.11.22.1->195.11.22.5
> 0000:1111:1113->ffff:ffff:ffff arp query 195.11.22.1->195.11.22.5
> 0000:1111:1114->ffff:ffff:ffff arp query 195.11.22.1->195.11.22.5
> 0000:1111:1115->ffff:ffff:ffff arp query 195.11.22.1->195.11.22.5
>
> (Assuming that 195.11.22.1 is a valid host on the outside of the
> firewall, and that 195.11.22.5 lives on the inside).
>
> Are you saying that there is an easy way of keeping internal switches
> from learning about the MAC addresses 0000:1111:111[1-5]?
The firewall should not accept a host claiming to have multiple MACs. You might allow the first instance to exist and ignore the others?

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
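To make the "allow the first instance, ignore the others" policy concrete, here is an added example (my own code, not from the list or the poster) of a first-binding-wins ARP filter for a bridging firewall. It parses the five packets in the quoted message, written in the same one-line notation, binds each sender IP to the first source MAC it is seen with, and drops later frames where the same IP shows up with a different MAC. The `inside_learned_macs` helper shows what the inside switches would get to learn after filtering. The packet notation parser and the `FirstBindingArpFilter` class are my assumptions about how such a filter would be structured, not a real product's API.

```python
import re
from dataclasses import dataclass

# Matches the one-line packet notation used in the quoted message:
#   <src_mac>-><dst_mac> arp <query|reply> <sender_ip>-><target_ip>
ARP_LINE = re.compile(
    r"^(?P<src_mac>[0-9a-f:]+)->(?P<dst_mac>[0-9a-f:]+)\s+arp\s+"
    r"(?P<op>query|reply)\s+(?P<sender_ip>[\d.]+)->(?P<target_ip>[\d.]+)$"
)

# Constructed sample trace: the five frames from the quoted message.
SAMPLE_TRACE = [
    "0000:1111:1111->ffff:ffff:ffff arp query 195.11.22.1->195.11.22.5",
    "0000:1111:1112->ffff:ffff:ffff arp query 195.11.22.1->195.11.22.5",
    "0000:1111:1113->ffff:ffff:ffff arp query 195.11.22.1->195.11.22.5",
    "0000:1111:1114->ffff:ffff:ffff arp query 195.11.22.1->195.11.22.5",
    "0000:1111:1115->ffff:ffff:ffff arp query 195.11.22.1->195.11.22.5",
]


@dataclass(frozen=True)
class ArpFrame:
    src_mac: str
    dst_mac: str
    op: str
    sender_ip: str
    target_ip: str


def parse_arp(line):
    """Parse one line of the packet notation into an ArpFrame."""
    m = ARP_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ARP line: {line!r}")
    return ArpFrame(**m.groupdict())


class FirstBindingArpFilter:
    """Accept the first MAC a sender IP claims; drop later conflicting claims.

    Hypothetical filter: the bridge records sender_ip -> src_mac on the first
    ARP frame it forwards and refuses any later frame whose sender IP is
    already bound to a different MAC.
    """

    def __init__(self):
        self.bindings = {}  # sender_ip -> first src_mac seen
        self.dropped = []   # (frame, reason) for audit / alerting

    def admit(self, frame):
        known = self.bindings.get(frame.sender_ip)
        if known is None:
            self.bindings[frame.sender_ip] = frame.src_mac
            return True
        if known == frame.src_mac:
            return True  # same host, same MAC: normal re-ARP
        self.dropped.append(
            (frame, f"{frame.sender_ip} already bound to {known}, "
                    f"refusing {frame.src_mac}")
        )
        return False


def filter_trace(lines):
    """Run the filter over a trace; return (forwarded, dropped, bindings)."""
    flt = FirstBindingArpFilter()
    forwarded = [fr for fr in map(parse_arp, lines) if flt.admit(fr)]
    return forwarded, flt.dropped, flt.bindings


def inside_learned_macs(forwarded):
    """Set of source MACs an inside switch could learn from forwarded frames."""
    return {fr.src_mac for fr in forwarded}


if __name__ == "__main__":
    fwd, drp, binds = filter_trace(SAMPLE_TRACE)
    print("forwarded:", len(fwd), "dropped:", len(drp))
    print("bindings:", binds)
    print("MACs visible inside:", inside_learned_macs(fwd))
    for frame, reason in drp:
        print("DROP", frame.src_mac, reason)
```

With the sample trace, only the first frame is forwarded, the other four are dropped with a logged reason, and the inside switches learn exactly one MAC for 195.11.22.1. First-come-first-served still trusts whoever speaks first after the binding table is empty (or has aged out); where the outside host is known, seeding the table with a static entry for it removes that window.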
