"Schouten, Diederik (Diederik)" wrote:
>
> The firewall should not accept a host claiming to have
> multiple MAC's. You might allow the first instance to exist
> and ignore the others?
Hrm okay.. Valid point. Some routing firewalls don't allow "wild"
ARP changes either. (Although stuff like the linux ARP code [1]
won't help you here if you're using an IP address that doesn't respond
to ARP queries.) This one then:
Assume IP packets to 195.11.22.5, port 80, which is allowed
by the ruleset.
Now, we can either alter the IP, or keep it static. Multiple routers
outside the firewall would cause the sender MAC to change all the time,
so you can't assume (at least not by default) that the sender MAC
won't change in communication at this layer.
OR: for the sake of argument: assume that the network on the less
trusted side of the firewall has a fairly large mask, like a /16 one.
65K MAC<>port mappings is a lot more than 99% of the switches out
there can handle. Tables capable of handling only 1000-4000 mappings are
fairly common, as far as I know, unless you start talking about big-ass
switches that you'll only have one or two of anyway, mixed with smaller
ones for the "branches".
(Yes, I'm an argumentative s-o-b. I know. :))
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
[1] The linux ARP implementation semi-protects against wild ARP
spoofing by sending a query to the previous owner of an IP and
waiting a short period of time before allowing a change. However,
unless I'm mistaken, these are sent as unicasts, so are still
susceptible to unicast rerouting in switches. And won't ever help
one bit if the IP in question doesn't answer ARP queries, i.e. it
is an unused IP. But that's OT to this particular discussion.
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
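The thread above argues two things: that a firewall could apply a "first MAC wins" rule per IP (allowing the first instance and ignoring later claims), and that a large untrusted-side prefix can present more MAC-to-port mappings than a typical switch table holds. The following Python is an added example, not code from the original post or from Clavister, showing how a defender might log and enforce both points at once. It assumes a constructed log format ("<epoch> arp <ip> <mac> <port>") that no real product emits, and the 4000-entry default capacity is taken from the figure quoted in the post, not from any actual switch.

```python
"""First-seen-wins IP-to-MAC binding table with a capacity cap.

Added example. The log format and the capacity figure are assumptions
used for illustration; nothing here is taken from a real device.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed log format (assumption): "<epoch-seconds> arp <ip> <mac> <ingress-port>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) arp (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<port>\S+)$",
    re.IGNORECASE,
)


@dataclass
class Binding:
    mac: str
    port: str
    first_seen: int
    last_seen: int


@dataclass
class BindingTable:
    """Keeps the first MAC seen for each IP and refuses later claims.

    max_entries models a switch/firewall table that can only hold a
    limited number of mappings (the post's 1000-4000 figure).
    """
    max_entries: int = 4000
    bindings: Dict[str, Binding] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)
    decisions: List[str] = field(default_factory=list)

    def observe(self, ts: int, ip: str, mac: str, port: str) -> str:
        mac = mac.lower()
        current = self.bindings.get(ip)
        if current is None:
            # New IP: learn it only if the table still has room.
            if len(self.bindings) >= self.max_entries:
                self.alerts.append(
                    f"{ts} table full ({self.max_entries} entries); "
                    f"refusing to learn {ip} -> {mac} on {port}"
                )
                return self._record("table_full")
            self.bindings[ip] = Binding(mac, port, ts, ts)
            return self._record("learned")
        if current.mac == mac:
            # Same host re-announcing itself: just refresh the timestamp.
            current.last_seen = ts
            return self._record("ok")
        # A second MAC claiming an IP we already hold: first instance wins,
        # the newcomer is ignored and the conflict is logged for review.
        self.alerts.append(
            f"{ts} conflict: {ip} already bound to {current.mac} "
            f"(since {current.first_seen}); ignoring {mac} on {port}"
        )
        return self._record("conflict")

    def _record(self, decision: str) -> str:
        self.decisions.append(decision)
        return decision


def process_log(lines: List[str], max_entries: int = 4000) -> BindingTable:
    """Feed log lines through the table; malformed lines are skipped, never learned."""
    table = BindingTable(max_entries=max_entries)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        table.observe(int(m["ts"]), m["ip"], m["mac"], m["port"])
    return table


# Constructed sample input: the IP from the post plus two invented neighbours.
SAMPLE_LOG = [
    "988884001 arp 195.11.22.5 00:11:22:33:44:55 eth1",  # first claim: learned
    "988884002 arp 195.11.22.5 00:11:22:33:44:55 eth1",  # same MAC again: ok
    "988884003 arp 195.11.22.5 00:11:22:33:44:66 eth1",  # second MAC for same IP: conflict
    "988884004 arp 195.11.22.6 00:11:22:33:44:77 eth1",  # new IP: learned
    "988884005 arp 195.11.22.7 00:11:22:33:44:88 eth1",  # exceeds a 2-entry cap: table_full
    "this line is not an arp record",                    # skipped
]

if __name__ == "__main__":
    t = process_log(SAMPLE_LOG, max_entries=2)
    for d in t.decisions:
        print(d)
    for a in t.alerts:
        print("ALERT", a)
```

Running it with a deliberately tiny cap of two entries makes both failure modes visible in a few lines: the third record is rejected as a conflict while the first binding for 195.11.22.5 stays intact, and the fifth is refused because the table is full. The usage caveat is the one the post itself raises: a strict first-seen policy will also flag a legitimate sender MAC change (for example several routers on the untrusted side), so in practice the conflict path needs an ageing rule or an allowlist of known gateway MACs rather than a flat refusal.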