[Dshield] Unexpected ARP traffic on my internal network

Tony Maro tonym at nlisc.com
Wed Oct 24 13:19:51 GMT 2001


Kevin,

What you MIGHT be seeing (and I'm not an expert on Verizon cable) is traffic
generated unknowingly by someone else on your cable line/subnet.  If the
modems don't filter this traffic automatically you could get some odd
packets.  Filtering everything with a private address scheme that tries to
come in on the external would be a good idea, and I do this myself, however I
only see traffic there once in a blue moon.

I wouldn't drop _ALL_ ICMP packets as Pieter-Bas suggests.  You probably
want to be able to do traceroutes and the like and know when you get a
destination unreachable.  

Here are my ICMP rules.  I know they're IPTABLES, and not Barricade setups,
but maybe you can glean some info.  I gave up on all those silly firewall
config tools and wrote my own firewall script.  Early on in the script it
automatically sends all ICMP traffic to the myicmp chain which is below:

#####################
# ICMP RULEZ!
#
# ($IPTABLES, $mymodem and $myadsl are set earlier in the script.)
#
# My Telocity modem must be able to ping me for status updates...
$IPTABLES -A myicmp -p ICMP --icmp-type 8 -s $mymodem -j ACCEPT
#
# I don't log ping requests -> too many of 'em
$IPTABLES -A myicmp -p ICMP --icmp-type 8 -j DROP
#
# drop ICMP timestamp request (13) and reply (14) packets
$IPTABLES -A myicmp -p ICMP --icmp-type 13 -j DROP
$IPTABLES -A myicmp -p ICMP --icmp-type 14 -j DROP
#
# Allow all other ICMP traffic to the server
# (okay it's not block all, allow some, but I think for ICMP it's just as
# good)
$IPTABLES -A myicmp -d $myadsl -j ACCEPT
#
# Log and drop any ICMP to other addresses in my external subnet of 4 IP's
$IPTABLES -A myicmp -j LOG --log-prefix "FIREWALL: DEST=BROADCAST IP:"
$IPTABLES -A myicmp -j DROP
#
####################

-----Original Message-----
From: Pieter-Bas IJdens [mailto:pbijdens at emea.mi4.org.uk] 
Subject: Re: [Dshield] Unexpected ARP traffic on my internal network


Also, if you worry about kiddies, you may consider simply dropping all ICMP
packets. That way your host appears down for the scanners [the number of
attacks on my home network decreased rapidly after I decided to do this].




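The myicmp rules in Tony's message show only the chain itself. As an added example (not Tony's script and not from the list), the following shows the surrounding glue his message describes: the early jump of all inbound ICMP into myicmp, plus the filter for private (RFC 1918) source addresses arriving on the external side. The interface name, the two addresses, and the APPLY switch are assumptions; by default the script only prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example, not the poster's script: the glue around the myicmp chain
# (jump all inbound ICMP into it) plus the ingress filter for private source
# addresses.  Dry-run by default: IPTABLES is "echo iptables" unless overridden.
IPTABLES="${IPTABLES:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"               # assumed external interface name
MYADSL="${MYADSL:-203.0.113.10}"       # constructed: this host's external IP
MYMODEM="${MYMODEM:-203.0.113.1}"      # constructed: modem allowed to ping us

# RFC 1918 ranges plus loopback; none of these should ever arrive from the ISP.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# Log (rate-limited) and drop packets on the external interface with a private source.
filter_private_sources() {
    for net in $PRIVATE_NETS; do
        $IPTABLES -A INPUT -i "$EXT_IF" -s "$net" -m limit --limit 3/min \
            -j LOG --log-prefix "FIREWALL: PRIVATE SRC:"
        $IPTABLES -A INPUT -i "$EXT_IF" -s "$net" -j DROP
    done
}

# Create the myicmp chain and hand every inbound ICMP packet to it.
setup_icmp_chain() {
    $IPTABLES -N myicmp
    $IPTABLES -A INPUT -p icmp -j myicmp
    # the modem may ping us; other echo requests are dropped without logging
    $IPTABLES -A myicmp -p icmp --icmp-type 8 -s "$MYMODEM" -j ACCEPT
    $IPTABLES -A myicmp -p icmp --icmp-type 8 -j DROP
    # timestamp request and reply
    $IPTABLES -A myicmp -p icmp --icmp-type 13 -j DROP
    $IPTABLES -A myicmp -p icmp --icmp-type 14 -j DROP
    # unreachables and time-exceeded (traceroute) for our own address still pass
    $IPTABLES -A myicmp -d "$MYADSL" -j ACCEPT
    # ICMP to the other addresses of the external subnet: log, then drop
    $IPTABLES -A myicmp -j LOG --log-prefix "FIREWALL: DEST=BROADCAST IP:"
    $IPTABLES -A myicmp -j DROP
}

build_firewall() {
    filter_private_sources
    setup_icmp_chain
}

# Apply only when asked (APPLY=1); otherwise this file just defines the functions.
if [ "${APPLY:-0}" = 1 ]; then
    build_firewall
fi
```

Run it as-is to review the generated rule set; set IPTABLES=/sbin/iptables and APPLY=1 to apply it.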