[Dshield] Unexpected ARP traffic on my internal network

Tony Maro tonym at nlisc.com
Wed Oct 24 16:12:21 GMT 2001


Ugh - my carriage returns all went away.  That's strange.  Well if you want
the script, e-mail me and I'll reciprocate.

-----Original Message-----
From: Tony Maro [mailto:tonym at nlisc.com] 
Sent: Wednesday, October 24, 2001 8:20 AM
To: 'dshield at dshield.org'
Subject: RE: [Dshield] Unexpected ARP traffic on my internal network


Kevin,

What you MIGHT be seeing (and I'm not an expert on Verizon cable) is traffic
generated unknowingly by someone else on your cable line/subnet.  If the
modems don't filter this traffic automatically you could get some odd
packets.  Filtering everything with a private address scheme that tries to
come in the external would be a good idea, and I do this myself, however I
only see traffic there once in a blue moon.

I wouldn't drop _ALL_ ICMP packets as Pieter-Bas suggests.  You probably
want to be able to do traceroutes and the like and know when you get a
destination unreachable.  

Here's my ICMP rules.  I know they're IPTABLES, and not Barricade setups,
but maybe you can glean some info.  I gave up on all those silly firewall
config tools and wrote my own firewall script.  Early on in the script it
automatically sends all ICMP traffic to the myicmp chain which is below:

#####################
# ICMP RULEZ!
#
# My Telocity modem must be able to ping me for status updates...
$IPTABLES -A myicmp -p ICMP --icmp-type 8 -s $mymodem -j ACCEPT
#
# I don't log ping requests -> too many of 'em
$IPTABLES -A myicmp -p ICMP --icmp-type 8 -j DROP
#
# drop ICMP timestamp request packets
$IPTABLES -A myicmp -p ICMP --icmp-type 13 -j DROP
$IPTABLES -A myicmp -p ICMP --icmp-type 14 -j DROP
#
# Allow all other ICMP traffic to the server
# (okay it's not block all, allow some, but I think for ICMP it's just as good)
$IPTABLES -A myicmp -d $myadsl -j ACCEPT
#
# Log and drop any ICMP to other addresses in my external subnet of 4 IP's
$IPTABLES -A myicmp -j LOG --log-prefix "FIREWALL: DEST=BROADCAST IP:"
$IPTABLES -A myicmp -j DROP
#
####################
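
The post mentions two pieces it does not show: the private-address filter on the external side and the early jump that sends ICMP to myicmp. The sketch below is an added example, not part of Tony Maro's script; the interface name eth0, the INPUT chain, the sample modem address, the dry-run wrapper and the exception for a modem with a private address are all assumptions.

```shell
#!/bin/sh
# Dry run by default: prints the commands. Set IPTABLES=/sbin/iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"

# Assumed values (not from the post): external interface and a
# documentation-range address (RFC 5737) standing in for the modem.
EXT_IF="${EXT_IF:-eth0}"
mymodem="${mymodem:-192.0.2.1}"
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"   # RFC 1918

is_private() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

build_rules() {
    # User-defined chain that the ICMP rules in the post are appended to.
    $IPTABLES -N myicmp

    # Edge case: a modem that pings from a private address must be accepted
    # before the private-source drops, or its status pings never reach myicmp.
    if is_private "$mymodem"; then
        $IPTABLES -A INPUT -i "$EXT_IF" -p icmp --icmp-type 8 -s "$mymodem" -j ACCEPT
    fi

    # Log and drop anything claiming a private source on the external side.
    for net in $PRIVATE_NETS; do
        $IPTABLES -A INPUT -i "$EXT_IF" -s "$net" -j LOG --log-prefix "FIREWALL: PRIVATE SRC: "
        $IPTABLES -A INPUT -i "$EXT_IF" -s "$net" -j DROP
    done

    # All remaining ICMP is handed to the myicmp chain.
    $IPTABLES -A INPUT -p icmp -j myicmp
}

build_rules
```
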



