out going ARP

Printable View

September 14th, 2002, 04:26 AM
black_death

out going ARP

My firewall alerts every time i log on to my ISP with this message:
Warning : outgoing ARP source:0.0.0.0
what that suppose to mean?
September 17th, 2002, 11:33 PM
t2k2

Hey black, can you give some more information so we may be able to help you more. What firewall are you using and what's the configuration?

thanks
September 19th, 2002, 08:59 PM
black_death

firewall

-----------------------------------------------------------------------------------------------------------------------
i use macafee's firewall and a port checker that checks for any open ports on the system,the
firewall can log any attacks on arp,icmp,rip,pptp,.... i have set it to filter all trafic,allowed all arp
packets cause if i stop all arp packets i can not connect any where.
i also use eeye's iris for sniffin packets(the guard thing shows arp attack)
------------------------------------------------------------------------------------------------------------------------
September 19th, 2002, 09:07 PM
shkuey

ARP (Address Resolution Protocol) is used to map your MAC address to your IP address, an arp packet will not travel between routers. The reason you can connect to nothing if you block all ARP requests is nobody can find you to open a connection.
September 19th, 2002, 09:30 PM
nebulus200

As Shkuey has said ARP provides a method for converting or mapping IP addresses to MAC addresses (if you are not sure about why you would have to do this, read up on the OSI model and encapsulation). Whenever the IP layer figures out that it is on the destination is on the same network as the current device, it will send out a broadcast ARP request to everything on that network. If you were to look at a sniffing session of this traffic, it would essentially look like: whois <destination ip address>, ? Since it is a broadcast, all computers without that IP address would not respond to the broadcast, if the machine with the IP address is up and connected to the network, it will respond with its MAC or physical address. The two devices will then be able to communicate on the physical layer (independent of IP). Firewalls will often shorthand a broadcast (sent to everyone) as 0.0.0.0.

What is probably happening is that your computer is trying to find the MAC address of your default router and is issuing the ARP broadcast out to the network you are on to figure this out. If everything functions normally, the router will answer with its MAC and then you will be able to get out to the internet.

Hope this helps explain it a little better,

Nebulus
September 21st, 2002, 09:55 AM
S3C

Your system may have a firewall that prevents GRE transmission. The GRE-to-PPP gateway sends the packets, but they are dropped by the packet filter before being transferred to the interface.

I dont know how to fix this if you are on windows

on linux or bsd you can add the following

You will have to check your firewall rules, remove or add replacements, and try again. The following iptables rules may be added to allow GRE through eth0. Change eth0 to the name of the interface if needed

iptables --insert OUTPUT 1 \
--source 0.0.0.0/0.0.0.0 \
--destination 0.0.0.0/0.0.0.0 \
--jump ACCEPT --protocol gre \
--out-interface eth0

iptables --insert INPUT 1 \
--source 0.0.0.0/0.0.0.0 \
--destination 0.0.0.0/0.0.0.0 \
--jump ACCEPT --protocol gre \
--in-interface eth0

These rules can be refined further to constrain the GRE traffic.

S3C
www.sec-net.tk