After dealing with one of those idiotic worms on our LAN with FreeBSD servers and Windows workstations, I realized that we don't do much peer-to-peer sharing on our LAN and connections from workstation to workstation could be eliminated with only a slight loss in convenience, as files are usually shared on the Samba server.

However, blocking Windows-to-Windows communications would stop the spread of these silly Microsoft worms. One expensive way to do this is with Layer 3 switches. This would be really cost-prohibitive for a small company.

I was wondering if anyone had any ideas on modifying or "inhibiting" ARP so that it would not give out the MAC addresses of any of the machines on the LAN to another machine on the LAN, except the address of the FreeBSD servers, which are worm-immune. I realize that ARP would have to be defeated on the Windows machines in order for this to work.

I've also considered double NAT-ing the workstations and then limiting the ports on my layer 2 switches to kill the "learn" function and only accept one MAC on a port. Transient users and wireless users would then be on the "outside" side of the 2nd NAT. I find that these users are the ones that bring in the worms when coming back from a road trip where they were plugged into who-knows-what networks.

--
-Jim

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
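Whichever mechanism is chosen to block workstation-to-workstation traffic, it helps to be able to verify the policy against observed flows. The following is an added example, not code from the post or the list: it audits constructed connection records (source, destination, destination port) against the policy "LAN workstations may talk only to the FreeBSD servers" and reports violations per source host. The server addresses, the LAN subnet and the sample flows are assumptions.

```python
import ipaddress
from collections import Counter

# Assumed values, not from the post: the FreeBSD servers' addresses and
# the LAN subnet that the Windows workstations live in.
SERVER_IPS = {ipaddress.ip_address("192.168.1.10"),
              ipaddress.ip_address("192.168.1.11")}
LAN = ipaddress.ip_network("192.168.1.0/24")


def parse_flow(line):
    """Parse one constructed 'src dst dport' record into typed fields."""
    src, dst, port = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)


def is_peer_to_peer(src, dst):
    """True when both ends are LAN hosts and neither is a server."""
    return (src in LAN and dst in LAN
            and src not in SERVER_IPS and dst not in SERVER_IPS)


def audit_flows(lines):
    """Return the violating flows and a per-source count of violations."""
    violations = []
    per_source = Counter()
    for line in lines:
        if not line.strip():
            continue
        src, dst, port = parse_flow(line)
        if is_peer_to_peer(src, dst):
            violations.append((str(src), str(dst), port))
            per_source[str(src)] += 1
    return violations, per_source


# Constructed sample records: workstation-to-server and outbound flows
# are allowed; workstation-to-workstation flows are the ones to flag.
SAMPLE_FLOWS = """
192.168.1.50 192.168.1.10 445
192.168.1.50 192.168.1.51 445
192.168.1.52 192.168.1.11 139
192.168.1.53 192.168.1.50 135
192.168.1.53 192.168.1.54 445
192.168.1.50 8.8.8.8 53
"""

if __name__ == "__main__":
    bad, counts = audit_flows(SAMPLE_FLOWS.splitlines())
    for src, dst, port in bad:
        print(f"workstation-to-workstation: {src} -> {dst}:{port}")
    for host, n in counts.most_common():
        print(f"{host}: {n} peer connection(s)")
```

Feeding it real records (for example, connection lines pulled from a switch span port or firewall log and reduced to the same three fields) shows whether the ARP or NAT scheme actually stopped the lateral traffic.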