Yes, seems like their ARP Proxy cache timeout is set really long. I wonder what would happen if I do a "-j REJECT --reject-with icmp-host-unreachable" on this particular FORWARD traffic. Would it remove the false entry in the ARP cache on the gateway?
I doubt it. But you might try. Anyhow, even if you try, also use the limit match. Otherwise somebody might abuse you for a DDoS attack.
Not so sure there. It's mostly MS-Windows TCP 445 connections I drop in the FORWARD chain, similar to the traffic I drop in the INPUT chain (which could be worms). I think worms prefer to really enter the box instead of trying to get rerouted in my FORWARD chain.
Worms are not attacking your box specifically. They are just trying out random addresses.
--
Aleksandar Milivojevic <amilivojevic@xxxxxx>
Systems Administrator
Tel: (204) 474-2323 ext 276
Pollard Banknote Limited
1499 Buffalo Place
Winnipeg, MB R3T 1L7