

Questions after "hitting" Eddie's lock on a debian computer


#1 iwih2gk


    Advanced Member

  • Members
  • 268 posts

Posted 16 February 2017 - 11:00 PM

I have been helping a family member set up Air on his machine.  He bought a year sub after I bragged about how good you guys are, so there, I am contributing to the cause.  LOL!


I personally write my own IP table stuff for my firewall but I don't want to deal with issues on this guy's computer in that regard.  Therefore I wanted to run conventional Eddie and its Lock feature.  We did set up Debian for surfing around and it's great.


Now to my questions.  After connecting on Jessie and with Eddie and the Lock engaged I decided to see just how secure his machine is against his own LAN.  We unticked/unchecked the LAN tab in the preferences of the client.  Here are my observations.  I ran a script I wrote on his desktop (I write executable scripts a lot because then I can one click and run things I want to use without multiple lines and terminals).  So I pounded against Eddie using a terminal: sudo arp -a && Nmap of the LAN IP/24.  The Nmap results are exactly as I would have hoped, because the report only shows the computer he is running Nmap on.  The other 4 devices, which were currently connected to the network LAN, and were active, did not even get seen due to the effectiveness of Eddie's Lock.  So far, great.  Where the arp part of the script is concerned I mostly saw ONLY the router/LAN IP (device IP number on LAN).  No other devices, not even the exact computer where I ran the arp command.  I have noticed that when running arp the computer being used doesn't seem to ever come back in the report/printout.  I get the same result on his computer when I drop the Eddie client and then run arp -a.  By same result I mean regarding the computer running the terminal.  With Eddie down, all other devices obviously show up in the report on the terminal, as do all devices in Nmap in that instance.


This post may be more an arp question than an Eddie Lock question.  If I continue to run this script (say 10 times) with Eddie and the Lock up, the arp report will on occasion pop up all the devices on his network.  Hmmmmm?  Nmap never fails and only shows the computer and no other devices, not even the router/LAN IP.


Assuming I start his computer fresh and then mount Eddie + Lock I see this:  Nmap - only the computer's device IP on the LAN and nothing else.  Arp - I see the router/LAN IP and nothing else.  Therefore I applaud Eddie for holding up against inside pounding against the LAN device I am testing it against.


ARP learning question.  Does repeated pounding against Eddie from the inside somehow crash something?  I never see an arp failure against the Eddie client unless I sit there and repeatedly run that terminal over and over.  Any way to diagnose this any further?


To clarify.  I am totally happy with how great Eddie is at isolating a machine from a LAN if you ask it to.  Good job at LAN isolation when desired.

#2 zhang888


    Donald Trump of IT/Security

  • Moderators
  • 2195 posts

Posted 16 February 2017 - 11:19 PM

The network lock feature works on Layer 3 and above, since naturally you cannot filter ARP requests because Eddie never knows the router's MAC and IP binding.

Not sure what your script is doing, but a simple tcpdump or Wireshark (in promisc mode if on WiFi) on the same LAN will show you all the devices on the network.

Allow LAN/Private means allowing actual traffic exchange with them; ARP traffic is not considered as such because it does not carry any data except the basic MAC<>IP in it.

This is not really in the scope of Eddie and it is how ARP works, so what you might see are the "who has" broadcasts from other devices every once in a while.

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
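
An added example, not part of either post and not Eddie's code: a small decoder for Ethernet/IPv4 ARP frames (field layout per RFC 826) showing that a request or reply holds only an opcode and two MAC/IP pairs, which is all a passive listener on the LAN learns from it. The addresses and the `SAMPLE` frames are constructed, and the helper names are assumptions of this example.

```python
import struct
from ipaddress import IPv4Address

OPCODES = {1: "who-has (request)", 2: "is-at (reply)"}
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA

def parse_arp_frame(frame):
    """Decode an Ethernet/IPv4 ARP frame; return None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    dst = frame[:6]
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    # The opcode and these four addresses are everything an ARP packet carries.
    return {"op": OPCODES.get(oper, f"opcode {oper}"),
            "broadcast": dst == b"\xff" * 6,
            "sender_mac": sha.hex(":"), "sender_ip": str(IPv4Address(spa)),
            "target_mac": tha.hex(":"), "target_ip": str(IPv4Address(tpa))}

def observed_bindings(frames):
    """IP -> MAC for every ARP sender a passive listener on the segment sees."""
    seen = {}
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp:
            seen[arp["sender_ip"]] = arp["sender_mac"]
    return seen

def build_frame(dst, oper, sha, spa, tha, tpa):
    """Build sample bytes for the demo only; nothing is sent on the wire."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    return (struct.pack("!6s6sH", h(dst), h(sha), 0x0806) +
            struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, h(sha),
                        IPv4Address(spa).packed, h(tha), IPv4Address(tpa).packed))

# Constructed sample traffic (made-up addresses): a broadcast request, the
# router's unicast reply, and one non-ARP (IPv4) frame that must be ignored.
SAMPLE = [
    build_frame("ff:ff:ff:ff:ff:ff", 1, "02:00:00:00:00:14", "192.168.1.20",
                "00:00:00:00:00:00", "192.168.1.1"),
    build_frame("02:00:00:00:00:14", 2, "02:00:00:00:00:01", "192.168.1.1",
                "02:00:00:00:00:14", "192.168.1.20"),
    b"\xff" * 6 + bytes.fromhex("020000000014") + b"\x08\x00" + bytes(28),
]

if __name__ == "__main__":
    print(observed_bindings(SAMPLE))
```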
