(This firewall is divided into a kernel-mode part (kernel-model) and a user-mode part (user-model). The kernel mode part works on the intermediate layer (IntermediateDriver) defined by NDIS. The intermediate layer driver is located between the miniport layer (MiniportDriver) and the protocol layer (ProtocolDriver). When the machine is infected with ARP Trojan and sends out ARP attacks, the ARP firewall will intercept these attack packets, which basically prevents ARP spoofing packets from running rampant in the LAN. The user mode part uses Winpcap to monitor the packets sent by the machine and the broadcast packets in the local area network, and prompt the user in time.)