Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 5 Dec 2001 23:17:35 +0700
From:      Eugene Grosbein <eugen@grosbein.pp.ru>
To:        "Crist J . Clark" <cjc@FreeBSD.ORG>
Cc:        security@FreeBSD.ORG, net@FreeBSD.ORG
Subject:   Re: NOARP - gateway must answer and have frozen ARP table
Message-ID:  <20011205231735.A1361@grosbein.pp.ru>
In-Reply-To: <20011205040316.H40864@blossom.cjclark.org>; from cjc@FreeBSD.ORG on Wed, Dec 05, 2001 at 04:03:16AM -0800
References:  <20011205124430.A83642@svzserv.kemerovo.su> <20011205040316.H40864@blossom.cjclark.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Dec 05, 2001 at 04:03:16AM -0800, Crist J . Clark wrote:

> > Not sure what is correct list, this is about network security.
> > Flag NOARP did not work for ethernet interface before 4.4-RELEASE.
> > We needed static ARP table so used local patch for it.
> > 4.4-RELEASE implemented NOARP but in the different way.
> See PR 31873.

I have read this PR and other discussions. 
And I want to say that this 'intended' behavour is useless for some
configurations. A machine acting as public gateway must respond 
to ARP requests for its IP. And it often must not allow modifying 
its ARP table. So I'm asking to have another behavour as an option. 
Perhaps, tunable as sysctl.

We use this scheme several years in production, keeping our local patches.
It seems this scheme is used widely, I've seen several different patches
implementing this since 2.2.x. We use one of them.

Eugene Grosbein.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011205231735.A1361>