From owner-freebsd-rc@FreeBSD.ORG Wed Jan 2 19:27:14 2008
Message-ID: <477BE583.6080202@delphij.net>
Date: Wed, 02 Jan 2008 11:26:59 -0800
From: Xin LI
Organization: The FreeBSD Project
Reply-To: d@delphij.net
To: freebsd-rc@FreeBSD.org, FreeBSD Current
Subject: [RFC] rc.d script for binding static arp pairs and logging options
List-Id: "Discussion related to /etc/rc.d design and implementation."

Hi,

Here is a rc.d script that I use on my own server, which provides two
functionalities:

- Bind ARP pairs specified in rc.conf (*);
- Set ARP logging options (+).

* Similar to routing settings, one needs to set up some sort of "ARP
pairs" like this:

static_arp_pairs="gw"
arp_gw="172.16.1.1 00:1c:58:6a:7b:49"

+ By setting one or more of the following options to "NO" it would set
the appropriate sysctl for ARP logging settings to zero to disable logging:

log_arp_permanent_modify
log_arp_movements
log_arp_wrong_iface

This script could be useful for those who use FreeBSD in an
uncontrollable network (i.e. your network administrator does not care
about viruses that attack the network with fake ARP broadcasts).

I wonder whether this script would be useful for general consumption?
Other comments are also welcome :-)

Cheers,
--
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve!
Content-Type: text/plain; name="arp"
Content-Disposition: inline; filename="arp"

#!/bin/sh
#
# Copyright (c) 2008 Xin LI
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# Configure static ARP table and logging options
#
# $FreeBSD$
#
# PROVIDE: arp
# REQUIRE: netif
# KEYWORD: nojail

. /etc/rc.subr

name="arp"
start_cmd="arp_start"
stop_cmd="arp_stop"
extra_commands="options static"
static_cmd="static_start"
options_cmd="options_start"

arp_start()
{
	options_start
	static_start
}

arp_stop()
{
	static_stop
}

# Each log_arp_* rc.conf knob maps to the sysctl of the same name under
# net.link.ether.inet.  The test operands are quoted: an unquoted, unset
# variable turns the test into "[ -n ]", which is always true, so the
# sysctl would be touched even when the knob was never set.  (The first
# test also had a typo, log_arp_perment_modify, which made it always true.)
options_start()
{
	echo -n 'Additional ARP logging options:'
	if [ -n "${log_arp_permanent_modify}" ]; then
		case ${log_arp_permanent_modify} in
		[Nn][Oo])
			echo -n ' do not'
			sysctl net.link.ether.inet.log_arp_permanent_modify=0 >/dev/null
			;;
		*)
			sysctl net.link.ether.inet.log_arp_permanent_modify=1 >/dev/null
			;;
		esac
		echo -n ' log arp replies from MACs different than the one in the permanent arp entry;'
	fi
	if [ -n "${log_arp_movements}" ]; then
		case ${log_arp_movements} in
		[Nn][Oo])
			echo -n ' do not'
			sysctl net.link.ether.inet.log_arp_movements=0 >/dev/null
			;;
		*)
			sysctl net.link.ether.inet.log_arp_movements=1 >/dev/null
			;;
		esac
		echo -n ' log arp replies from MACs different than the one in the cache;'
	fi
	if [ -n "${log_arp_wrong_iface}" ]; then
		case ${log_arp_wrong_iface} in
		[Nn][Oo])
			echo -n ' do not'
			sysctl net.link.ether.inet.log_arp_wrong_iface=0 >/dev/null
			;;
		*)
			sysctl net.link.ether.inet.log_arp_wrong_iface=1 >/dev/null
			;;
		esac
		echo -n ' log arp packets arriving on the wrong interface'
	fi
	echo '.'
}

# For every name in static_arp_pairs, arp_<name> holds "<ip> <mac>" and is
# installed as a permanent entry with arp -S.
static_start()
{
	if [ -n "${static_arp_pairs}" ]; then
		echo -n 'Binding static ARP pair:'
		for e in ${static_arp_pairs}; do
			echo -n " ${e}"
			eval arp_args=\$arp_${e}
			arp -S ${arp_args} >/dev/null 2>&1
		done
		echo '.'
	fi
}

static_stop()
{
	if [ -n "${static_arp_pairs}" ]; then
		echo -n 'Unbinding static ARP pair:'
		for e in ${static_arp_pairs}; do
			echo -n " ${e}"
			eval arp_args=\$arp_${e}
			# Strip the MAC so only the address is passed to arp -d.
			arp_args=`echo ${arp_args} | sed -e s,..:..:..:..:..:..,,g`
			arp -d ${arp_args} >/dev/null 2>&1
		done
		echo '.'
	fi
}

load_rc_config $name
run_rc_command "$1"

From owner-freebsd-rc@FreeBSD.ORG Wed Jan 2 21:09:15 2008
Message-ID: <477BFA5C.60602@dlr.de>
Date: Wed, 02 Jan 2008 21:55:56 +0100
From: Hartmut Brandt
Organization: German Aerospace Center
To: d@delphij.net
Cc: FreeBSD Current, freebsd-rc@FreeBSD.org
References: <477BE583.6080202@delphij.net>
In-Reply-To: <477BE583.6080202@delphij.net>
Subject: Re: [RFC] rc.d script for binding static arp pairs and logging options
List-Id: "Discussion related to /etc/rc.d design and implementation."
Xin LI wrote:
> Hi,
>
> Here is a rc.d script that I use on my own server, which provides two
> functionalities:
>
> - Bind ARP pairs specified in rc.conf (*);

Not having looked at the actual scripts, just a comment: while the ARP
and the routing tables are still unified, static arp entries can be done
with the normal static_routes rc stuff. As far as I know this is going to
change, so your script will be needed sooner or later. The functionality
is needed for sure.

harti

> - Set ARP logging options (+).
From owner-freebsd-rc@FreeBSD.ORG Thu Jan 3 02:12:14 2008
Message-ID: <477C4474.3000702@delphij.net>
Date: Wed, 02 Jan 2008 18:12:04 -0800
From: Xin LI
Organization: The FreeBSD Project
Reply-To: d@delphij.net
To: Pawel Worach
Cc: freebsd-rc@FreeBSD.org, FreeBSD Current, d@delphij.net
References: <477BE583.6080202@delphij.net> <477C423F.2020701@gmail.com>
In-Reply-To: <477C423F.2020701@gmail.com>
Subject: Re: [RFC] rc.d script for binding static arp pairs and logging options
List-Id: "Discussion related to /etc/rc.d design and implementation."

Pawel Worach wrote:
> Xin LI wrote:
>> Hi,
>>
>> Here is a rc.d script that I use on my own server, which provides two
>> functionalities:
>>
>> - Bind ARP pairs specified in rc.conf (*);
>> - Set ARP logging options (+).
>>
>
> What about ethers(5) and arp -f, would that potentially pollute the arp
> table with too much junk?

I think ethers(5) is designed for some other uses, i.e. it serves like
hosts(5). It sounds like a good idea to utilize arp -f; do we have some
easy way to unbind the pairs if we don't want -d -a? (Or should we not
even bother to think about it?)

Cheers,
--
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve!
From owner-freebsd-rc@FreeBSD.ORG Thu Jan 3 02:27:41 2008
Message-ID: <477C423F.2020701@gmail.com>
Date: Thu, 03 Jan 2008 03:02:39 +0100
From: Pawel Worach
To: d@delphij.net
Cc: FreeBSD Current, freebsd-rc@FreeBSD.org
References: <477BE583.6080202@delphij.net>
In-Reply-To: <477BE583.6080202@delphij.net>
Subject: Re: [RFC] rc.d script for binding static arp pairs and logging options
List-Id: "Discussion related to /etc/rc.d design and implementation."

Xin LI wrote:
> Hi,
>
> Here is a rc.d script that I use on my own server, which provides two
> functionalities:
>
> - Bind ARP pairs specified in rc.conf (*);
> - Set ARP logging options (+).
>

What about ethers(5) and arp -f, would that potentially pollute the arp
table with too much junk?

--
Pawel
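As an added example that is neither Xin LI's script nor anything posted in the thread, the following POSIX sh helper takes the static_arp_pairs / arp_<name> convention proposed in the first message, validates each pair before it reaches arp(8), derives the address for "arp -d" from the parsed pair instead of stripping the MAC with sed, and renders the same pairs in the "hostname ether_addr" line format that arp -f reads according to arp(8), which is the alternative Pawel raised. The ARP_CMD hook, the function names and the two sample pairs are my own assumptions; setting ARP_CMD=echo dry-runs the commands without touching the ARP table.

```shell
#!/bin/sh
# Added example, not Xin LI's rc.d script.  ARP_CMD is a hypothetical hook:
# it defaults to arp(8) and can be set to "echo" for a dry run.
ARP_CMD=${ARP_CMD:-arp}

# Constructed rc.conf fragment using the syntax proposed in the thread.
static_arp_pairs="gw fileserver"
arp_gw="172.16.1.1 00:1c:58:6a:7b:49"
arp_fileserver="172.16.1.20 00:0c:29:ab:cd:ef"

# Strict dotted-quad check: shape first, then every octet within 0..255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    (IFS=.; set -- $1; for o in "$@"; do [ "$o" -le 255 ] || exit 1; done)
}

# Six colon-separated hex pairs, case-insensitive.
is_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# arp_pair NAME: print the validated "IP MAC" stored in arp_NAME.  The name
# is restricted to [A-Za-z0-9_] because it is spliced into a variable name
# by eval, exactly as the rc.d script does.
arp_pair() {
    name=$1
    case $name in
    ''|*[!A-Za-z0-9_]*) echo "arp: bad pair name '$name'" >&2; return 1 ;;
    esac
    eval "pair=\$arp_$name"
    set -- $pair
    if [ $# -ne 2 ] || ! is_ipv4 "$1" || ! is_mac "$2"; then
        echo "arp: malformed entry arp_$name='$pair'" >&2
        return 1
    fi
    echo "$1 $2"
}

# Validate every configured pair before touching the table, so a typo in
# rc.conf does not leave the table half-configured.
check_pairs() {
    for e in $static_arp_pairs; do arp_pair "$e" >/dev/null || return 1; done
}

# Install each pair as a permanent entry (arp -S IP MAC).
static_bind() {
    check_pairs || return 1
    for e in $static_arp_pairs; do
        set -- $(arp_pair "$e")
        $ARP_CMD -S "$1" "$2"
    done
}

# Remove only the configured addresses; arp -d needs just the IP, so there
# is no need for "arp -d -a" and no need to regex the MAC away.
static_unbind() {
    check_pairs || return 1
    for e in $static_arp_pairs; do
        set -- $(arp_pair "$e")
        $ARP_CMD -d "$1"
    done
}

# One "IP MAC" line per pair, the format "arp -f FILE" loads in one call.
to_arp_file() {
    check_pairs || return 1
    for e in $static_arp_pairs; do arp_pair "$e"; done
}
```

Running static_bind with ARP_CMD left at its default installs the entries; to_arp_file > /some/file followed by arp -f on that file does the same in a single arp(8) invocation, and static_unbind answers the "don't want -d -a" concern by deleting exactly the addresses that were configured. The pair-name check matters because the name is expanded through eval, as in the original script: rejecting anything outside [A-Za-z0-9_] keeps a stray character in rc.conf from becoming shell syntax.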
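The three log_arp_* sysctls the script toggles only help if someone reads what they log. As a second added example, again not part of the thread, here is a POSIX sh/awk triage helper that picks the ARP warnings out of a syslog stream and reports which MAC addresses are implicated in more than one event. The sample lines are constructed to follow the shape of the kernel's "arp: ..." messages as I understand them (an assumption, not taken from the thread), with one unrelated line mixed in; the hostnames, addresses and the functions classify_arp and suspect_macs are my own.

```shell
#!/bin/sh
# Added example, not part of the thread.  Constructed syslog sample: the
# three "arp:" forms are the ones governed by log_arp_movements,
# log_arp_permanent_modify and log_arp_wrong_iface respectively (an
# assumption about the kernel's wording); the sshd line is noise.
SAMPLE_LOG='Jan  3 03:27:02 gw kernel: arp: 172.16.1.1 moved from 00:1c:58:6a:7b:49 to 00:de:ad:be:ef:01 on em0
Jan  3 03:27:03 gw kernel: arp: 00:de:ad:be:ef:01 attempts to modify permanent entry for 172.16.1.1 on em0
Jan  3 03:27:05 gw kernel: arp: 172.16.1.20 is on em0 but got reply from 00:de:ad:be:ef:01 on em1
Jan  3 03:27:09 gw kernel: arp: 172.16.1.1 moved from 00:de:ad:be:ef:01 to 00:1c:58:6a:7b:49 on em0
Jan  3 03:28:00 gw sshd[812]: Accepted publickey for ops from 172.16.1.50 port 51022 ssh2'

# classify_arp: stdin -> one "KIND IP MAC IFACE" line per ARP warning.
# Fields are located relative to the "arp:" token so the syslog prefix
# (date, host, facility) may vary in length.
classify_arp() {
    awk '
    {
        for (i = 1; i <= NF; i++) if ($i == "arp:") break
        if (i > NF) next
        if ($(i+2) == "moved")
            # log_arp_movements: IP moved from OLDMAC to NEWMAC on IFACE
            print "moved", $(i+1), $(i+6), $(i+8)
        else if ($(i+2) == "attempts")
            # log_arp_permanent_modify: MAC attempts to modify permanent entry for IP on IFACE
            print "permanent", $(i+8), $(i+1), $(i+10)
        else if ($(i+2) == "is" && $(i+5) == "but")
            # log_arp_wrong_iface: IP is on IFACE0 but got reply from MAC on IFACE1
            print "wrong_iface", $(i+1), $(i+9), $(i+11)
    }'
}

# suspect_macs [MIN]: stdin -> "MAC COUNT" for every MAC that shows up in at
# least MIN (default 2) ARP warnings of any kind.
suspect_macs() {
    classify_arp | awk -v min="${1:-2}" '
        { n[$3]++ }
        END { for (m in n) if (n[m] >= min) print m, n[m] }'
}
```

Piping a syslog file through classify_arp gives a flat record per warning; suspect_macs rolls that up so a single station answering for addresses it does not own stands out across all three message types at once. On the sample, 00:de:ad:be:ef:01 is reported three times while the original gateway MAC appears only when the entry moves back. Setting any of the knobs to "NO" in rc.conf silences the corresponding line entirely, so the quieter configuration the script allows is a trade of visibility for less log volume.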