Date:      Tue, 6 Feb 2001 13:43:05 -0800 (PST)
From:      Rich Wales <richw@webcom.com>
To:        Luigi Rizzo <rizzo@aciri.org>
Cc:        Julian Elischer <julian@elischer.org>, patrick@netzuno.com, freebsd-net@FreeBSD.ORG, julian@FreeBSD.ORG
Subject:   Dueling ARP replies and firewall filtering
Message-ID:  <20010206212535.24026.richw@wyattearp.stanford.edu>
In-Reply-To: <20010206190650.09873.richw@wyattearp.stanford.edu>

Another thought about the "dueling ARP reply" issue.

In one way, I suppose it's not a serious problem, because even if
the "wrong" hardware address gets cached, packets still get through,
and communication is not cut off.

On the other hand, it =may= be a problem from a security standpoint.
Suppose I want to protect myself from spoofing attacks, by ensuring
that traffic from a given IP address only uses a specific interface.

In my case, since I =know= that my desktop is connected to my bridge
via the bridge's "rl0" NIC, any traffic arriving on the bridge's "xl0"
NIC (my link to the Internet at large) -- but claiming to be from the
desktop's IP address -- is clearly a sign of an impostor trying to
break into my network.

Now, if I were using a conventional (non-bridge) router, I could protect
myself from such spoof attacks by tailoring my firewall rules to
match the receiving interface, as well as the IP address.  I =think=
I should be able to do the same with a bridging router too, but will
this work if the desktop is using the "wrong" MAC address to contact
the bridge?

Stated another way, if my desktop thinks that the bridge's MAC address
is the address of its "xl0" NIC, does this mean that traffic arriving
on the bridge from the desktop will appear (for firewall purposes) to
be arriving via "xl0" -- even though it really came in via "rl0"?

Julian, when the firewall code (ipfw or ipfilter, I don't really care
which) is finally integrated into the netgraph bridge code, will this
issue be taken into account?

Rich Wales         richw@webcom.com         http://www.webcom.com/richw/
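An added illustration, not part of the thread and not a statement of how FreeBSD's bridge or ipfw actually behaves, of the distinction the question turns on: an anti-spoof filter keyed on the port a frame physically arrived on versus one that infers the "receiving interface" from which bridge MAC the frame was addressed to. The interface names rl0 and xl0 come from the message; the IP and MAC addresses are constructed.

```python
from dataclasses import dataclass

# Constructed topology (hypothetical addresses, not from the e-mail): the
# desktop hangs off the bridge's rl0 port, xl0 faces the Internet.
DESKTOP_IP = "192.0.2.10"
BRIDGE_MAC = {"rl0": "00:00:5e:00:53:01", "xl0": "00:00:5e:00:53:02"}

@dataclass(frozen=True)
class Frame:
    ingress_if: str   # NIC the frame physically arrived on
    dst_mac: str      # bridge MAC the sender put in the Ethernet header
    src_ip: str

# Anti-spoof policy in the spirit of ipfw's "in recv <iface>" matching:
# the desktop's address is legitimate only on rl0.  (action, src_ip, iface)
RULES = [("deny", DESKTOP_IP, "xl0"), ("allow", DESKTOP_IP, "rl0")]

def decide(src_ip, iface):
    """First matching rule wins; traffic matching no rule is allowed."""
    for action, ip, rule_if in RULES:
        if src_ip == ip and iface == rule_if:
            return action
    return "allow"

def filter_by_ingress(frame):
    """Key the interface check on the physical receiving port."""
    return decide(frame.src_ip, frame.ingress_if)

def filter_by_dst_mac(frame):
    """The behaviour the question worries about: infer the 'receiving
    interface' from which bridge MAC the frame was addressed to."""
    apparent_if = next(i for i, m in BRIDGE_MAC.items() if m == frame.dst_mac)
    return decide(frame.src_ip, apparent_if)

# Constructed frames covering the cases discussed in the message.
CASES = {
    # desktop with the right ARP entry: both filters agree
    "desktop_normal": Frame("rl0", BRIDGE_MAC["rl0"], DESKTOP_IP),
    # desktop whose ARP cache holds xl0's MAC after a dueling reply:
    # a MAC-keyed filter drops legitimate traffic, ingress-keyed does not
    "desktop_wrong_arp": Frame("rl0", BRIDGE_MAC["xl0"], DESKTOP_IP),
    # spoofed source arriving on the Internet side: only the ingress-keyed
    # filter is reliable whichever bridge MAC the frame was sent to
    "spoof_via_xl0": Frame("xl0", BRIDGE_MAC["xl0"], DESKTOP_IP),
    "spoof_via_xl0_to_rl0_mac": Frame("xl0", BRIDGE_MAC["rl0"], DESKTOP_IP),
}
```

The second and fourth cases are the ones that matter: a filter that derives the interface from the destination MAC both blocks the desktop after a dueling ARP reply and passes a spoofed frame from the Internet side, so the check has to be tied to the physical ingress port.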