From owner-freebsd-net Tue Feb 6 13:44:28 2001
Delivered-To: freebsd-net@freebsd.org
Received: from wyattearp.stanford.edu (wyattearp.Stanford.EDU [171.64.180.171]) by hub.freebsd.org (Postfix) with ESMTP id 5713337B401; Tue, 6 Feb 2001 13:44:11 -0800 (PST)
Received: (from richw@localhost) by wyattearp.stanford.edu (8.9.3/8.9.3) id NAA25812; Tue, 6 Feb 2001 13:43:05 -0800 (PST) (envelope-from richw)
Date: Tue, 6 Feb 2001 13:43:05 -0800 (PST)
From: Rich Wales
X-Sender: richw@wyattearp.stanford.edu
To: Luigi Rizzo
Cc: Julian Elischer, patrick@netzuno.com, freebsd-net@FreeBSD.ORG, julian@FreeBSD.ORG
Subject: Dueling ARP replies and firewall filtering
In-Reply-To: <20010206190650.09873.richw@wyattearp.stanford.edu>
Message-ID: <20010206212535.24026.richw@wyattearp.stanford.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Another thought about the "dueling ARP reply" issue.

In one way, I suppose it's not a serious problem, because even if the "wrong" hardware address gets cached, packets still get through, and communication is not cut off.

On the other hand, it =may= be a problem from a security standpoint. Suppose I want to protect myself from spoofing attacks, by ensuring that traffic from a given IP address only uses a specific interface. In my case, since I =know= that my desktop is connected to my bridge via the bridge's "rl0" NIC, any traffic arriving on the bridge's "xl0" NIC (my link to the Internet at large) -- but claiming to be from the desktop's IP address -- is clearly a sign of an impostor trying to break into my network.

Now, if I were using a conventional (non-bridge) router, I could protect myself from such spoof attacks by tailoring my firewall rules to match the receiving interface, as well as the IP address.
I =think= I should be able to do the same with a bridging router too, but will this work if the desktop is using the "wrong" MAC address to contact the bridge?

Stated another way, if my desktop thinks that the bridge's MAC address is the address of its "xl0" NIC, does this mean that traffic arriving on the bridge from the desktop will appear (for firewall purposes) to be arriving via "xl0" -- even though it really came in via "rl0"?

Julian, when the firewall code (ipfw or ipfilter, I don't really care which) is finally integrated into the netgraph bridge code, will this issue be taken into account?

Rich Wales
richw@webcom.com
http://www.webcom.com/richw/
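A small model of the scenario raised above, added here as an illustration and not part of the original message or of the FreeBSD bridge code. It assumes constructed addresses, a desktop ARP cache where the last reply wins, and compares two ways a bridge firewall could decide which interface a frame "came in on": guessing from the destination MAC the sender resolved, versus using the physical receiving NIC.

```python
from dataclasses import dataclass

# Constructed addresses for the model; none of these come from the message.
DESKTOP_IP = "10.0.0.5"
BRIDGE_MAC = {"rl0": "02:00:00:00:00:01", "xl0": "02:00:00:00:00:02"}
MAC_TO_NIC = {mac: nic for nic, mac in BRIDGE_MAC.items()}

# Anti-spoof policy: which bridge NIC each protected IP must arrive on.
EXPECTED_INGRESS = {DESKTOP_IP: "rl0"}


@dataclass
class Frame:
    ingress: str   # physical NIC the frame actually arrived on
    dst_mac: str   # bridge MAC the sender resolved via ARP
    src_ip: str    # source IP claimed in the IP header


def resolve_bridge_mac(reply_nics):
    """Desktop's ARP cache entry for the bridge after a sequence of replies.
    Assumed behaviour: each reply overwrites the entry, so the last wins."""
    cached = None
    for nic in reply_nics:
        cached = BRIDGE_MAC[nic]
    return cached


def nic_from_dst_mac(frame):
    """Attribute ingress from the destination MAC (the fragile approach)."""
    return MAC_TO_NIC[frame.dst_mac]


def antispoof(frame, ingress_of):
    """Interface-keyed anti-spoof rule: a packet claiming a protected source
    IP is accepted only if ingress_of() says it arrived on the expected NIC."""
    expected = EXPECTED_INGRESS.get(frame.src_ip)
    if expected is None:
        return "allow"
    return "allow" if ingress_of(frame) == expected else "deny"


def demo():
    # Dueling replies: xl0's reply arrived last, so the desktop cached its MAC.
    mac = resolve_bridge_mac(["rl0", "xl0"])
    legit = Frame("rl0", mac, DESKTOP_IP)   # real desktop, "wrong" dst MAC
    spoof = Frame("xl0", mac, DESKTOP_IP)   # impostor on the Internet side
    by_mac = (antispoof(legit, nic_from_dst_mac), antispoof(spoof, nic_from_dst_mac))
    by_rcvif = (antispoof(legit, lambda f: f.ingress), antispoof(spoof, lambda f: f.ingress))
    return {"by_dst_mac": by_mac, "by_rcvif": by_rcvif}
```

With the wrong MAC cached, keying on the destination MAC denies the legitimate desktop as well as the impostor, while keying on the physical receiving NIC still separates the two.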