From owner-freebsd-ipfw Tue Jun 25 20:39: 9 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.dev.itouchnet.net (devco.net [196.15.188.2]) by hub.freebsd.org (Postfix) with ESMTP id 68E7437B400 for ; Tue, 25 Jun 2002 20:39:03 -0700 (PDT) Received: from nobody by mx1.dev.itouchnet.net with scanned_ok (Exim 3.35 #1) id 17N3fW-000C3L-00 for ipfw@freebsd.org; Wed, 26 Jun 2002 05:40:34 +0200 Received: from shell.devco.net ([196.15.188.7]) by mx1.dev.itouchnet.net with esmtp (Exim 3.35 #1) id 17N3fV-000C30-00; Wed, 26 Jun 2002 05:40:33 +0200 Received: from bvi by shell.devco.net with local (Exim 3.33 #4) id 17N3ee-000J1R-00; Wed, 26 Jun 2002 05:39:40 +0200 Date: Wed, 26 Jun 2002 05:39:40 +0200 From: Barry Irwin To: Luigi Rizzo Cc: Suresh Ramasamy , ipfw@freebsd.org Subject: Re: Question on Filtered Bridging and ARP takeovers Message-ID: <20020626053940.T46303@itouchlabs.com> References: <5.1.0.14.2.20020625120053.02bf64e8@pop.time.net.my> <5.1.0.14.2.20020625120053.02bf64e8@pop.time.net.my> <20020624215809.A21492@iguana.icir.org> <5.1.0.14.2.20020625130437.02cf03f0@pop.time.net.my> <20020625055457.B24694@iguana.icir.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020625055457.B24694@iguana.icir.org>; from luigi@iet.unipi.it on Tue, Jun 25, 2002 at 05:54:57AM -0700 X-Checked: Scanned for any viruses and unauthorized attachments at mx1.dev.itouchnet.net X-iScan-ID: 46331-1025062834-61251@mx1.dev.itouchnet.net version $Name: REL_2_0_2 $ Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG agreed. units that I've read about that implement this, usually release their ARP as soonas they see a system reply with a valid response to an arp request, such as when a new system is turned on. I have not heard f one like this that uses ICMP to check the availability, but rather thy monito unanswered arp requests. Barry On Tue 2002-06-25 (05:54), Luigi Rizzo wrote: > > sounds like it is the "new firewall" that is broken, not FreeBSD! > > cheers > luigi > > On Tue, Jun 25, 2002 at 01:24:51PM +0800, Suresh Ramasamy wrote: > > Thanks Luigi, > > > > I've installed a filtered bridging running on FreeBSD 4.5 Stable > > with these config > > > > WAN ---------- FB (10.10.68.181) ---- Client (10.10.68.222) > > | > > +---------- the rest of 10.10.68.x > > > > Recently, a new firewall was introduced and this firewall was using an > > active ARP > > scanning that "overtakes" IP that does not respond to ping. > > > > The client 68.222 is ICMP disabled with only a few TCP ports open. > > What i noticed is that when I ping from WAN segment to the client, > > in the FB, it shows that ARP is taken over by the rogue firewall. > > > > Temporary Workaround > > > > I added a static ARP entry onto FB (arp -S 10.10.68.222 mac_address pub) to > > publish the ARP into the network segment switch. > > > > Or is there a documented workaround? > > > > > > Q: Should the bridge function on FreeBSD address the ARP poisoning issue? > > If so, I would like to recommend an addition of this into the bridge function > > to identify network at the other end and establish an arp broadcasting > > function for > > the segment behind the filtered bridging. > > > > At 12:58 PM 6/25/2002, you wrote: > > >On Tue, Jun 25, 2002 at 12:01:46PM +0800, Suresh Ramasamy wrote: > > > > I have a question on FreeBSD filtered bridging and ARP > > > > takeovers. Could i direct the question to you, or specifically to > > > > a mailing list? > > > > > >just ask both me and ipfw@freebsd.org > > > > > >luigi > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-ipfw" in the body of the message > > -- Barry Irwin bvi@itouchlabs.com +27214875177 Systems Administrator: Networks And Security Itouch Labs http://www.itouchlabs.com South Africa To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message