Date: Wed, 5 Dec 2001 23:17:35 +0700
From: Eugene Grosbein
To: "Crist J . Clark"
Cc: security@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: NOARP - gateway must answer and have frozen ARP table
Message-ID: <20011205231735.A1361@grosbein.pp.ru>
References: <20011205124430.A83642@svzserv.kemerovo.su> <20011205040316.H40864@blossom.cjclark.org>
In-Reply-To: <20011205040316.H40864@blossom.cjclark.org>; from cjc@FreeBSD.ORG on Wed, Dec 05, 2001 at 04:03:16AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG

On Wed, Dec 05, 2001 at 04:03:16AM -0800, Crist J . Clark wrote:

> > Not sure what is correct list, this is about network security.
> > Flag NOARP did not work for ethernet interface before 4.4-RELEASE.
> > We needed static ARP table so used local patch for it.
> > 4.4-RELEASE implemented NOARP but in the different way.
>
> See PR 31873.

I have read this PR and other discussions. And I want to say that this
'intended' behavior is useless for some configurations. A machine acting
as public gateway must respond to ARP requests for its IP. And it often
must not allow modifying its ARP table. So I'm asking to have another
behavior as an option. Perhaps, tunable as sysctl. We have used this scheme
for several years in production, keeping our local patches.
It seems this scheme is used widely, I've seen several different patches
implementing this since 2.2.x. We use one of them.

Eugene Grosbein.
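An added example, not part of the original message and not FreeBSD code: a small Python model of the behavior requested above, where a gateway answers ARP requests for its own IP but never updates its table from received packets. The class name, the alert list and all addresses are assumptions made for illustration; the packets are constructed samples.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # RFC 826 payload for Ethernet/IPv4, 28 bytes
ARP_REQUEST, ARP_REPLY = 1, 2

def ip(text):
    return socket.inet_aton(text)

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def make_arp(op, sha, spa, tha, tpa):
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

def parse_arp(payload):
    if len(payload) < 28:
        raise ValueError("short ARP payload")
    fields = struct.unpack(ARP_FMT, payload[:28])
    if fields[:4] != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return fields[4:]            # (op, sha, spa, tha, tpa)

class FrozenArpGateway:
    """Hypothetical model: answer ARP for our own IP, never learn from the wire."""
    def __init__(self, my_ip, my_mac, static_table):
        self.my_ip, self.my_mac = my_ip, my_mac
        self.table = dict(static_table)   # IP -> MAC, changed only by the administrator
        self.table[my_ip] = my_mac        # our own binding is pinned as well
        self.alerts = []                  # (claimed IP, offending MAC) pairs

    def handle(self, payload):
        """Return the ARP reply to send, or None. The table is never modified."""
        op, sha, spa, tha, tpa = parse_arp(payload)
        pinned = self.table.get(spa)
        if pinned is not None and pinned != sha:
            self.alerts.append((spa, sha))   # sender contradicts a pinned binding
        if op == ARP_REQUEST and tpa == self.my_ip:
            return make_arp(ARP_REPLY, self.my_mac, self.my_ip, sha, spa)
        return None

if __name__ == "__main__":
    # Constructed sample: documentation addresses, locally administered MACs.
    gw = FrozenArpGateway(ip("192.0.2.1"), mac("02:00:00:00:00:01"),
                          {ip("192.0.2.10"): mac("02:00:00:00:00:10")})
    spoof = make_arp(ARP_REPLY, mac("02:00:00:00:00:66"), ip("192.0.2.10"),
                     mac("02:00:00:00:00:01"), ip("192.0.2.1"))
    print(gw.handle(spoof), gw.alerts)
```
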