Date: Thu, 4 Apr 1996 12:39:39 -0800 (PST)
From: Steve Reid <steve@edmweb.com>
To: Livio Mazzon <lmazzon@acslink.net.au>
Cc: freebsd-isp@freebsd.org
Subject: Re: PPP Server and proxy-arp bug...
Message-ID: <Pine.BSF.3.91.960404121131.2666A-100000@kirk.edmweb.com>
In-Reply-To: <199604041407.AAA29231@peg.apc.org>
> I'm using 2.0.5 and intend to set up a PPP server. But I note,
> Steve Reid <steve@edmweb.com> wrote:
> >avoid the headaches of the proxy-arp bug.
> What type of problems can I expect with the proxy-arp bug?
> What is the bug?
> Is it mandatory for my site (a production ISP) to change to 2.1, or is the
> problem not an issue?

You *can* use 2.0.5, and you should be able to use the in_rmx.c file from 2.1-stable to fix the proxy-arp bug. But, there are a few security holes in 2.0.5... There's the telnetd hole that will allow anyone who can place a file onto your filesystem to gain root access. There's the syslogd hole that allows anyone to overflow certain internal buffers and gain root access. There are probably others that I don't know about.

With those holes, you can do one of three things:
1- Patch each one individually
2- Upgrade your entire system to 2.1
3- Leave everything as-is, and hope nobody notices.

FreeBSD 2.1 is probably one of the best Un*xes when it comes to out-of-the-box security.

Proxy-ARP creates an ARP entry that allows other systems on your LAN (including the router) to know that the IP address of the dial-in PPP user is on the same Ethernet address as the FreeBSD dial-in box. Thus, it allows communication between the dial-in PPP user and the Ethernet (and from the Ethernet to the rest of the Internet).

The Proxy-ARP bug occasionally causes the ARP entry not to be erased when the user disconnects. When someone else tries to dial in and use the same IP address, the system won't be able to create the ARP entry for them, because the old one still exists. The result is that the user has to re-dial in and hope they get an IP address that works. Eventually, probably every IP address assigned to the modems will become unusable, until you go and delete the stale ARP entries by hand. A serious problem for ISPs using FreeBSD, but there is an easy fix...
The new in_rmx.c file will automatically delete an ARP entry if the user dialing in needs a new ARP entry for that IP address. The stale ARP entries are still there, until someone new comes along and needs to use that entry. So, the old ARP entries are automatically deleted right before the point where they would cause the problem.
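One way to spot the stale proxy-ARP entries the message describes before they lock out a modem's IP address, so an admin can clear them by hand: this is an added example, not code from the thread or from FreeBSD, and the `arp -an` and `ifconfig` lines it parses are constructed samples in the shape those tools print.

```shell
#!/bin/sh
# Constructed sample of `arp -an` output. "published" marks the proxy-ARP
# entries the PPP server installed on behalf of dial-in users.
ARP_TABLE='? (192.168.1.1) at 0:0:c:11:22:33 on ed0 [ethernet]
? (192.168.1.101) at 0:a0:c9:12:34:56 on ed0 permanent published [ethernet]
? (192.168.1.102) at 0:a0:c9:12:34:56 on ed0 permanent published [ethernet]
? (192.168.1.103) at 0:a0:c9:12:34:56 on ed0 permanent published [ethernet]'

# Constructed sample of the `ifconfig -a` lines for PPP links that are
# currently up; the address after "-->" is the dial-in user's IP.
PPP_LINKS='ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 192.168.1.2 --> 192.168.1.102 netmask 0xffffffff'

# Print the IP address of every published (proxy) ARP entry.
published_arp_ips() {
    printf '%s\n' "$ARP_TABLE" |
        awk '/ published / { gsub(/[()]/, "", $2); print $2 }'
}

# Print the remote IP address of every PPP link that is currently up.
active_ppp_peers() {
    printf '%s\n' "$PPP_LINKS" |
        awk '$1 == "inet" && $3 == "-->" { print $4 }'
}

# A proxy entry whose address no connected PPP user holds is stale:
# it was left behind when that user disconnected.
stale_proxy_arp_ips() {
    published_arp_ips | while read -r ip; do
        active_ppp_peers | grep -qx "$ip" || echo "$ip"
    done
}

# Dry run: print the arp -d commands that would clear the stale entries.
stale_arp_cleanup_commands() {
    stale_proxy_arp_ips | sed 's/^/arp -d /'
}

stale_arp_cleanup_commands
```

On a live box, replace the two constructed variables with the real `arp -an` and `ifconfig -a` output and review the printed commands before running them.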
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.960404121131.2666A-100000>