Date:      Thu, 6 Dec 2001 23:14:01 -0800
From:      "Crist J . Clark" <cristjc@earthlink.net>
To:        Bill Fenner <fenner@research.att.com>
Cc:        net@freebsd.org, security@freebsd.org
Subject:   Re: NOARP - gateway must answer and have frozen ARP table
Message-ID:  <20011206231401.N8975@blossom.cjclark.org>
In-Reply-To: <200112062059.MAA02282@windsor.research.att.com>; from fenner@research.att.com on Thu, Dec 06, 2001 at 12:59:39PM -0800
References:  <20011205124430.A83642@svzserv.kemerovo.su> <20011205040316.H40864@blossom.cjclark.org> <20011205231735.A1361@grosbein.pp.ru> <20011205193859.B79705@sunbay.com> <200112051835.fB5IZqH95521@whizzo.transsys.com> <20011205204526.B89520@sunbay.com> <200112051852.fB5IqmH95809@whizzo.transsys.com> <20011205121928.A3061@blossom.cjclark.org> <200112062059.MAA02282@windsor.research.att.com>

On Thu, Dec 06, 2001 at 12:59:39PM -0800, Bill Fenner wrote:
> 
> Garrett and I discussed what IFF_NOARP should mean about 4-5 years
> ago; we decided that it probably meant "no ARP".  We discussed
> the idea of separating it out into two flags; "Don't reply to ARP"
> and "don't pay attention to ARP" but decided to wait and see what
> people thought.  4-5 years is probably enough time to wait =)
> 
> My proposal: keep IFF_NOARP, but add IFF_NOSENDARP and IFF_NOREPLYARP
> (or something, I'm no good at making up names).  I agree with Louie
> that it makes sense for these to be per-interface as opposed to
> Ruslan's sysctl.

If this is really what you want to do, I believe you can do it with
existing tools.

For simplicity, I'm just going to illustrate a way to set it up rather
than explain it. Store your IP-MAC address pairs in a flat file as
prescribed in arp(8),

	192.168.10.2	01:02:03:10:11:12
	192.168.10.4	01:02:03:21:22:23
	...

Load your permanent ARP table with a simple,

	arp -f arp_list.txt

In the startup and include,

	while read IP MAC; do
		ipfw add pass ip from $IP to any via if0
		ipfw add pass ip from any to $IP via if0
	done < arp_list.txt

	ipfw add deny ip from any to any via if0

In your rc.firewall.

Now you have a static ARP table and all traffic not from those IP
addresses is blocked. Since we never ARP for any other addresses (the
packets are blocked before we ARP for them), we never get other entries
in the ARP table.

At least I think this should do what you want. I still am not quite
sure what a "one-way ARP" is supposed to gain.
-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
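Added example, not part of the original message: a script that turns an arp(8) -f style "IP MAC" file into the static-ARP entries and ipfw rules described in the post, checking each line before it becomes a rule. The interface name if0 and the sample list are placeholders; the commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example (not from the thread): generate the static-ARP and ipfw
# commands for every host in an arp_list.txt-style file. IFACE is a
# placeholder; output is printed so it can be inspected before use.
IFACE=if0

# Accept one dotted-quad IPv4 address and one colon-separated MAC.
# Octets above 255, wrong octet counts and short MACs are rejected.
valid_pair() {
    ip=$1 mac=$2
    case "$ip" in *[!0-9.]*|"") return 1 ;; esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')          # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    hx='[0-9a-fA-F][0-9a-fA-F]'
    case "$mac" in $hx:$hx:$hx:$hx:$hx:$hx) return 0 ;; esac
    return 1
}

# Emit the per-host commands for each entry, then the catch-all deny.
# Blank lines and '#' comments are skipped; trailing arp(8) keywords
# such as "temp" or "pub" are ignored. A malformed line aborts with a
# non-zero status so a typo cannot silently leave the interface open.
gen_rules() {
    while read -r ip mac rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        if ! valid_pair "$ip" "$mac"; then
            echo "gen_rules: malformed entry: $ip $mac" >&2
            return 1
        fi
        echo "arp -s $ip $mac"                        # what 'arp -f' does per line
        echo "ipfw add pass ip from $ip to any via $IFACE"
        echo "ipfw add pass ip from any to $ip via $IFACE"
    done < "$1"
    echo "ipfw add deny ip from any to any via $IFACE"
}

# Constructed sample in the thread's arp_list.txt format.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# hosts allowed on this segment (constructed sample)
192.168.10.2   01:02:03:10:11:12
192.168.10.4   01:02:03:21:22:23
EOF
gen_rules "$SAMPLE"
```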

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011206231401.N8975>