Date:      Sat, 08 Dec 2001 14:51:44 +0700
From:      Eugene Grosbein <eugen@svzserv.kemerovo.su>
To:        cjclark@alum.mit.edu
Cc:        Bill Fenner <fenner@research.att.com>, net@FreeBSD.ORG, security@FreeBSD.ORG
Subject:   Re: NOARP - gateway must answer and have frozen ARP table
Message-ID:  <3C11C690.A520577@svzserv.kemerovo.su>
References:  <20011205124430.A83642@svzserv.kemerovo.su> <20011205040316.H40864@blossom.cjclark.org> <20011205231735.A1361@grosbein.pp.ru> <20011205193859.B79705@sunbay.com> <200112051835.fB5IZqH95521@whizzo.transsys.com> <20011205204526.B89520@sunbay.com> <200112051852.fB5IqmH95809@whizzo.transsys.com> <20011205121928.A3061@blossom.cjclark.org> <200112062059.MAA02282@windsor.research.att.com> <20011206231401.N8975@blossom.cjclark.org>

> If this is really what you want to do, I believe you can do it with
> existing tools.
> 
> For simplicity, I'm just going to illustrate a way to set it up rather
> than explain it. Store your IP-MAC address pairs in a flat file as
> prescribed in arp(8),
> 
>         192.168.10.2    01:02:03:10:11:12
>         192.168.10.4    01:02:03:21:22:23
>         ...
> 
> Load your permanent ARP table with a simple,
> 
>         arp -f arp_list.txt
> 
> In the startup and include,
> 
>         while read IP MAC; do
>                 ipfw add pass ip from $IP to any via if0
>                 ipfw add pass ip from any to $IP via if0
>         done < arp_list.txt
> 
>         ipfw add deny ip from any to any via if0
> 
> In your rc.firewall.
> 
> Now you have a static ARP table and all traffic not from those IP
> addresses is blocked. Since we never ARP for any other addresses, the
> packets are blocked before we ARP for them, so we never get other entries
> in the ARP table.

Yes, this should work. But we have many clients on the interface, and IPFW
table pollution is undesirable. This also increases the complexity of the
IPFW configuration, and this complexity seems ill-founded (at least to me)
as we have a way to ignore ARP.
On the other hand, ignoring false ARP replies will make ARP spoofing useless,
at least if MAC addresses have not changed. Administrative arrangements and
arpwatch help us to deal with such clever users.

> At least I think this should do what you want. I still am not quite
> sure what a "one-way ARP" is supposed to gain.

We need the gateway to be usable for our clients without forcing them to use
static ARP themselves.
We do not want to see unregistered machines in the public segment.
We will also be happy to keep our registration procedures, configs and kernel
tables as simple as possible.

A sysctl changing the meaning of the IFF_NOARP flag would be a nice solution.

Eugene Grosbein

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
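The setup quoted above (one arp(8)-format file feeding both the static ARP
table and an ipfw whitelist that ends in a deny) as an added, runnable
example. This is not code from the thread or from FreeBSD; the interface
name "if0", the rule numbering base, the helper names and the sample file
contents are all assumptions made for illustration. It only prints the ipfw
commands instead of executing them, and it validates each entry so that a
typo in the registration file is reported rather than silently turned into a
rule.

```shell
#!/bin/sh
# Added example, not code from the original thread: generate the ipfw
# whitelist from the same arp(8)-format file that "arp -f" loads, so the
# registration list is the only thing an administrator edits.
# Assumptions: interface "if0", rules numbered from 1000, "<ip> <mac>" lines.

IFACE="${IFACE:-if0}"

# Constructed sample in the "<ip> <mac>" layout that arp -f reads. Comment
# and blank lines are tolerated; the last entry is deliberately malformed
# (octet 300) to show that it is skipped instead of becoming a rule.
sample_arp_list() {
    cat <<'EOF'
# registered hosts (constructed sample)
192.168.10.2    01:02:03:10:11:12
192.168.10.4    01:02:03:21:22:23

192.168.10.300  01:02:03:31:32:33
EOF
}

# Dotted-quad check: shape via regex, then each octet <= 255 (the regex
# alone would accept 300).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s\n' "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Six colon-separated hex pairs, case-insensitive.
is_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Read "<ip> <mac>" lines on stdin and print ipfw commands, one per line,
# ending with the deny rule that drops everything not whitelisted.
# Nothing is executed here; pipe the output into sh once it looks right.
gen_ipfw_rules() {
    n="${1:-1000}"
    while read -r ip mac _rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        if ! is_ipv4 "$ip"; then
            printf 'skipping bad IP address: %s\n' "$ip" >&2
            continue
        fi
        if ! is_mac "$mac"; then
            printf 'skipping bad MAC address for %s: %s\n' "$ip" "$mac" >&2
            continue
        fi
        printf 'ipfw add %d pass ip from %s to any via %s\n' "$n" "$ip" "$IFACE"
        n=$((n + 1))
        printf 'ipfw add %d pass ip from any to %s via %s\n' "$n" "$ip" "$IFACE"
        n=$((n + 1))
    done
    printf 'ipfw add %d deny ip from any to any via %s\n' "$n" "$IFACE"
}

# Sanity check before loading: the number of pass rules must be exactly
# twice the number of valid entries in the file.
count_pass_rules() {
    gen_ipfw_rules "$@" | grep -c ' pass ip '
}

# Stand-alone run: show what would be loaded for the constructed sample.
# In rc.firewall the real sequence would be "arp -f arp_list.txt" followed
# by "gen_ipfw_rules < arp_list.txt | sh".
sample_arp_list | gen_ipfw_rules 1000
```

Note what the whitelist does and does not give you: the ipfw rules match on
IP address only, so a host on the segment can still emit packets with a
registered source address. What stops that host from getting anything back
is the frozen ARP table, since the gateway will keep sending replies for a
registered IP to the registered MAC regardless of any ARP reply it hears,
which is the property Eugene is relying on above.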