Date: Sun, 10 Oct 1999 09:49:31 +0200
From: sthaug@nethelp.no
To: julian@whistle.com
Cc: aron@cs.rice.edu, freebsd-net@FreeBSD.ORG, justin@apple.com, alc@cs.rice.edu, wollman@khavrinen.lcs.mit.edu
Subject: Re: arp errors on machines with two interfaces
Message-ID: <70639.939541771@verdi.nethelp.no>
In-Reply-To: Your message of "Sat, 9 Oct 1999 14:06:54 -0700 (PDT)"
References: <Pine.BSF.4.05.9910091356490.53621-100000@home.elischer.org>
> He does have a point however.. ARP packets that are not for the networks
> that are on the receiving NIC could probably be safely discarded without
> affecting the way that the system supports the spec. I think it's vague on
> this point, and we SEE that other people do similar. I would actually
> think that it would be a security improvement.
> I don't think we should accept configuration or routing information from
> machines that are not on the right network.
>
> If I had one net inside a firewall and one outside, I don't want to
> receive ARP packets from the outside that are influencing my internal
> routing (arp) table.

If I had one inside net and one outside net connected to the same switch, and *no* VLAN or segmentation on the switch (due to some kind of switch misconfiguration), I certainly would like FreeBSD to tell me about this misconfiguration - for instance by a suitable ARP error message. (This is not just theoretical. I've seen organizations buy an expensive firewall, only to connect both the inside and outside nets to the same hub!)

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
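The check both posters are discussing, as an added example (not code from FreeBSD or from either poster): decode an Ethernet/IPv4 ARP packet, test whether its sender protocol address lies in a network configured on the receiving interface, and produce the log message Steinar asks for rather than silently dropping the packet. The interface table, interface names and sample packet are constructed for the example.

```python
import ipaddress
import struct

# Constructed: interface name -> IPv4 prefixes configured on it (not FreeBSD's
# real ifnet structures). fxp0 is the "inside" NIC, fxp1 the "outside" one.
INTERFACES = {
    "fxp0": [ipaddress.ip_network("192.168.1.0/24")],
    "fxp1": [ipaddress.ip_network("203.0.113.0/29")],
}

# RFC 826 ARP header for Ethernet/IPv4, without the Ethernet header.
ARP_FMT = "!HHBBH6s4s6s4s"


def parse_arp(frame: bytes) -> dict:
    """Decode the fixed 28-byte ARP header; reject non Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[:28])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": sha.hex(":"), "spa": ipaddress.ip_address(spa),
            "tha": tha.hex(":"), "tpa": ipaddress.ip_address(tpa)}


def check_arp(ifname: str, frame: bytes) -> tuple:
    """Return (on_link, message).

    on_link is False when the sender address is outside every prefix configured
    on the receiving interface; message is the line worth logging in that case,
    since it usually means two segments that should be separate are bridged.
    """
    pkt = parse_arp(frame)
    prefixes = INTERFACES[ifname]
    if any(pkt["spa"] in p for p in prefixes):
        return True, f"{ifname}: arp from {pkt['spa']} ({pkt['sha']}) is on-link"
    return False, (f"{ifname}: arp: sender {pkt['spa']} ({pkt['sha']}) is not on any "
                   f"configured network ({', '.join(map(str, prefixes))}); "
                   "inside and outside segments may be connected to the same switch")


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Assemble an ARP packet (used here only to construct the sample)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, bytes.fromhex(sha),
                       ipaddress.ip_address(spa).packed, bytes.fromhex(tha),
                       ipaddress.ip_address(tpa).packed)


# Constructed sample: an ARP reply from an "outside" host seen on the inside NIC.
SAMPLE = build_arp(2, "001122334455", "203.0.113.2", "000000000000", "192.168.1.1")
```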