From owner-freebsd-net Sun Oct 10 0:49:39 1999
Delivered-To: freebsd-net@freebsd.org
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id 5EA5315104 for ; Sun, 10 Oct 1999 00:49:32 -0700 (PDT) (envelope-from sthaug@nethelp.no)
Received: (qmail 70641 invoked by uid 1001); 10 Oct 1999 07:49:31 +0000 (GMT)
To: julian@whistle.com
Cc: aron@cs.rice.edu, freebsd-net@FreeBSD.ORG, justin@apple.com, alc@cs.rice.edu, wollman@khavrinen.lcs.mit.edu
Subject: Re: arp errors on machines with two interfaces
From: sthaug@nethelp.no
In-Reply-To: Your message of "Sat, 9 Oct 1999 14:06:54 -0700 (PDT)"
References:
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Sun, 10 Oct 1999 09:49:31 +0200
Message-ID: <70639.939541771@verdi.nethelp.no>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> He does have a point however.. ARP packets that are not for the networks
> that are on the receiving NIC could probably be safely discarded without
> affecting the way that the system supports the spec. I think it's vague on
> this point, and we SEE that other people do similar. I would actually
> think that it would be a security improvement.
> I don't think we should accept configuration or routing information from
> machines that are not on the right network.
>
> If I had one net inside a firewall and one outside, I don't want to
> receive ARP packets from the outside that are influencing my internal
> routing (arp) table.

If I had one inside net and one outside net connected to the same switch, and *no* VLAN or segmentation on the switch (due to some kind of switch misconfiguration), I certainly would like FreeBSD to tell me about this misconfiguration - for instance by a suitable ARP error message.

(This is not just theoretical. I've seen organizations buy an expensive firewall, only to connect both the inside and outside nets to the same hub!)
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
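As an added example, not code from the thread or from FreeBSD: a Python check that applies the policy being argued about, treating an ARP frame whose sender protocol address is outside the receiving interface's configured prefixes as foreign (dropped), but producing a log line so the switch or hub misconfiguration described above is reported rather than silently hidden. The frame builder, MAC addresses and prefixes are constructed for illustration.

```python
import ipaddress
import struct
from typing import Iterable, Tuple

ETHERTYPE_ARP = b"\x08\x06"


def build_arp_request(src_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Construct an Ethernet II frame carrying an ARP request (sample input only)."""
    eth = b"\xff" * 6 + src_mac + ETHERTYPE_ARP                 # broadcast dst, src, ethertype
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)             # Ethernet/IPv4, hlen 6, plen 4, request
    arp += src_mac + ipaddress.IPv4Address(sender_ip).packed    # sender hardware/protocol address
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed  # target hardware/protocol address
    return eth + arp


def classify_arp(frame: bytes, iface_prefixes: Iterable[str]) -> Tuple[str, str]:
    """Return (verdict, log_line) for an ARP frame received on one interface.

    verdict is 'accept' when the sender protocol address lies in one of the
    interface's configured prefixes, 'foreign' when it does not (the case the
    thread discusses: drop it, but also report it), and 'ignore' for frames
    that are not IPv4-over-Ethernet ARP at all.
    """
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return "ignore", "not an ARP frame"
    htype, ptype, hlen, plen, _opcode = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return "ignore", "unsupported ARP hardware/protocol type"
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ipaddress.IPv4Address(frame[28:32])
    nets = [ipaddress.IPv4Network(p, strict=False) for p in iface_prefixes]
    if any(sender_ip in n for n in nets):
        return "accept", f"arp: {sender_ip} at {sender_mac} is on a local network"
    # Foreign sender: refuse to let it influence the ARP table, but say so.
    return "foreign", f"arp: {sender_ip} at {sender_mac} is not on a local network; dropped"


if __name__ == "__main__":
    # Constructed sample: inside interface holds 192.0.2.0/24; an "outside" host
    # on 198.51.100.0/24 is visible because both nets share one unsegmented switch.
    mac = b"\x00\x11\x22\x33\x44\x55"
    for f in (build_arp_request(mac, "192.0.2.10", "192.0.2.1"),
              build_arp_request(mac, "198.51.100.7", "192.0.2.1")):
        print(classify_arp(f, ["192.0.2.0/24"]))
```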