Date: Wed, 5 Dec 2001 23:17:35 +0700
From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: "Crist J . Clark" <cjc@FreeBSD.ORG>
Cc: security@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: NOARP - gateway must answer and have frozen ARP table
Message-ID: <20011205231735.A1361@grosbein.pp.ru>
In-Reply-To: <20011205040316.H40864@blossom.cjclark.org>; from cjc@FreeBSD.ORG on Wed, Dec 05, 2001 at 04:03:16AM -0800
References: <20011205124430.A83642@svzserv.kemerovo.su> <20011205040316.H40864@blossom.cjclark.org>
On Wed, Dec 05, 2001 at 04:03:16AM -0800, Crist J . Clark wrote:
> > Not sure what the correct list is; this is about network security.
> > Flag NOARP did not work for Ethernet interfaces before 4.4-RELEASE.
> > We needed a static ARP table, so we used a local patch for it.
> > 4.4-RELEASE implemented NOARP, but in a different way.
> See PR 31873.

I have read this PR and other discussions. And I want to say that this
'intended' behaviour is useless for some configurations.

A machine acting as a public gateway must respond to ARP requests for its
IP. And it often must not allow modifying its ARP table. So I'm asking for
another behaviour as an option. Perhaps tunable as a sysctl.

We have used this scheme for several years in production, keeping our local
patches. It seems this scheme is used widely; I've seen several different
patches implementing this since 2.2.x. We use one of them.

Eugene Grosbein.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011205231735.A1361>
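The configuration discussed in this thread (a gateway that still answers ARP for its own address but whose neighbour table is fixed) is usually operated by loading permanent entries with arp(8) ("arp -s host ether_addr" for one entry, "arp -f file" for a file of "host ether_addr" lines) and then checking that the live table has not drifted. The script below is an added example written for this archive page, not code from the thread, from any of the patches it mentions, or from FreeBSD itself. It compares an expected static table in the "arp -f" file format against a dump in the format that "arp -an" prints, and reports entries that are missing, that carry a different MAC, that are not marked permanent, or that appear in the dump without being in the expected table. Both the expected table and the dump here are constructed sample data; the script never calls arp(8) itself, so it runs anywhere a POSIX shell does.

```shell
#!/bin/sh
# Added example: audit a gateway's ARP table against an expected static table.
# Not from the thread or from FreeBSD; the data below is constructed.

# Expected table, in the "host ether_addr [temp] [pub]" format that
# "arp -f" loads. Constructed sample.
EXPECTED='192.0.2.1 00:11:22:33:44:01
192.0.2.2 00:11:22:33:44:02
192.0.2.3 00:11:22:33:44:03'

# Constructed sample of "arp -an" output. Each line has the shape
# "? (ip) at mac on ifname <permanent | expires in N seconds> [ethernet]".
# Entry .2 has a changed MAC, .3 is dynamic, .9 was never configured.
SAMPLE='? (192.0.2.1) at 00:11:22:33:44:01 on em0 permanent [ethernet]
? (192.0.2.2) at 00:11:22:33:44:ff on em0 permanent [ethernet]
? (192.0.2.3) at 00:11:22:33:44:03 on em0 expires in 1187 seconds [ethernet]
? (192.0.2.9) at 00:11:22:33:44:09 on em0 expires in 900 seconds [ethernet]'

# arp_findings EXPECTED_TABLE ARP_DUMP
# Prints one finding per line; prints nothing when the dump matches exactly.
# Here-documents are used instead of pipes so the loops run in this shell.
arp_findings() {
    expected=$1
    dump=$2

    # Pass 1: every expected entry must be present, permanent, and unchanged.
    while read -r ip mac _; do
        [ -n "$ip" ] || continue
        # "(ip) " with the closing paren avoids matching a longer prefix.
        line=$(printf '%s\n' "$dump" | grep -F "($ip) " || true)
        if [ -z "$line" ]; then
            printf 'MISSING %s\n' "$ip"
            continue
        fi
        seen=$(printf '%s\n' "$line" | awk '{print $4}')
        [ "$seen" = "$mac" ] || printf 'CHANGED %s expected %s got %s\n' "$ip" "$mac" "$seen"
        case " $line " in
            *" permanent "*) ;;
            *) printf 'NOT_PERMANENT %s\n' "$ip" ;;
        esac
    done <<EOF
$expected
EOF

    # Pass 2: anything in the dump that is not in the expected table was
    # learned dynamically, which a frozen table should never show.
    while read -r _ paren_ip _; do
        [ -n "$paren_ip" ] || continue
        ip=${paren_ip#\(}
        ip=${ip%\)}
        printf '%s\n' "$expected" | awk -v ip="$ip" '$1 == ip { f = 1 } END { exit !f }' \
            || printf 'UNEXPECTED %s\n' "$ip"
    done <<EOF
$dump
EOF
}

# arp_finding_count EXPECTED_TABLE ARP_DUMP
# Number of findings; 0 means the table is exactly as configured.
arp_finding_count() {
    arp_findings "$1" "$2" | awk 'END { print NR }'
}

# Stand-alone run over the constructed sample.
# On a real gateway the call would be:
#   arp_findings "$(cat /etc/arp.static)" "$(arp -an)"
arp_findings "$EXPECTED" "$SAMPLE"
```

Run against the constructed sample, the script reports three findings: a changed MAC for 192.0.2.2, a non-permanent entry for 192.0.2.3, and an unexpected entry for 192.0.2.9. A non-zero count from arp_finding_count is the condition a cron job or monitoring check would alert on; whether the fix is "arp -f" to reload the table or an investigation of who answered ARP with the other MAC is an operational decision the script does not make.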