Date: Wed, 14 Feb 2007 14:19:25 +0300
From: Vladimir Kapustin <msgs_for_me@mail.ru>
To: freebsd-net@freebsd.org
Subject: Strange behavior with arp permanent entries
Message-ID: <319763897.20070214141925@mail.ru>
> Hello, Guys!
>
> I'm trying to restrict some LAN access by arp permanent entries. But it
> didn't work, or it didn't work as I realize it. For example I have the
> following perm entries:
>
> user1: (82.199.215.195) at 00:0f:ea:a4:60:c5 on vlan804 permanent [vlan]
> user2: (82.199.215.196) at 00:13:8f:b1:68:4b on vlan804 permanent [vlan]
>
> And from what I realize, if user1 attempts to use user2's IP address,
> the Router should block all packets which are coming from the wrong physical
> address. But actually that didn't happen and user1 can use user2's IP
> address without any problems.
>
> Maybe someone of you will advise me to use ipfw arp rules, but when I turn
> net.link.ether.ipfw ON I'm getting very low performance from the router.
> We are talking about 800mbps and 600k packets per second, and many users, which
> means many ipfw arp rules.
>
> System1 info:
> FreeBSD 6.2-RELEASE
> Intel(R) Xeon(R) CPU 5130 @ 2.00GHz
> 1G ram
>
> System2 info:
> ...

...................................... man arp : ...................

     -s hostname ether_addr
             Create an ARP entry for the host called hostname with the
             Ethernet address ether_addr.  The Ethernet address is given as
             six hex bytes separated by colons.  The entry will be permanent
             unless the word temp is given in the command.  If the word pub
             is given, the entry will be ``published''; i.e., this system
             will act as an ARP server, responding to requests for hostname
             even though the host address is not its own.  In this case the
             ether_addr can be given as auto in which case the interfaces on
             this host will be examined, and if one of them is found to
             occupy the same subnet, its Ethernet address will be used.  If
             the only keyword is also specified, this will create a
             ``published (proxy only)'' entry.  This type of entry is created
             automatically if arp detects that a routing table entry for
             hostname already exists.

     -S hostname ether_addr
             Is just like -s except any existing ARP entry for this host will
             be deleted first.

.......................
I have:

root@router1# arp -a | wc -l
     927
root@router1# arp -a | less
? (10.3.13.5) at 00:e0:4d:01:cb:09 on vlan313 permanent published [vlan]
? (10.3.13.7) at 00:0d:61:1c:b0:b6 on vlan313 permanent published [vlan]
? (10.3.13.14) at 00:11:d8:e8:db:0a on vlan313 permanent published [vlan]
.........................

with the rules: arp -S IP mac pub
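Added example, not part of this thread: a small Python check that parses `arp -an`-style lines like the ones above into a pinned IP-to-MAC map and flags frames whose source MAC disagrees with the permanent entry for that IP. It makes the thread's point concrete: a permanent (or published) entry only fixes where the router sends to, it never compares inbound source MACs, so that comparison has to be done elsewhere (ipfw layer-2 rules, or out-of-band monitoring like this). The sample table and frame list are constructed, not real captures.

```python
import re

# One line of FreeBSD `arp -an` output, e.g.
#   ? (10.3.13.5) at 00:e0:4d:01:cb:09 on vlan313 permanent published [vlan]
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"on (?P<iface>\S+)(?P<flags>.*)$"
)

def parse_arp_table(text):
    """Map IP -> {mac, iface, permanent, published} from `arp -an` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # incomplete entries, blank lines, separators
        flags = m.group("flags")
        table[m.group("ip")] = {
            "mac": m.group("mac").lower(),
            "iface": m.group("iface"),
            "permanent": "permanent" in flags,
            "published": "published" in flags,
        }
    return table

def find_spoofed_sources(table, frames):
    """Return (ip, seen_mac, pinned_mac) for frames whose source MAC differs
    from the permanent entry for that IP. The ARP table itself never does
    this: the router accepts frames for a pinned IP from any MAC."""
    mismatches = []
    for src_ip, src_mac in frames:
        entry = table.get(src_ip)
        if entry is None or not entry["permanent"]:
            continue  # nothing pinned for this IP, nothing to compare
        if entry["mac"] != src_mac.lower():
            mismatches.append((src_ip, src_mac.lower(), entry["mac"]))
    return mismatches

# Constructed sample data modelled on the thread (not real captures).
SAMPLE_ARP = """\
user1: (82.199.215.195) at 00:0f:ea:a4:60:c5 on vlan804 permanent [vlan]
user2: (82.199.215.196) at 00:13:8f:b1:68:4b on vlan804 permanent [vlan]
? (82.199.215.200) at 00:aa:bb:cc:dd:ee on vlan804 [vlan]
"""
SAMPLE_FRAMES = [
    ("82.199.215.196", "00:13:8f:b1:68:4b"),  # user2 from its own MAC
    ("82.199.215.196", "00:0f:ea:a4:60:c5"),  # user1's MAC using user2's IP
    ("82.199.215.200", "00:11:22:33:44:55"),  # dynamic entry, not pinned
]
```

Running `find_spoofed_sources(parse_arp_table(SAMPLE_ARP), SAMPLE_FRAMES)` reports only the second frame, the case the original poster expected the permanent entry to block.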