From owner-freebsd-security Mon Jul 1 08:28:55 1996
Date: Mon, 1 Jul 1996 09:28:42 -0600 (MDT)
Message-Id: <199607011528.JAA09543@rocky.mt.sri.com>
From: Nate Williams
To: Brian Tao
Cc: FREEBSD-SECURITY-L
Subject: Re: Possible to block ARP?

> I'm trying to make my firewall totally invisible to certain
> machines on my network. The only thing I can't seem to get rid of is
> its entry in the ARP tables when someone tries to ping its IP
> address. Is this possible?

Do you have access to the machine in question? If so, you can 'add' a
permanent fake ARP entry on that box, which would be easier than trying
to add a kernel hack to avoid having its ARP entry published.

Find an ethernet address of a machine that doesn't exist on your network
(feel free to use this one '00:00:c0:50:b9:0a') and tell the machines you
don't want to have access to your firewall that this is the entry for
that machine. i.e.:

  # arp -s firewall.brian.tao 00:00:c0:50:b9:0a pub
  # ping firewall.brian.tao
  [ Nothing ]

If you don't have access to those machines, then there's no easy way of
'selectively' responding to ARP requests depending on the originator.

Nate
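An added example, not part of the original thread: after adding the static entry on a client, an administrator wants to confirm it actually took effect and is permanent, since a dynamic entry would be replaced the next time the firewall answers an ARP request. The script below parses FreeBSD-style `arp -an` output (the sample lines, addresses and MACs are constructed for this example) and reports whether the firewall's entry is the placeholder MAC and marked permanent.

```python
import re

# Constructed sample of FreeBSD `arp -an` output; addresses and MACs are
# made up for this example and are not from the original post.
SAMPLE_ARP_OUTPUT = """\
? (192.0.2.1) at 00:00:c0:50:b9:0a on fxp0 permanent published [ethernet]
? (192.0.2.20) at 00:a0:24:11:22:33 on fxp0 expires in 1187 seconds [ethernet]
? (192.0.2.30) at (incomplete) on fxp0 expired [ethernet]
"""

# One `arp -an` line: "? (ip) at mac on iface <state words> [ethernet]"
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}|\(incomplete\)) "
    r"on (?P<iface>\S+) (?P<state>.*?) \[ethernet\]$"
)


def parse_arp_table(text):
    """Return a dict of ip -> {mac, iface, permanent, published}."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # skip lines in a format we do not recognise
        state = m.group("state")
        table[m.group("ip")] = {
            "mac": m.group("mac"),
            "iface": m.group("iface"),
            "permanent": "permanent" in state,
            "published": "published" in state,
        }
    return table


def check_blackhole_entry(arp_text, firewall_ip, fake_mac):
    """Verify the client holds a permanent entry for the firewall pointing at
    the placeholder MAC. Returns a list of problems; empty means it is in
    place as the post describes."""
    entry = parse_arp_table(arp_text).get(firewall_ip)
    problems = []
    if entry is None:
        problems.append("no ARP entry for firewall")
        return problems
    if entry["mac"].lower() != fake_mac.lower():
        problems.append("entry resolves to %s, not the placeholder" % entry["mac"])
    if not entry["permanent"]:
        problems.append("entry is dynamic and will be overwritten by a real reply")
    return problems
```

Run it against the real table with `check_blackhole_entry(subprocess.check_output(["arp", "-an"], text=True), ip, mac)`; the `published` flag in the parsed entry tells you whether the `pub` keyword from the post was applied.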