Date:      Sun, 26 Nov 2000 11:00:43 -0800
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        Gerhard Sittig <Gerhard.Sittig@gmx.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: static ARP tables
Message-ID:  <20001126110042.B34151@149.211.6.64.reflexcom.com>
In-Reply-To: <20001126085514.H27042@speedy.gsinet>; from Gerhard.Sittig@gmx.net on Sun, Nov 26, 2000 at 08:55:14AM +0100
References:  <Pine.NEB.4.21.0011241617180.25280-100000@phalse.2600.com> <200011252212.PAA26585@faith.cs.utah.edu> <20001126085514.H27042@speedy.gsinet>

On Sun, Nov 26, 2000 at 08:55:14AM +0100, Gerhard Sittig wrote:
> On Sat, Nov 25, 2000 at 15:12 -0700, David G. Andersen wrote:
> > 
> > You have a point, of course;  this shouldn't be plugged as "the
> > perfect solution for ip-based authentication," because it does
> > have many holes of which a user must be aware, but it's a very
> > nice thing to have around, and I'd love to see it controllable
> > via rc.conf.
> 
> OK, I take this point, which I wasn't quite aware of before.  Of course
> no security measure stands alone, but every single one
> contributes to raising the bar for the bad guys and keeps
> legitimate users from doing harm to themselves as well as to others.
> 
> > One thing that would be nice from my perspective would be the
> > ability to specify an external file that contains the static
> > ARP entries, e.g.
> > 
> >   static_arp_table="/etc/arpfile"
> > 
> > (The same kind of functionality currently provided by
> > rc.firewall).
> 
> You might want to followup to the PR (to have it in the audit
> trail) with a patch that makes the table fill in loop read
> something like
> 
> case ${static_arp_table} in
> /*)
>     # file name specified
>     while read ADDR; do
>       ...
>     done < ${static_arp_table}
>     ;;
> [1-9]*)
>     # starts with an IP address
>     for ADDR in ${static_arp_table}; do
>       ...
>     done
>     ;;
> esac

The arp(8) command does have an option to read a file already. See the
'-f' option.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
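A worked version of the two-way lookup sketched in the quoted case statement, combined with Crist's point that arp(8) can read a file itself via -f. This is an added example, not code from the thread, the PR, or FreeBSD's rc scripts: the variable name static_arp_table, the inline ip=mac syntax, and the ARP_CMD override are assumptions made for the example. It validates every entry and prints the arp(8) invocations instead of running them, so it can be exercised without root; a caller that wants the entries installed would eval the output or drop the echo.

```shell
#!/bin/sh
# Added example (not from the thread, the PR or FreeBSD's rc scripts).
# Accepts an rc.conf-style static_arp_table value that is either
#   - an absolute path to a file in arp -f format
#     ("hostname ether_addr [temp] [pub]" per line), or
#   - an inline list of ip=mac pairs (assumed syntax for this example),
# validates it, and prints the arp(8) commands that would install it.
# ARP_CMD lets a caller substitute the arp binary (assumption, for testing).

arp_cmd="${ARP_CMD:-arp}"

# Dotted-quad IPv4 only; arp -f also takes hostnames, which this example
# deliberately rejects so a typo cannot resolve to an unexpected address.
valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Six colon-separated hex octets.
valid_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# static_arp_commands VALUE
# Prints one arp(8) command per line on stdout; returns 1 and reports
# every malformed entry on stderr, printing no command for a bad table.
static_arp_commands() {
    table="$1"
    rc=0
    case "$table" in
    "")
        ;;
    /*)
        # file name: check each line here, then let arp -f read the file
        [ -r "$table" ] || { echo "cannot read $table" >&2; return 1; }
        while read -r host ether rest; do
            case "$host" in ""|\#*) continue ;; esac   # blank/comment lines
            if ! valid_ip "$host" || ! valid_mac "$ether"; then
                echo "bad line in $table: $host $ether $rest" >&2
                rc=1
            fi
        done < "$table"
        [ "$rc" -eq 0 ] && echo "$arp_cmd -f $table"
        ;;
    *)
        # inline list: one ip=mac pair per word, installed with -S
        # (set, replacing any existing entry for that address)
        for entry in $table; do
            ip="${entry%%=*}"
            mac="${entry#*=}"
            if [ "$ip" != "$entry" ] && valid_ip "$ip" && valid_mac "$mac"; then
                echo "$arp_cmd -S $ip $mac"
            else
                echo "bad static ARP entry: $entry" >&2
                rc=1
            fi
        done
        ;;
    esac
    return "$rc"
}
```

The file branch re-checks each line before handing the file to arp -f so that one malformed line is reported up front rather than leaving the table half-installed when arp(8) stops on it; the inline branch uses -S rather than -s so a stale entry for the same address is replaced instead of left in place.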