From: swear@blarg.net (Gary W. Swearingen)
To: freebsd-questions@freebsd.org
Subject: Any way to disable dynamic ARP?
Date: 22 Sep 2001 11:27:04 -0700

Someone said that security could be improved by setting the IP/MAC translation table (ARP table) statically. The "arp" command allows that, but I don't see how to keep the kernel (?) from continuing to poke around the network to set up additional translations dynamically.

Do I make any sense? Is there some sysctl or other scheme for having a static-only ARP table while allowing me to "publish" one address for use by my external router which doesn't allow a static ARP table? (I guess I want my firewall to be an ARP server, but not a client.)

I guess the fear is that a cracker taking over the router or, more likely, a DMZ host could do bad things to the firewall's ARP-related routing.

Thanks.