Date: Sun, 26 Nov 2000 12:31:53 -0800
From: "Crist J . Clark"
Reply-To: cjclark@alum.mit.edu
To: Dominick LaTrappe
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: static ARP tables
Message-ID: <20001126123153.D70192@149.211.6.64.reflexcom.com>
References: <200011252212.PAA26585@faith.cs.utah.edu>
In-Reply-To: ; from seraf@2600.COM on Sun, Nov 26, 2000 at 03:10:16PM -0500

On Sun, Nov 26, 2000 at 03:10:16PM -0500, Dominick LaTrappe wrote:
> On Sat, 25 Nov 2000 "David G. Andersen" wrote:
> > When used in conjunction with switch-enforced MAC security, it's actually
> > quite useful. You yourself state this; I have a need for exactly this
> > kind of functionality for Utah's network testbed, actually.
> 
> What I'd really like to see is a 'static' flag that can be added to
> individual ARP table entries. I have several networks with servers and
> routers whose MAC/IP/switchport associations should never change, but also
> workstations that change all the time.
> 
> I'm going to try to work on a patch for this, though maybe someone already
> knows a hack?

$ man arp
  .
  .
  .
     -s hostname ether_addr
             Create an ARP entry for the host called hostname with the
             Ethernet address ether_addr.  The Ethernet address is given as six
             hex bytes separated by colons.  The entry will be permanent unless
                                                               ^^^^^^^^^
             the word temp is given in the command.

Writing a script to 'permanentize' an existing entry is straightforward,

#!/bin/sh
#
# arpperm
#
# Usage: arpperm hostname | ip
#
# Re-adds the host's current ARP entry with arp -S (like -s, but replaces
# the existing entry first) so that it becomes permanent.

ARP=/usr/sbin/arp

if [ -z "$1" ] || [ $# -gt 1 ]; then
	echo "Usage: $0 hostname | ip" >&2
	exit 1
fi

# Fourth field of "host (ip) at MAC on ifX ..." is the Ethernet address.
MAC=`$ARP -n "$1" | cut -f4 -d" "`

# Accept only six colon-separated groups of hex digits (arp may print
# groups without leading zeros); "(incomplete)" or "no entry" fall through.
if expr "$MAC" : '[0-9a-f][0-9a-f]*:[0-9a-f][0-9a-f]*:[0-9a-f][0-9a-f]*:[0-9a-f][0-9a-f]*:[0-9a-f][0-9a-f]*:[0-9a-f][0-9a-f]*$' > /dev/null 2>&1; then
	$ARP -S "$1" "$MAC"
else
	echo "$0: trouble getting MAC address" >&2
	exit 1
fi

exit 0

-- 
Crist J. Clark                                cjclark@alum.mit.edu
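As an added example (not part of the original mail, and not FreeBSD's own code), a script that takes the same idea one step further for the servers-and-routers case Dominick describes: it compares a table of expected IP/MAC pairs against `arp -an` output and reports any entry that has drifted, which is the check you would want before making entries permanent and again afterwards. It assumes the FreeBSD `arp` output format the arpperm script above relies on; the table and ARP output embedded at the bottom are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original mail). Assumes FreeBSD-style
# "host (ip) at MAC on ifX ..." lines from `arp -an`, as arpperm does.

# Rewrite a MAC so every group is two lower-case hex digits
# (FreeBSD may print "0:a:b:c:d:e" for 00:0a:0b:0c:0d:0e).
norm_mac() {
    out=''; oldifs=$IFS; IFS=:
    for g in $1; do out="$out:$(printf '%02x' "0x$g")"; done
    IFS=$oldifs; printf '%s\n' "${out#:}"
}

# Print the normalized MAC from one `arp -n` line, or print nothing and
# return 1 for "(incomplete)", "-- no entry" or anything that is not a MAC.
mac_from_arp_line() {
    mac=$(printf '%s\n' "$1" | awk '{print tolower($4)}')
    printf '%s\n' "$mac" | grep -Eqx '([0-9a-f]{1,2}:){5}[0-9a-f]{1,2}' || return 1
    norm_mac "$mac"
}

# $1: expected table, one "ip mac" per line; $2: output of `arp -an`.
# Prints OK / MISMATCH / MISSING per expected host; returns 1 if any
# cache entry differs from the table (the case worth alerting on).
check_static_table() {
    rc=0
    while read -r ip want; do
        [ -z "$ip" ] && continue
        want=$(norm_mac "$want")
        line=$(printf '%s\n' "$2" | grep -F "($ip)" || true)
        if [ -z "$line" ]; then echo "MISSING $ip"; rc=1; continue; fi
        got=$(mac_from_arp_line "$line") || got=none
        if [ "$got" = "$want" ]; then echo "OK $ip $got"
        else echo "MISMATCH $ip expected $want got $got"; rc=1; fi
    done <<EOF
$1
EOF
    return $rc
}

# Constructed sample data standing in for a real table and `arp -an` run.
EXPECTED='10.0.0.1 00:11:22:33:44:55
10.0.0.2 aa:bb:cc:dd:ee:ff
10.0.0.3 de:ad:be:ef:00:01'
ARP_OUTPUT='? (10.0.0.1) at 0:11:22:33:44:55 on fxp0 permanent [ethernet]
? (10.0.0.2) at 00:de:ad:be:ef:02 on fxp0 expires in 1190 seconds [ethernet]
? (10.0.0.4) at (incomplete) on fxp0 expired [ethernet]'

check_static_table "$EXPECTED" "$ARP_OUTPUT" || echo "ARP cache differs from table" >&2
```

On a live host, replace the two sample variables with the real table file and `arp -an` output and run it from cron; a non-zero exit is the signal to investigate.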