Date: Mon, 8 Jul 1996 09:32:15 -0400 (EDT) From: Brian Tao <taob@io.org> To: "Andrew V. Stesin" <stesin@elvisti.kiev.ua> Cc: FREEBSD-CURRENT-L <freebsd-current@freebsd.org> Subject: "ifconfig -arp" doesn't work? Message-ID: <Pine.NEB.3.92.960708092310.10129G-100000@zap.io.org> In-Reply-To: <199607080551.IAA05292@office.elvisti.kiev.ua>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 8 Jul 1996, Andrew V. Stesin wrote:
>
> Dear Brian, if this approach will work for you,
> please, share your experience with us. (I didn't
> think about a situation with an "untrusted inside host" before,
> so I'm interested what the solution might be)
Andrew is referring to the "-arp" switch to ifconfig. I had asked
if it was possible for an Ethernet interface not to broadcast its MAC
address in response to an ARP query. Unfortunately, it doesn't seem
to work. :(
slam.io.org is the name of the firewall from the outside, and
zap.io.org is one of our public shell servers. Even with NOARP,
another server is still able to record slam's MAC address. I was
thinking of turning off broadcasts, but that would probably mess
others things up even more.
slam is 2.2-960612-SNAP, zap is 2.2-960501-SNAP.
slam# ifconfig de0
de0: flags=88c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1500
inet 198.133.36.2 netmask 0xffffff00 broadcast 198.133.36.255
ether 00:00:c0:53:c8:db
zap# arp -a | grep slam
zap# ping slam.io.org
PING slam.io.org (198.133.36.2): 56 data bytes
^C
--- slam.io.org ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
# arp -a | fgrep slam
slam.io.org (198.133.36.2) at 0:0:c0:53:c8:db
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.92.960708092310.10129G-100000>