From owner-freebsd-current Mon Jul 8 06:38:29 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id GAA04322 for current-outgoing; Mon, 8 Jul 1996 06:38:29 -0700 (PDT)
Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id GAA04315 for ; Mon, 8 Jul 1996 06:38:25 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id JAA18596; Mon, 8 Jul 1996 09:32:15 -0400 (EDT)
Date: Mon, 8 Jul 1996 09:32:15 -0400 (EDT)
From: Brian Tao
To: "Andrew V. Stesin"
cc: FREEBSD-CURRENT-L
Subject: "ifconfig -arp" doesn't work?
In-Reply-To: <199607080551.IAA05292@office.elvisti.kiev.ua>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 8 Jul 1996, Andrew V. Stesin wrote:
>
> Dear Brian, if this approach will work for you,
> please, share your experience with us. (I didn't
> think about a situation with an "untrusted inside host" before,
> so I'm interested what the solution might be)

Andrew is referring to the "-arp" switch to ifconfig. I had asked if it was possible for an Ethernet interface not to broadcast its MAC address in response to an ARP query. Unfortunately, it doesn't seem to work. :(

slam.io.org is the name of the firewall from the outside, and zap.io.org is one of our public shell servers. Even with NOARP, another server is still able to record slam's MAC address. I was thinking of turning off broadcasts, but that would probably mess other things up even more. slam is 2.2-960612-SNAP, zap is 2.2-960501-SNAP.
slam# ifconfig de0
de0: flags=88c3 mtu 1500
        inet 198.133.36.2 netmask 0xffffff00 broadcast 198.133.36.255
        ether 00:00:c0:53:c8:db

zap# arp -a | grep slam
zap# ping slam.io.org
PING slam.io.org (198.133.36.2): 56 data bytes
^C
--- slam.io.org ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
# arp -a | fgrep slam
slam.io.org (198.133.36.2) at 0:0:c0:53:c8:db

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
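The following is an added example, not part of Brian's message or of FreeBSD. It does not claim to explain why zap learned slam's address in the transcript above; it only demonstrates the general point behind the thread: an Ethernet header carries the sender's MAC on every frame, so a host on the same segment can fill its own IP-to-MAC table passively from any traffic a peer emits, ARP reply or not. Disabling ARP on an interface therefore cannot hide its hardware address from neighbours. The script builds two constructed frames (an ARP request from zap that is never answered, then an ordinary IPv4 frame from slam), parses them with a small Ethernet/ARP/IPv4 header parser, and shows the learned table. The MAC and IP addresses of slam and the IP of zap are taken from the message; zap's MAC and the frame contents are assumptions made for the example.

```python
"""Passive neighbour learning from raw Ethernet frames (constructed example).

Every Ethernet frame carries the sender's hardware address in its 14-byte
header, so a host on the same segment can record a peer's MAC from any frame
that peer emits, whether or not the peer ever answers an ARP request.
"""
from __future__ import annotations

import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6

# slam's MAC/IP and zap's IP come from the message; zap's MAC is an assumption.
SLAM_MAC, SLAM_IP = "00:00:c0:53:c8:db", "198.133.36.2"
ZAP_MAC, ZAP_IP = "00:00:c0:00:00:51", "198.133.36.81"  # MAC constructed


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ethernet(dst: bytes, src: str, ethertype: int, payload: bytes) -> bytes:
    return struct.pack("!6s6sH", dst, mac_bytes(src), ethertype) + payload


def arp_frame(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet/IPv4 ARP packet; a request is sent to the broadcast address."""
    body = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, op,
                       mac_bytes(sha), IPv4Address(spa).packed,
                       mac_bytes(tha), IPv4Address(tpa).packed)
    dst = BROADCAST if op == ARP_REQUEST else mac_bytes(tha)
    return ethernet(dst, sha, ETHERTYPE_ARP, body)


def ipv4_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
               proto: int = 1, payload: bytes = b"") -> bytes:
    """Minimal IPv4 packet (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src_ip).packed,
                      IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return ethernet(mac_bytes(dst_mac), src_mac, ETHERTYPE_IPV4, hdr + payload)


def parse_frame(frame: bytes) -> tuple[str, str | None, str]:
    """Return (sender MAC from the Ethernet header, sender IPv4 or None, kind)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    if ethertype == ETHERTYPE_ARP and len(payload) >= 28:
        op = struct.unpack("!H", payload[6:8])[0]
        kind = {ARP_REQUEST: "arp-request", ARP_REPLY: "arp-reply"}.get(op, "arp-other")
        return mac_str(src), str(IPv4Address(payload[14:18])), kind
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4
        if ipv4_checksum(payload[:ihl]) != 0:
            return mac_str(src), None, "ipv4-bad-checksum"
        return mac_str(src), str(IPv4Address(payload[12:16])), "ipv4"
    return mac_str(src), None, "other"


def learn_neighbours(frames) -> dict[str, str]:
    """Build an IP -> MAC table from whatever frames a sniffer sees."""
    table: dict[str, str] = {}
    for frame in frames:
        mac, ip, kind = parse_frame(frame)
        if ip is not None and kind != "ipv4-bad-checksum":
            table[ip] = mac
    return table


# Constructed traffic: zap asks for slam's MAC and receives no ARP reply, but
# slam later sends one IPv4 (ICMP) frame, and that alone reveals its MAC.
TRAFFIC = [
    arp_frame(ARP_REQUEST, ZAP_MAC, ZAP_IP, "00:00:00:00:00:00", SLAM_IP),
    ipv4_frame(SLAM_MAC, ZAP_MAC, SLAM_IP, ZAP_IP, payload=b"\x08\x00" + b"\x00" * 6),
]

if __name__ == "__main__":
    for ip, mac in sorted(learn_neighbours(TRAFFIC).items()):
        print(f"{ip} at {mac}")
```

The learner keys on the MAC in the Ethernet header rather than the ARP sender-hardware-address field, because the header is what the NIC actually put on the wire; the two can differ in a spoofed ARP packet. Frames whose IPv4 header checksum fails are ignored so that a damaged frame does not poison the table.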