From: Eugene Grosbein
Date: Wed, 5 Dec 2001 12:44:30 +0700
To: security@freebsd.org
Cc: net@freebsd.org
Subject: NOARP - gateway must answer and have frozen ARP table
Message-ID: <20011205124430.A83642@svzserv.kemerovo.su>

Hi!

Not sure which is the correct list; this is about network security.

The NOARP flag did not work for Ethernet interfaces before 4.4-RELEASE. We needed a static ARP table, so we used a local patch for it. 4.4-RELEASE implemented NOARP, but in a different way. Now a router does not even respond to clients asking for its link address, which is not very wise. We cannot force all our clients to use static ARP entries for our router (their gateway). So we patched the 4.4 sources again.

The needed behaviour is a static ARP table filled at boot time with arp(8), and there must be answers for the router's own Ethernet address. Can there be an option to enable this behaviour in the FreeBSD distribution?

Here is a patch for 4.4. Please review.

--- netinet/if_ether.c.orig Mon Aug 6 15:26:06 2001 +++ netinet/if_ether.c Sun Nov 11 21:01:07 2001
@@ -408,8 +408,10 @@ * Probably should not allocate empty llinfo struct if we are * not going to be sending out an arp request. */ +/*VK if (ac->ac_if.if_flags & IFF_NOARP) return (0); +VK*/ /* * There is an arptab entry, but no ethernet address * response yet. Replace the held mbuf with this @@ -580,6 +582,7 @@ itaddr = myaddr; goto reply; } +/*VV*/ if (!(ac->ac_if.if_flags & IFF_NOARP)) { la = arplookup(isaddr.s_addr, itaddr.s_addr == myaddr.s_addr, 0); if (la && (rt = la->la_rt) && (sdl = SDL(rt->rt_gateway))) { /* the following is not an error when doing bridging */ @@ -651,6 +654,7 @@ la->la_hold = 0; } } +/*VV*/ } reply: if (op != ARPOP_REQUEST) { m_freem(m); --- net/if_ethersubr.c.orig Wed Nov 7 22:34:36 2001 +++ net/if_ethersubr.c Sun Nov 11 21:10:20 2001 @@ -554,11 +554,12 @@ break; case ETHERTYPE_ARP: - if (ifp->if_flags & IFF_NOARP) { +/*VK if (ifp->if_flags & IFF_NOARP) { VK*/ /* Discard packet if ARP is disabled on interface */ - m_freem(m); +/*VK m_freem(m); return; } +VK*/ schednetisr(NETISR_ARP); inq = &arpintrq; break;

Eugene Grosbein
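Review bot: in the @@ -408 hunk of netinet/if_ether.c the IFF_NOARP early return is disabled by wrapping it in /*VK ... VK*/ instead of deleting it, which leaves dead code in the tree and makes the comment directly above it ("Probably should not allocate empty llinfo struct if we are not going to be sending out an arp request") describe a check that no longer exists. With the return gone, arpresolve() continues into the request path for any destination that has no static entry, so a NOARP gateway will now emit ARP requests whose replies the in_arpinput() guard in the next hunks refuses to learn. If sending requests is not wanted on a frozen table, keep this return and change only the receive side; either way, replace the commented-out block with a real deletion and a one-line comment stating the intended NOARP semantics.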
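Review bot: in the @@ -580 hunk the new `if (!(ac->ac_if.if_flags & IFF_NOARP)) {` opens a block that is closed only in the following hunk (@@ -651), roughly seventy lines later, without reindenting the enclosed code, and the /*VV*/ markers are explained nowhere. A reader of the resulting source cannot tell that the two braces belong together; reindent the guarded block or, better, move the table-update code into a helper so the NOARP skip becomes a single early test. The intent the mail describes, that a NOARP interface still answers requests for its own address but never updates its table from incoming packets, should be stated in a comment at this point rather than left implicit.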
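Review bot: in the @@ -651 hunk the closing `/*VV*/ }` lands right after `la->la_hold = 0; } }` and right before the `reply:` label, so three closing braces at different nesting levels sit in a row with no indentation distinguishing them, which is easy to mismatch on a later merge. Put the brace on its own correctly indented line with a trailing `/* !IFF_NOARP */` comment so it is obvious which `if` it closes.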
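Review bot: in net/if_ethersubr.c the `case ETHERTYPE_ARP:` discard is commented out with /*VK ... VK*/ while the comment "Discard packet if ARP is disabled on interface" is left standing, so the code now says the opposite of what it does; delete the block outright and rely on the in_arpinput() guard if that is the intended design. This hunk also redefines IFF_NOARP for every Ethernet interface: before the patch the flag dropped all ARP input on the interface, after it every ARP frame is queued to arpintrq and the flag only suppresses learning. A separate sysctl or interface flag, as the mail itself asks for, would give the "answer for self, frozen table" mode without changing what existing NOARP users get.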