Date: Mon, 24 Sep 2001 13:59:42 +0300 From: Ruslan Ermilov <ru@FreeBSD.ORG> To: "Gary W. Swearingen" <swear@blarg.net> Cc: freebsd-questions@FreeBSD.ORG Subject: Re: Any way to disable dynamic ARP? Message-ID: <20010924135942.D50028@sunbay.com> In-Reply-To: <ebitebytc7.teb@localhost.localdomain>; from swear@blarg.net on Sat, Sep 22, 2001 at 11:27:04AM -0700 References: <ebitebytc7.teb@localhost.localdomain>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Sep 22, 2001 at 11:27:04AM -0700, Gary W. Swearingen wrote: > Someone said that security could be improved by setting the IP/MAC > translation table (ARP table) statically. The "arp" command allows > that, but I don't see how to keep the kernel (?) from continuing to > poke around the network to set up additional translations dynamically. > > Do I make any sense? Is there some sysctl or other scheme for having > a static-only ARP table while allowing me to "publish" one address for > use by my external router which doesn't allow a static ARP table. (I > guess I want my firewall to be an ARP server, but not a client.) I > guess the fear is that a cracker taking over the router or, more likely, > a DMZ host could to bad things to the firewall's ARP-related routing. > ifconfig -arp ifX This was broken before this commit: : jlemon 2001/07/25 10:27:56 PDT : : Modified files: (Branch: RELENG_4) : sys/net if_ethersubr.c if_fddisubr.c : if_iso88025subr.c : sys/netinet if_ether.c : Log: : MFC: do not do arp send/resolve on interface marked NOARP. : : Revision Changes Path : 1.70.2.16 +6 -1 src/sys/net/if_ethersubr.c : 1.41.2.6 +3 -6 src/sys/net/if_fddisubr.c : 1.7.2.4 +5 -1 src/sys/net/if_iso88025subr.c : 1.64.2.11 +10 -2 src/sys/netinet/if_ether.c Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010924135942.D50028>