Date:      Mon, 24 Sep 2001 13:59:42 +0300
From:      Ruslan Ermilov <ru@FreeBSD.ORG>
To:        "Gary W. Swearingen" <swear@blarg.net>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Any way to disable dynamic ARP?
Message-ID:  <20010924135942.D50028@sunbay.com>
In-Reply-To: <ebitebytc7.teb@localhost.localdomain>; from swear@blarg.net on Sat, Sep 22, 2001 at 11:27:04AM -0700
References:  <ebitebytc7.teb@localhost.localdomain>

On Sat, Sep 22, 2001 at 11:27:04AM -0700, Gary W. Swearingen wrote:
> Someone said that security could be improved by setting the IP/MAC
> translation table (ARP table) statically.  The "arp" command allows
> that, but I don't see how to keep the kernel (?) from continuing to
> poke around the network to set up additional translations dynamically.
> 
> Do I make any sense?  Is there some sysctl or other scheme for having
> a static-only ARP table while allowing me to "publish" one address for
> use by my external router which doesn't allow a static ARP table.  (I
> guess I want my firewall to be an ARP server, but not a client.)  I
> guess the fear is that a cracker taking over the router or, more likely,
> a DMZ host could do bad things to the firewall's ARP-related routing.
> 
ifconfig ifX -arp

This was broken before this commit:

: jlemon      2001/07/25 10:27:56 PDT
: 
:   Modified files:        (Branch: RELENG_4)
:     sys/net              if_ethersubr.c if_fddisubr.c
:                          if_iso88025subr.c
:     sys/netinet          if_ether.c
:   Log:
:   MFC: do not do arp send/resolve on interface marked NOARP.
: 
:   Revision   Changes    Path
:   1.70.2.16  +6 -1      src/sys/net/if_ethersubr.c
:   1.41.2.6   +3 -6      src/sys/net/if_fddisubr.c
:   1.7.2.4    +5 -1      src/sys/net/if_iso88025subr.c
:   1.64.2.11  +10 -2     src/sys/netinet/if_ether.c


Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
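
A check that could be run after setting the `-arp` interface flag described in the message above (an added example, not part of the original e-mail): it confirms the NOARP flag is present on the interface and lists ARP entries on it that are not marked permanent. The function names, the assumed FreeBSD-style `ifconfig` and `arp -an` output formats, and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit that an interface is static-ARP-only.
# Assumed output formats (FreeBSD-style; samples below are constructed):
#   ifconfig: "fxp0: flags=88c3<UP,...,NOARP,...> mtu 1500"
#   arp -an : "? (192.0.2.1) at 00:a0:c9:11:22:33 on fxp0 permanent [ethernet]"

# noarp_set IFACE -- reads ifconfig output on stdin; succeeds only if
# the flags line for IFACE lists NOARP.
noarp_set() {
    awk -v ifc="$1" '
        $1 == (ifc ":") && $2 ~ /[<,]NOARP[,>]/ { found = 1 }
        END { exit !found }'
}

# dynamic_entries IFACE -- reads `arp -an` output on stdin; prints
# "ip mac" for every entry on IFACE that is not marked permanent.
dynamic_entries() {
    awk -v ifc="$1" '
        {
            on = 0; perm = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "on" && $(i + 1) == ifc) on = 1
                if ($i == "permanent") perm = 1
            }
            if (on && !perm) {
                ip = $2; gsub(/[()]/, "", ip)
                print ip, $4
            }
        }'
}

# Constructed sample output (not captured from a real host).
SAMPLE_IFCONFIG='fxp0: flags=88c3<UP,BROADCAST,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1500
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500'
SAMPLE_ARP='? (192.0.2.1) at 00:a0:c9:11:22:33 on fxp0 permanent [ethernet]
? (192.0.2.2) at 00:a0:c9:44:55:66 on fxp0 permanent published [ethernet]
? (192.0.2.77) at 00:d0:b7:aa:bb:cc on fxp0 [ethernet]
? (198.51.100.5) at 00:d0:b7:dd:ee:ff on fxp1 [ethernet]'

# Demo on the samples; on a live host pipe in `ifconfig fxp0` and `arp -an`.
if printf '%s\n' "$SAMPLE_IFCONFIG" | noarp_set fxp0; then
    echo "fxp0: NOARP is set"
else
    echo "fxp0: NOARP is NOT set"
fi
echo "non-permanent entries on fxp0:"
printf '%s\n' "$SAMPLE_ARP" | dynamic_entries fxp0
```
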
