From: Alexei Evdokimov
To: freebsd-isp@freebsd.org
Date: Fri, 26 Sep 2003 11:08:05 +0400 (MSD)
Subject: Re: static ARP
Message-ID: <20030926104610.U96986@avalon.pptus.ru>
In-Reply-To: <20030926095646.E96986@avalon.pptus.ru>
References: <4878.62.142.81.6.1064386090.squirrel@redbull.tiscali.fi> <20030926095646.E96986@avalon.pptus.ru>
List-Id: Internet Services Providers

On Fri, 26 Sep 2003, Alexei Evdokimov wrote:

> > I was thinking about the following scenario. I have one interface in my
> > BSD router that serves a private network.
> >
> > Is it possible to disable ARP on that interface and make static ARP
> > entries on router? I'm looking for a way to allow only certain MAC
> > addresses to access via this interface. I do know it's only false
> > security, but it would prevent people adding easily unauthorized
> > computers. And since there are only about 10 comps in this particular
> > network, maintaining static ARP entries would not be worksome.
> >
> > I would not like to get into bridging if this works.
>
> Parameter -arp will disable ARP on the interface:
>
>     ifconfig ... -arp
>
> To set static ARP table write authorized pairs ip:mac in a file
> and load it in the table:
>
>     arp -f file

Unfortunately with -arp parameter the router won't reply to ARP request
about his address so you need to manually add ARP record about the router
to each host's ARP table or you can try Ruslan Ermilov's patch (posted in
freebsd security list a couple days ago) which solves this problem.

-- 
Alexei Evdokimov
alexei@pptus.ru
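
Added example, not part of the original message: with ARP disabled on the interface the router cannot resolve any host that is missing or mistyped in the static table, so it helps to check the pairs file before `arp -f file` loads it. The sketch assumes one whitespace-separated `<ip> <mac>` pair per line (the arp(8) file layout); the function name, the one-IP-per-MAC policy and all addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate "<ip> <mac>" pairs before `arp -f file` loads them.
# Prints one message per problem; returns non-zero if any line is rejected.
check_arp_file() {
    awk '
    function bad(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; err = 1 }
    /^[ \t]*$/ { next }                       # skip blank lines
    NF < 2 { bad("expected: <ip> <mac>"); next }
    {
        ip = $1; mac = tolower($2)
        n = split(ip, o, "."); ok = (n == 4)
        for (i = 1; i <= n; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
        if (!ok) bad("invalid IPv4 address: " ip)
        n = split(mac, h, ":"); ok = (n == 6)
        for (i = 1; i <= n; i++)
            if (h[i] !~ /^[0-9a-f][0-9a-f]?$/) ok = 0
        if (!ok) bad("invalid MAC address: " $2)
        # Policy assumption: one IP per MAC, so repeats are treated as typos.
        if (ip in seen_ip)   bad("duplicate IP " ip ", first on line " seen_ip[ip])
        if (mac in seen_mac) bad("duplicate MAC " mac ", first on line " seen_mac[mac])
        seen_ip[ip] = FNR; seen_mac[mac] = FNR
    }
    END { exit err + 0 }
    ' "$1"
}

# Constructed sample data: every address below is made up.
good=$(mktemp) && bad=$(mktemp) || exit 1
cat > "$good" <<'EOF'
192.168.10.11 02:00:00:00:00:0b
192.168.10.12 02:00:00:00:00:0c
EOF
cat > "$bad" <<'EOF'
192.168.10.11 02:00:00:00:00:0b
192.168.10.300 02:00:00:00:00:0c
192.168.10.13 02:00:00:00:00:0b
192.168.10.14 02:00:00:00:0d
EOF

check_arp_file "$good" && echo "good file: safe to load with arp -f"
check_arp_file "$bad"  || echo "bad file: fix the lines above before loading"
rm -f "$good" "$bad"
```

Running the check before each reload keeps a single typo from cutting an authorized host off the segment.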