From owner-freebsd-isp@FreeBSD.ORG  Fri Sep 26 00:08:10 2003
Return-Path: <owner-freebsd-isp@FreeBSD.ORG>
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C244E16A4BF
	for <freebsd-isp@freebsd.org>; Fri, 26 Sep 2003 00:08:10 -0700 (PDT)
Received: from avalon.pptus.ru (avalon.pptus.ru [212.73.100.133])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6877143FE3
	for <freebsd-isp@freebsd.org>; Fri, 26 Sep 2003 00:08:09 -0700 (PDT)
	(envelope-from alexei@pptus.ru)
Received: from avalon.pptus.ru (avalon.pptus.ru [212.73.100.133])
	by avalon.pptus.ru (Postfix) with ESMTP id 4992FF84E
	for <freebsd-isp@freebsd.org>; Fri, 26 Sep 2003 11:08:05 +0400 (MSD)
Date: Fri, 26 Sep 2003 11:08:05 +0400 (MSD)
From: Alexei Evdokimov <alexei@pptus.ru>
To: freebsd-isp@freebsd.org
In-Reply-To: <20030926095646.E96986@avalon.pptus.ru>
Message-ID: <20030926104610.U96986@avalon.pptus.ru>
References: <4878.62.142.81.6.1064386090.squirrel@redbull.tiscali.fi>
 <20030926095646.E96986@avalon.pptus.ru>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: Re: static ARP
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers <freebsd-isp.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-isp>,
	<mailto:freebsd-isp-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-isp>
List-Post: <mailto:freebsd-isp@freebsd.org>
List-Help: <mailto:freebsd-isp-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-isp>,
	<mailto:freebsd-isp-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Sep 2003 07:08:10 -0000

On Fri, 26 Sep 2003, Alexei Evdokimov wrote:

> > I was thinking about the following scenario. I have one interface in my
> > BSD router that serves a private network.
> >
> > Is it possible to disable ARP on that interface and make static ARP
> > entries on router? I'm looking for a way to allow only certain MAC
> > addresses to access via this interface. I do know it's only false
> > security, but it would prevent people adding easily unauthorized
> > computers. And since there are only about 10 comps in this particular
> > network, maintaining static ARP entries would not be worksome.
> >
> > I would not like to get into bridging if this works.
>
> Parameter -arp will disable ARP on the interface:
>
>     ifconfig ... -arp
>
> To set static ARP table write authorized pairs ip:mac in a file
> and load it it in the table:
>
>     arp -f file

Unfortunatly with -arp parameter the router won't reply to ARP
request about his address so you need to manually add ARP record
about the router to each host's ARP table or you can try Ruslan
Ermilov's patch (posted in freebsd security list a couple days
ago) which solve this problem.

-- 
Alexei Evdokimov
alexei@pptus.ru