Date: Wed, 24 Sep 2003 08:56:13 -0700
From: Michael Sierchio <kudzu@tenebras.com>
To: security@freebsd.org
Subject: Possible (or possibly painful) workaround for FreeBSD-SA-03:14.arp
Message-ID: <3F71BE9D.7000401@tenebras.com>

Of course you should patch/upgrade, etc.

A stopgap measure could be to use static ARP for a segment.  I have
done this for a long time with wireless hosts, since I'm in an urban
environment with many visible nodes, some in autos, and ARP cache
poisoning is a well-known DoS against wireless.

You may find it extremely painful and less-than-useful to have
static IP addrs, etc. for hosts.

Here's a snippet of /usr/local/etc/rc.d/20-statarp.sh from my
FreeBSD host (192.168.1.1) serving as a wireless router:

#! /bin/sh

PATH=/usr/sbin:/sbin

# stop using ARP on wi0, then flush the existing ARP table
# (stdout is redirected first so that stderr is silenced as well)
ifconfig wi0 -arp
arp -d -a > /dev/null 2>&1

# wireless NICs: one static IP -> MAC entry per host

arp -s 192.168.1.1 00:02:2d:0e:00:40 > /dev/null 2>&1
arp -s 192.168.1.129 00:30:ab:14:11:46 > /dev/null 2>&1
arp -s 192.168.1.130 00:30:ab:14:11:f6 > /dev/null 2>&1
###$# many entries deleted ...
arp -s 192.168.1.195 00:30:ab:14:0f:89 > /dev/null 2>&1

# end
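
Added example, not part of the original message: a way to audit a saved `arp -an` listing against the pinned table, so that drift from the static entries above gets noticed. The function names, the "IP MAC" table format, the assumed `? (ip) at mac on if ... permanent` line layout, and the MACs shown for .130 (live) and .200 are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the original message): audit a captured `arp -an`
# listing against a pinned "IP MAC" table. Both file formats are assumptions.

audit_arp() {   # $1 = pinned table, $2 = saved `arp -an` output
    awk '
        FILENAME == ARGV[1] {           # first file: pinned table
            sub(/#.*/, "")              # strip comments
            if (NF >= 2) want[$1] = tolower($2)
            next
        }
        {                               # second file: "? (ip) at mac on if ..."
            ip = $2; gsub(/[()]/, "", ip)
            mac = tolower($4); seen[ip] = 1
            if (!(ip in want))           { print "UNPINNED " ip " " mac; bad++ }
            else if (mac != want[ip])    { print "MISMATCH " ip " " mac " expected " want[ip]; bad++ }
            else if ($0 !~ / permanent/) { print "DYNAMIC " ip " " mac; bad++ }
        }
        END {
            for (ip in want) if (!(ip in seen)) { print "MISSING " ip; bad++ }
            exit (bad > 0)              # non-zero status when anything is off
        }
    ' "$1" "$2"
}

demo() {        # constructed sample data, written to a scratch directory
    d=$(mktemp -d "${TMPDIR:-/tmp}/arpaudit.XXXXXX") || return 2
    cat > "$d/pinned" <<'EOF'
# IP            MAC
192.168.1.129   00:30:AB:14:11:46
192.168.1.130   00:30:ab:14:11:f6
192.168.1.195   00:30:ab:14:0f:89
EOF
    cat > "$d/live" <<'EOF'
? (192.168.1.129) at 00:30:ab:14:11:46 on wi0 permanent [ethernet]
? (192.168.1.130) at 00:11:22:33:44:55 on wi0 permanent [ethernet]
? (192.168.1.200) at 00:aa:bb:cc:dd:ee on wi0 [ethernet]
EOF
    audit_arp "$d/pinned" "$d/live"; rc=$?
    rm -rf "$d"
    return $rc
}
```

On the router itself the second argument would be a file produced with `arp -an > file`; the function only reads files and changes nothing.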