From owner-freebsd-security Thu Dec  6 23:15:01 2001
Delivered-To: freebsd-security@freebsd.org
Received: from snipe.prod.itd.earthlink.net (snipe.mail.pas.earthlink.net [207.217.120.62]) by hub.freebsd.org (Postfix) with ESMTP id 9B0C337B405; Thu, 6 Dec 2001 23:14:53 -0800 (PST)
Received: from dialup-209.245.134.25.dial1.sanjose1.level3.net ([209.245.134.25] helo=blossom.cjclark.org) by snipe.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16CFDJ-0006jH-00; Thu, 06 Dec 2001 23:14:48 -0800
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id fB77E1e12693; Thu, 6 Dec 2001 23:14:01 -0800 (PST) (envelope-from cjc)
Date: Thu, 6 Dec 2001 23:14:01 -0800
From: "Crist J. Clark"
To: Bill Fenner
Cc: net@freebsd.org, security@freebsd.org
Subject: Re: NOARP - gateway must answer and have frozen ARP table
Message-ID: <20011206231401.N8975@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011205124430.A83642@svzserv.kemerovo.su> <20011205040316.H40864@blossom.cjclark.org> <20011205231735.A1361@grosbein.pp.ru> <20011205193859.B79705@sunbay.com> <200112051835.fB5IZqH95521@whizzo.transsys.com> <20011205204526.B89520@sunbay.com> <200112051852.fB5IqmH95809@whizzo.transsys.com> <20011205121928.A3061@blossom.cjclark.org> <200112062059.MAA02282@windsor.research.att.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200112062059.MAA02282@windsor.research.att.com>; from fenner@research.att.com on Thu, Dec 06, 2001 at 12:59:39PM -0800
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Dec 06, 2001 at 12:59:39PM -0800, Bill Fenner wrote:
> 
> Garrett and I discussed what IFF_NOARP should mean about 4-5 years
> ago; we decided that it probably meant "no ARP".  We discussed
> the idea of separating it out into two flags; "Don't reply to ARP"
> and "don't pay attention to ARP" but decided to wait and see what
> people thought.  4-5 years is probably enough time to wait =)
> 
> My proposal: keep IFF_NOARP, but add IFF_NOSENDARP and IFF_NOREPLYARP
> (or something, I'm no good at making up names).  I agree with Louie
> that it makes sense for these to be per-interface as opposed to
> Ruslan's sysctl.

If this is really what you want to do, I believe you can do it with
existing tools. For simplicity, I'm just going to illustrate a way to
set it up rather than explain it.

Store your IP-MAC address pairs in a flat file as prescribed in arp(8),

  192.168.10.2 01:02:03:10:11:12
  192.168.10.4 01:02:03:21:22:23
  ...

Load your permanent ARP table with a simple,

  arp -f arp_list.txt

in the startup, and include,

  # one pass rule in each direction for every static ARP entry
  while read IP MAC; do
    ipfw add pass ip from $IP to any via if0
    ipfw add pass ip from any to $IP via if0
  done < arp_list.txt
  ipfw add deny ip from any to any via if0

in your rc.firewall. Now you have a static ARP table and all traffic not
from those IP addresses is blocked. Since we never ARP for any other
addresses (the packets are blocked before we ARP for them), we never get
other entries in the ARP table.

At least I think this should do what you want. I still am not quite sure
what a "one-way ARP" is supposed to gain.
-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
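The frozen-ARP-plus-ipfw recipe above is easy to get subtly wrong when the list is hand-edited (a bad MAC makes arp -f fail partway, a stray line becomes a bogus ipfw rule). As an added example, not part of the original mail and not FreeBSD's own code, here is a POSIX sh script that takes the same arp(8) -f style list, validates each IP/MAC pair, skips comments and malformed lines, and emits the arp -f load plus numbered ipfw pass rules and the final deny as text, so the result can be reviewed or diffed before it goes into rc.firewall. The interface name if0 (from the mail), the rule numbering, and the sample list are all assumptions made here.

```sh
#!/bin/sh
# Generate a frozen ARP table load and matching ipfw rules from a flat
# "IP MAC" list (arp -f format). Added example; the interface name if0
# and the rule numbers are assumptions, not FreeBSD defaults.

IFACE="${IFACE:-if0}"

# Constructed sample list in arp(8) -f format. The last entry has a
# deliberately malformed MAC so the validator has something to reject.
write_sample_list() {
    cat >"$1" <<'EOF'
# gateway segment, frozen ARP entries
192.168.10.2 01:02:03:10:11:12
192.168.10.4 01:02:03:21:22:23

192.168.10.7 01:02:03:31:32:33
192.168.10.9 01:02:03:zz:zz:zz
EOF
}

# Return 0 if $1 looks like a dotted-quad IPv4 address and $2 like a
# colon-separated 48-bit MAC; anything else is rejected.
valid_pair() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$2" | grep -Eq '^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$' || return 1
}

# Emit (do not execute) the commands: one arp -f load, two pass rules per
# valid host, then the catch-all deny. Rule numbers keep ipfw ordering
# explicit so the deny cannot land ahead of a pass rule.
gen_rules() {
    list="$1"
    n=1000
    echo "arp -f $list"
    while read -r ip mac _rest; do
        case "$ip" in ''|'#'*) continue ;; esac   # blank or comment line
        if ! valid_pair "$ip" "$mac"; then
            echo "# SKIPPED malformed line: $ip $mac" >&2
            continue
        fi
        echo "ipfw add $n pass ip from $ip to any via $IFACE"; n=$((n+1))
        echo "ipfw add $n pass ip from any to $ip via $IFACE"; n=$((n+1))
    done <"$list"
    echo "ipfw add $n deny ip from any to any via $IFACE"
}

# Usage:  write_sample_list /tmp/arp_list.txt && gen_rules /tmp/arp_list.txt
```

Skipped lines are reported on stderr only, so a cron job that regenerates the ruleset can log them without polluting the rule output. The script deliberately prints the commands instead of running them: with a default-deny on the interface, a typo in the list locks out the very host you are administering from, so the generated rules should be compared against the current list (and the live `arp -an` output) before they are loaded.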