From owner-freebsd-bugs Thu Nov 23 19:20:11 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id D16C637B4C5 for ; Thu, 23 Nov 2000 19:20:01 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id TAA03309; Thu, 23 Nov 2000 19:20:01 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 8C4C937B4D7 for ; Thu, 23 Nov 2000 19:15:39 -0800 (PST)
Received: (qmail 8665 invoked by uid 0); 24 Nov 2000 03:15:38 -0000
Received: from p3ee21638.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.56) by mail.gmx.net (mail04) with SMTP; 24 Nov 2000 03:15:38 -0000
Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id AAA20118 for FreeBSD-gnats-submit@freebsd.org; Fri, 24 Nov 2000 00:39:14 +0100
Message-Id: <20001124003914.X27042@speedy.gsinet>
Date: Fri, 24 Nov 2000 00:39:14 +0100
From: Gerhard Sittig
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: conf/23063: [PATCH] for static ARP tables in rc.network
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         23063
>Category:       conf
>Synopsis:       [PATCH] for static ARP tables in rc.network
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 23 19:20:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Gerhard Sittig
>Release:        FreeBSD 4.2-STABLE i386
>Organization:   in private
>Environment:
Wherever somebody is paranoid enough to not want self-learned - and thus changing - ARP tables (i.e. to avoid having "visitors" participate in your network communication, join in new or redirect - "suck in" - other machines' packets).
>Description:
The patch below takes two steps which come in handy in restrictive (as well as most likely small and static) setups:
- it turns off ARP functionality on specified interfaces so your IP stack does not accept ARP packets possibly sent to you by strangers
- it sets up your ARP table with fixed entries, otherwise one couldn't do IP communication with the hosts you know about and want to talk to
>How-To-Repeat:
not of relevance, there's no problem here :)
>Fix:
Apply the patch and throw the rc.conf switches (turn on the _enable switch and fill in the _interfaces and _table)!

Of course these fix entries should get applied on *all* the machines in the network segment in question, so none of them can be fooled. And I'm aware of the fact that, say, routers usually won't do (dynamic) ARP on one interface while they do on another. That's what the interface list is for. Deleting some already known ARP entries (we're talking a few seconds after bootup and interface configuration here) won't really hurt. They will be learned again quickly.
Maybe one should not SHOUT this loud when there's no interface or table -- but I failed to come up with an example where it would be of real use to leave one of them blank.

The most important "problem" I had with this patch is to identify a spot in rc.network where all the relevant interfaces are up but almost no traffic could have passed through them yet. Feel free to shove the code block to a more appropriate place.

And of course the standard disclaimer applies: I'm not a native speaker, nor are troff or mdoc my native languages. :)

Hopefully the patch will make its way unmangled now that I decided to shar(1) it.

# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
# script.diff
# config.diff
# manpage.diff
#
echo x - script.diff
sed 's/^X//' >script.diff << 'END-of-script.diff'
XIndex: etc/rc.network X=================================================================== XRCS file: /CVSREPO/fbsd/src/etc/rc.network,v Xretrieving revision 1.88 Xdiff -u -5 -r1.88 rc.network X--- etc/rc.network 2000/10/12 11:25:57 1.88 X+++ etc/rc.network 2000/11/23 22:54:34 X@@ -233,10 +233,51 @@ X echo -n "Starting ppp as \"${ppp_user}\"" X su -m ${ppp_user} -c "exec ${ppp_command}" X ;; X esac X X+ # hardcode ARP table when asked to do so X+ # X+ case ${static_arp_enable} in X+ [Yy][Ee][Ss]) X+ echo -n ' static arp' X+ X+ # don't bother if we fall through, X+ # the loops below just become empty X+ [ -z "${static_arp_interfaces}" ] && echo -n ' NO INTERFACES' X+ [ -z "${static_arp_table}" ] && echo -n ' NO TABLE' X+ X+ # clear ARP functionality on all the interfaces X+ for IF in $static_arp_interfaces; do X+ /sbin/ifconfig $IF -arp X+ done X+ unset IF X+ X+ # delete (previously) "ARP'ed" IPs from the table X+ ADDRLIST=$( /usr/sbin/arp -an | /usr/bin/sed 's/^[^(]*(//; 
s/).*$//' ) X+ for ADDR in $ADDRLIST; do X+ /usr/sbin/arp -d $ADDR X+ done X+ unset ADDRLIST ADDR X+ X+ # fill in the new entries X+ # (for a starter or as the whole table) X+ for PAIR in $static_arp_table; do X+ /usr/sbin/arp -s $( echo $PAIR | tr '=' ' ' ) X+ done X+ unset PAIR X+ X+ # maybe: show the current table X+ case ${static_arp_verbose} in X+ [Yy][Ee][Ss]) X+ echo ' arp table dump:' X+ /usr/sbin/arp -an X+ ;; X+ esac X+ ;; X+ esac X+ X # Initialize IP filtering using ipfw X # X if /sbin/ipfw -q flush > /dev/null 2>&1; then X firewall_in_kernel=1 X else END-of-script.diff echo x - config.diff sed 's/^X//' >config.diff << 'END-of-config.diff' XIndex: etc/defaults/rc.conf X=================================================================== XRCS file: /CVSREPO/fbsd/src/etc/defaults/rc.conf,v Xretrieving revision 1.83 Xdiff -u -5 -r1.83 rc.conf X--- etc/defaults/rc.conf 2000/10/29 19:59:04 1.83 X+++ etc/defaults/rc.conf 2000/11/23 21:52:55 X@@ -188,10 +188,18 @@ X ipxrouted_enable="NO" # Set to YES to run the IPX routing daemon. X ipxrouted_flags="" # Flags for IPX routing daemon. X arpproxy_all="" # replaces obsolete kernel option ARP_PROXYALL. X forward_sourceroute="NO" # do source routing (only if gateway_enable is set to "YES") X accept_sourceroute="NO" # accept source routed packets to us X+static_arp_enable="NO" # hardcode ARP table? X+static_arp_verbose="NO" # dump ARP table after setting up? X+static_arp_interfaces="xl0" # turn ARP off on these interfaces X+static_arp_table="\ X+ 192.168.21.57=00:60:08:xx:xx:xx \ X+ 192.168.21.58=00:01:02:xx:xx:xx \ X+ 192.168.21.59=00:50:DA:xx:xx:xx \ X+ " X X ### ATM interface options: ### X atm_enable="NO" # Configure ATM interfaces (or NO). X #atm_netif_hea0="atm 1" # Network interfaces for physical interface. X #atm_sigmgr_hea0="uni31" # Signalling manager for physical interface. 
END-of-config.diff echo x - manpage.diff sed 's/^X//' >manpage.diff << 'END-of-manpage.diff' XIndex: share/man/man5/rc.conf.5 X=================================================================== XRCS file: /CVSREPO/fbsd/src/share/man/man5/rc.conf.5,v Xretrieving revision 1.84 Xdiff -u -5 -r1.84 rc.conf.5 X--- share/man/man5/rc.conf.5 2000/10/28 13:35:30 1.84 X+++ share/man/man5/rc.conf.5 2000/11/23 22:29:26 X@@ -563,10 +563,50 @@ X .Pa /etc/ppp/ppp.conf . X .It Ar ppp_user X (str) The name of the user under which ppp should be started. By X default, ppp is started as X .Ar root . X+.\" ----- static arp table -------------------------------------- X+.It Ar static_arp_enable X+(bool) Set to X+.Ar NO X+by default. X+Setting this to X+.Ar YES X+will turn off ARP for every interface specified in X+.Ar static_arp_interfaces X+and will put static ARP entries from the X+.Ar static_arp_table X+variable into the ARP table. X+.It Ar static_arp_verbose X+(bool) Set to X+.Ar NO X+by default. X+Setting this to X+.Ar YES X+will dump the current ARP table X+after filling it with static entries. X+This requires the X+.Ar static_arp_enable X+setting to be turned on. X+.It Ar static_arp_interfaces X+(str) Empty by default. X+Holds a white space separated list of interfaces X+on which ARP learning will be turned off. X+Depends on the X+.Ar static_arp_enable X+setting. X+.It Ar static_arp_table X+(str) Depends on the X+.Ar static_arp_enable X+setting and X+holds a white space separated list of elements X+each of the form IP address, equals sign, MAC address. X+For instance to hardcode two ARP table entries put X+.Qq Ar "192.168.21.57=00:60:08:01:02:03 192.168.21.58=00:01:02:04:05:06" X+into this variable. X+.\" ----- end of static arp ------------------------------------- X .It Ar rc_conf_files X (str) This option is used to specify a list of files that will override X the settings in X .Pa /etc/defaults/rc.conf . 
X The files will be read in the order in which they are specified and should
END-of-manpage.diff
exit

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.

>Release-Note:
>Audit-Trail:
>Unformatted:
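Review bot: in the rc.network hunk, the flush loop `for ADDR in $ADDRLIST; do /usr/sbin/arp -d $ADDR; done` deletes every entry that `arp -an` lists, including permanent and published (proxy) entries that other configuration may have installed and entries on interfaces that are not in `static_arp_interfaces`, while the description only promises to turn ARP off on the listed interfaces. Suggest dropping lines flagged `permanent` or `published` before the sed (e.g. `/usr/sbin/arp -an | grep -Ev ' (permanent|published)' | /usr/bin/sed ...`). The `NO INTERFACES` / `NO TABLE` branches also fall through into the flush, so an empty `static_arp_table` still empties the cache; the comment says the loops "just become empty", which only holds for the add loop, so skipping the flush in that case (or returning from the case branch early) would match the intent.

Review bot: in the defaults/rc.conf hunk, `static_arp_interfaces="xl0"` and a `static_arp_table` filled with `00:60:08:xx:xx:xx` placeholders are not safe defaults: anyone who sets `static_arp_enable="YES"` without overriding both gets ARP turned off on xl0 and `arp -s` errors on the placeholder MACs. Suggest shipping both as empty strings (`static_arp_interfaces=""`, `static_arp_table=""`) and moving the sample addresses into a comment, which also matches the man page's "Empty by default" wording for `static_arp_interfaces`.

Review bot: in the rc.conf.5 hunk, the `static_arp_enable` text says the entries are put "into the ARP table" but does not mention that all previously learned entries are deleted first, nor that the new entries are permanent (`arp -s` without `temp`); both are visible effects an administrator needs to know about. The `static_arp_interfaces` description "Empty by default" should also agree with whatever the defaults file ends up shipping.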
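Added here as an example that is not part of the PR: a POSIX sh helper that validates `static_arp_table` entries in the IP=MAC form the man page defines before they reach arp(8), and picks flush candidates from `arp -an` output so permanent and published entries survive. The function names and the sample `arp -an` lines are constructed for this illustration.

```shell
# Added example, not part of the PR: validate static_arp_table entries
# and pick flush candidates from arp -an output. Function names and
# the sample output below are constructed for this illustration.

# Print "IP MAC" for a well-formed "IP=MAC" pair, return 1 otherwise.
static_arp_split() {
    pair=$1
    ip=${pair%%=*}
    mac=${pair#*=}
    # exactly one '=' with a non-empty half on each side
    [ "$ip" != "$pair" ] && [ -n "$ip" ] && [ -n "$mac" ] || return 1
    [ "${mac#*=}" = "$mac" ] || return 1
    # dotted quad, every octet in 0..255
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$ip" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    # six colon separated hex pairs (placeholders like xx:xx:xx fail here)
    echo "$mac" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    echo "$ip $mac"
}

# Print one "arp -s IP MAC" command per table entry; return 1 if any
# entry is malformed so the caller can refuse the whole table.
static_arp_commands() {
    rc=0
    for pair in $1; do
        if split=$(static_arp_split "$pair"); then
            echo "/usr/sbin/arp -s $split"
        else
            echo "static arp: bad entry '$pair'" >&2
            rc=1
        fi
    done
    return $rc
}

# From arp -an style lines on stdin, print the IPs of learned entries
# only, so permanent and published (proxy) entries survive the flush.
static_arp_learned_ips() {
    grep -Ev ' (permanent|published)' | sed 's/^[^(]*(//; s/).*$//'
}

# Constructed sample in the format arp -an prints.
SAMPLE_ARP_OUTPUT='? (192.168.21.1) at 00:60:08:01:02:03 [ethernet]
? (192.168.21.57) at 00:60:08:0a:0b:0c permanent [ethernet]
? (192.168.21.3) at (incomplete) [ethernet]
? (192.168.21.4) at 00:50:da:04:05:06 published [ethernet]'
```

Feed `"$static_arp_table"` to `static_arp_commands` and pipe `/usr/sbin/arp -an` into `static_arp_learned_ips` to get the two lists the rc.network hunk builds by hand.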