Date: Sun, 26 Nov 2000 08:55:14 +0100
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: static ARP tables
Message-ID: <20001126085514.H27042@speedy.gsinet>
In-Reply-To: <200011252212.PAA26585@faith.cs.utah.edu>; from dga@pobox.com on Sat, Nov 25, 2000 at 03:12:56PM -0700
References: <Pine.NEB.4.21.0011241617180.25280-100000@phalse.2600.com> <200011252212.PAA26585@faith.cs.utah.edu>
On Sat, Nov 25, 2000 at 15:12 -0700, David G. Andersen wrote:
>
> You have a point, of course; this shouldn't be plugged as "the
> perfect solution for ip-based authentication," because it does
> have many holes of which a user must be aware, but it's a very
> nice thing to have around, and I'd love to see it controllable
> via rc.conf.

OK, I took this point; I wasn't quite aware of it before. Of course no
security measure stands alone, but every single one contributes to
raising the bar for the bad guys and to keeping legitimate users from
doing harm to themselves as well as to others.

> One thing that would be nice from my perspective would be the
> ability to specify an external file that contains the static
> ARP entries, e.g.
>
> static_arp_table="/etc/arpfile"
>
> (The same kind of functionality currently provided by
> rc.firewall).

You might want to follow up to the PR (to have it in the audit trail)
with a patch that makes the loop filling in the table read something
like

  case ${static_arp_table} in
  /*)     # file name specified
          while read ADDR; do
                  ...
          done < ${static_arp_table}
          ;;
  [1-9]*) # starts with an IP address
          for ADDR in ${static_arp_table}; do
                  ...
          done
          ;;
  esac

Alternatively you could try to use the same body for every branch by
doing some magic like

  (
  case ${static_arp_table} in
  /*)     # file name specified
          cat ${static_arp_table}
          ;;
  [1-9]*) # starts with an IP address
          echo ${static_arp_table} | tr ' ' '\n'
          ;;
  esac
  ) | while read ADDR; do
          ...
  done

depending on what kind of notation you consider least painful. :)
Beware that this is a skeleton and still needs some cleanup (remove
comment lines, drop empty lines, squeeze redundant whitespace, etc).

Plus the static ARP table could be done the way ifconfig (with
network_interfaces and ifconfig_$IF) and static routes are done: to
have an index list and wade through the "indexed" variables of
elements.
virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
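[Editor's added example, not part of Gerhard's mail and not FreeBSD's own rc code.] The skeleton above is filled in here as POSIX sh: static_arp_table is either a file name (leading "/") or an inline "ip mac ip mac ..." list, both are normalised to one "ip mac" entry per line with the cleanup the mail asks for (comment lines, empty lines, redundant whitespace), each entry is checked for a plausible IPv4 address and Ethernet address, and the arp(8) invocations that would install the entries are printed rather than executed so they can be reviewed first. The function names, the "ip mac" file layout and the use of arp -S (FreeBSD's "set, replacing any existing entry") are this example's assumptions; the sample table and file are constructed.

```shell
#!/bin/sh
# Added example: normalise, clean and validate a static_arp_table value
# given either as a file name or as an inline list, then print the
# arp(8) commands that would install the entries. Function names, the
# "<ip> <mac>" file layout and the dry-run design are assumptions of
# this example, not FreeBSD's rc code.

# Dotted-quad IPv4 and colon-separated 48-bit Ethernet address patterns.
IP_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
MAC_RE='^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$'

# Emit the raw entries from either notation, one "<ip> <mac>" per line,
# with '#' comments, blank lines and redundant whitespace removed.
static_arp_entries() {
    (
        case "$1" in
        /*)                 # file name specified
            cat "$1"
            ;;
        [1-9]*)             # starts with an IP address: regroup the words in pairs
            set -- $1
            while [ $# -ge 2 ]; do
                printf '%s %s\n' "$1" "$2"
                shift 2
            done
            ;;
        *)
            echo "static_arp: unrecognised table notation: '$1'" >&2
            ;;
        esac
    ) | sed -e 's/#.*$//' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/[[:space:]][[:space:]]*/ /g' -e '/^$/d'
}

# Keep only well-formed entries and report anything else on stderr:
# a mistyped line would otherwise land in the ARP cache unnoticed.
static_arp_validate() {
    while read -r ip mac rest; do
        if [ -z "$rest" ] &&
           printf '%s\n' "$ip" | grep -Eq "$IP_RE" &&
           printf '%s\n' "$mac" | grep -Eq "$MAC_RE"; then
            printf '%s %s\n' "$ip" "$mac"
        else
            echo "static_arp: skipping malformed entry: $ip $mac $rest" >&2
        fi
    done
}

# Print the arp(8) invocations (-S replaces any existing entry) instead
# of running them, so the result can be reviewed before it is applied.
static_arp_commands() {
    static_arp_entries "$1" | static_arp_validate |
    while read -r ip mac; do
        printf 'arp -S %s %s\n' "$ip" "$mac"
    done
}

# Constructed sample input: an inline table and an equivalent file with
# a comment line, a blank line, a trailing comment and one bad entry.
SAMPLE_INLINE='10.0.0.1 00:11:22:33:44:55 10.0.0.2 00:11:22:33:44:66'
SAMPLE_FILE=/tmp/static_arp_example.$$
cat > "$SAMPLE_FILE" <<'EOF'
# gateway and printer
10.0.0.1    00:11:22:33:44:55

10.0.0.2 00:11:22:33:44:66   # trailing comment
10.0.0.3 not-a-mac
EOF

static_arp_commands "$SAMPLE_INLINE"
static_arp_commands "$SAMPLE_FILE"
rm -f "$SAMPLE_FILE"
```

Both invocations print the same two arp -S lines; the file run additionally reports the "10.0.0.3 not-a-mac" line on stderr and drops it. Piping the output into sh once it has been checked is what an rc script would do in place of the printf.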