Re: [fw-wiz] Link level security with static arp tables

From: Martin A. Brown (mabrown-firewall-wizards_at_securepipe.com)
Date: 10/14/03

To: firewall-wizards@honor.icsalabs.com
Date: Mon, 13 Oct 2003 17:21:07 -0500 (CDT)


    Dear Debian User,

    You didn't specify Linux in your post, but judging from your question and
    your handle, I feel safe in assuming that your question is about Linux.
    The tools I describe below are only available under kernel 2.2.20+ and
    2.4.18+ systems.

     : I could disable arp on eth0 and use static arp tables in the gw, but
     : that would mean that the gateway won't answer any arp queries, hence
     : the clients will not be able to find its MAC. Setting up static arp
     : tables in clients is not an option.

    Have you heard of "ip arp"?

      http://www.ssi.bg/~ja/#iparp
      http://www.ssi.bg/~ja/iparp.txt

    Julian's kernel and iproute2 patch provide support for ARP filtering.

     : I could use netfilter MAC matching support in the kernel, but that
     : would mean I have to add 50 rules to the ruleset adding considerable
     : overhead. Moreover, it is a link level problem that should be solved in
     : the same level, so netfilter is not an attractive option. Please
     : comment if I'm wrong.

    I don't see how 50 netfilter rules would cause much overhead. You could
    create a file with your 50 desired MAC addresses (harvested with a bit of
    "arp -n") and write a generic script which calls all of the commands to
    allow only these MAC addresses.

    Even so, the clever user can alter the MAC address on many/most ethernet
    cards today:

      http://linux-ip.net/html/tools-ip-link.html#tools-ip-link-set-address

    I imagine that this is possible on other operating systems as well.
    Naturally, your users may not be so sophisticated. Nonetheless, you
    should be able to limit traffic to the expected set of hosts only by
    combining a strong switch configuration and MAC address limiting on your
    gateway.

    Best of luck,

    -Martin

    -- 
    Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
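A script of the kind Martin describes, added here as an example and not part of the original post: it reads a file of allowed MAC addresses (one per line, as harvested with "arp -n") and emits the iptables rules that let only those hosts send traffic into or through the gateway on the LAN side, with everything else dropped. It assumes eth0 is the LAN interface and that the iptables "mac" match module is available; the sample allow-list is constructed, and malformed entries are skipped rather than silently turned into rules.

```shell
#!/bin/sh
# Emit iptables commands that allow only the MAC addresses listed in a file
# to send traffic into or through the gateway via the LAN interface. The
# commands are printed, not executed, so the ruleset can be reviewed first.
# Assumptions (mine, not the original post's): LAN interface eth0, one MAC
# per line ("#" comments and blank lines ignored), and the iptables "mac"
# match module (-m mac --mac-source) available.

LAN_IF="${LAN_IF:-eth0}"
MAC_RE='^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'

# gen_mac_rules FILE: print the ruleset to stdout.
# Returns 0 if every entry was a well-formed MAC, 1 if any was skipped.
gen_mac_rules() {
    file="$1"; bad=0; n=0
    printf 'iptables -N MACFILTER\n'
    while IFS= read -r line || [ -n "$line" ]; do
        # strip comments, leading whitespace and anything after the address
        mac=$(printf '%s\n' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]].*//')
        [ -z "$mac" ] && continue
        if printf '%s\n' "$mac" | grep -Eq "$MAC_RE"; then
            printf 'iptables -A MACFILTER -m mac --mac-source %s -j RETURN\n' "$mac"
            n=$((n + 1))
        else
            printf 'gen_mac_rules: skipping malformed entry: %s\n' "$mac" >&2
            bad=1
        fi
    done < "$file"
    # Unlisted sources are dropped; the mac match is only valid in
    # PREROUTING, INPUT and FORWARD, so hook the chain into the latter two.
    printf 'iptables -A MACFILTER -j DROP\n'
    printf 'iptables -I INPUT 1 -i %s -j MACFILTER\n' "$LAN_IF"
    printf 'iptables -I FORWARD 1 -i %s -j MACFILTER\n' "$LAN_IF"
    printf 'gen_mac_rules: %d MAC(s) allowed on %s\n' "$n" "$LAN_IF" >&2
    return "$bad"
}

# Constructed sample allow-list (not real hosts) so the script runs offline.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# LAN workstations, harvested with "arp -n"
00:11:22:33:44:55   # ws-01
00:11:22:33:44:56
00-11-22-33-44-57   # wrong separator: skipped, never allowed
EOF

gen_mac_rules "$SAMPLE" || echo 'gen_mac_rules: allow-list had bad entries' >&2
```

Pipe the output to "sh" only after checking it; the DROP rule applies to every LAN-side frame whose source MAC is not listed, including yours.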