Re: [fw-wiz] Static ARP firewall advice

From: Chuck Swiger (
Date: 04/09/04

  • Next message: Greg Dickinson: "Re: [fw-wiz] Static ARP firewall advice"
    To: Greg Dickinson <>
    Date: Fri, 09 Apr 2004 09:51:41 -0400

    Greg Dickinson wrote:
    [ ... ]
    > I am currently in the process of reloading the proxy server to get it
    > off RH9, but in the interim I was wondering if there is an
    > easy/recommended way to accomplish this: I had the idea of adding static
    > ARP entries in the firewall so that only the specified Layer 3 addresses
    > that match the specified Layer 2 addresses can get through the firewall.
    > However (as you can imagine) this is a nightmare to maintain, as well
    > as difficult for the local administrator to add static ARP entries (he
    > has to add the addresses to /etc/rc.local and reboot the firewall
    > everytime [yes, I know a reboot is not required...but it's simpler...
    > :-> ])

    On most systems, you should be adding IP-to-MAC mappings via /etc/ethers, and
    disabling ARP on that particular network interface. While you can accomplish
    what you've asked for and it will work to some extent, you'll discover that
    clever students can also change their MAC addresses, too.

    Better approaches be to switch to using authenticating proxy servers for
    traffic (ie, squid for HTTP/HTTPS), or to require students to use PPPoE in
    order to get a connection (which will use an authentication mechanism that's
    not trivial to spoof).

    firewall-wizards mailing list

  • Next message: Greg Dickinson: "Re: [fw-wiz] Static ARP firewall advice"