RE: [fw-wiz] Static ARP firewall advice

From: Melson, Paul (
Date: 04/12/04

  • Next message: Laura Taylor: "RE: [fw-wiz] Looking for papers on protecting servers"
    To: "Greg Dickinson" <>, <>
    Date: Mon, 12 Apr 2004 10:12:25 -0400

    I'm not sure why you'd want a packet filter to manage your ARP table,
    but I think you can get what you want.

    For static ARP tables, you can use `arp -s [ip addr] [mac addr] perm
    pub` (Using 'pub' allows pf to proxy ARP for that address.)

    You can also use bridge and brconfig to filter by MAC address. You need
    to create a bridge from one interface to the other:

    echo "add ne0 add ne1 up" > /etc/bridgename.bridge0

    Then create a rule file for brconfig to use. They can be in conjunction
    with pf rules on the same box:

    pass out on ne1 src 00:4f:4e:00:1c:32

    If you want the ability to replace source IP address with source MAC
    address, you'll probably need to look at iptables. If I'm not mistaken,
    MAC filtering support is a kernel compile-time option, but it is there.


    > -----Original Message-----
    > To summarize: is there an easy way to maintain static ARP
    > entries using
    > pf on OBSD 3.2? While the current firewall is OBSD, I am not married
    > to this configuration - if there is an open source firewall
    > product that will allow me to accomplish this easier, then I
    > will recommend that to the admin.
    > Thanks in advance for your time.
    firewall-wizards mailing list

  • Next message: Laura Taylor: "RE: [fw-wiz] Looking for papers on protecting servers"

    Relevant Pages

    • Re: Arp Attacks
      ... >>on Linux 2.4 You can use iptables, which can filter by MAC adresses. ... > responds to ARP requests). ...
    • Re: Security Appliance With 12 Network Segments
      ... has the arp -s command for adding your own static entries. ... firewall anyway, so it's a handy place to identify the MAC. ... MAC address isn't the best solution for that. ... relying on MAC addresses will only work for networks directly attached to your firewall - as soon as you pass a router you lose the host's MAC address. ...
    • Re: Filtering Mac Addresses
      ... > Is there any way in ISA Server 2004 to filter on Mac addresses, ... > requesting client that is not on a white list of Mac addresses cannot ... ISA has no built In capability to filter via MAC addresses ... Have a look at google and search for "bridge firewall" ...
    • Re: [fw-wiz] MAC blocking
      ... > If a new MAC is seen the firewall it should not allow that MAC to pass ... > One could script a diff on files containing arp entries and then arp ... Paul D. Robertson "My statements in this message are personal opinions ...
    • Re: D-Link 604 Router
      ... > I can filter outbound connections using URL filtering using something ... > firewall software or hardware and no router, ...