RE: [fw-wiz] Static ARP firewall advice

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 04/12/04

    To: "Greg Dickinson" <gdickinson@indiansprings.org>, <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 12 Apr 2004 10:12:25 -0400
    
    

    I'm not sure why you'd want a packet filter to manage your ARP table,
    but I think you can get what you want.

    For static ARP tables, you can use `arp -s [ip addr] [mac addr] perm pub`
    (Using 'pub' allows pf to proxy ARP for that address.)

    You can also use bridge and brconfig to filter by MAC address. You need
    to create a bridge from one interface to the other:

    echo "add ne0 add ne1 up" > /etc/bridgename.bridge0

    Then create a rule file for brconfig to use. They can be in conjunction
    with pf rules on the same box:

    pass out on ne1 src 00:4f:4e:00:1c:32

    If you want the ability to replace source IP address with source MAC
    address, you'll probably need to look at iptables. If I'm not mistaken,
    MAC filtering support is a kernel compile-time option, but it is there.

    PaulM

    > -----Original Message-----
    > To summarize: is there an easy way to maintain static ARP
    > entries using
    > pf on OBSD 3.2? While the current firewall is OBSD, I am not married
    > to this configuration - if there is an open source firewall
    > product that will allow me to accomplish this easier, then I
    > will recommend that to the admin.
    >
    > Thanks in advance for your time.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
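An added example, not part of Paul's message or any OpenBSD tool: a POSIX shell helper that turns an IP/MAC table into the `arp -s ... perm pub` commands described above, and compares a captured `arp -an` listing against that table so overwritten or missing entries stand out. The table format and the "host (ip) at mac on if ..." output layout are assumptions; adjust the awk field numbers to match your release.

```shell
#!/bin/sh
# Added example (not from the list message). Builds static-ARP commands from a
# table and checks a captured `arp -an` listing against it to detect drift.
# Assumption: `arp -an` prints "? (ip) at mac on ifname ..." one entry per line.

# Constructed mapping table: one "ip mac" pair per line.
STATIC_ARP_TABLE='192.0.2.10 00:4f:4e:00:1c:32
192.0.2.20 00:4f:4e:00:1c:33'

# Constructed sample of `arp -an` output: the .20 entry carries a different MAC.
SAMPLE_ARP_OUTPUT='? (192.0.2.10) at 00:4f:4e:00:1c:32 on ne0 permanent static
? (192.0.2.20) at 00:4f:4e:00:1c:99 on ne0 expires in 1200 seconds'

# A MAC address is six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print one `arp -s IP MAC perm pub` command per table line (printed, not run).
# Fails on the first malformed MAC so a typo never becomes a published entry.
static_arp_cmds() {
    while read -r ip mac; do
        [ -n "$ip" ] || continue
        valid_mac "$mac" || { echo "bad mac for $ip: $mac" >&2; return 1; }
        printf 'arp -s %s %s perm pub\n' "$ip" "$mac"
    done <<EOF
$STATIC_ARP_TABLE
EOF
}

# Print "ip expected observed" for every table entry whose live MAC differs
# from the static table or is absent. $1 holds the `arp -an` output.
arp_drift() {
    out=$1
    while read -r ip mac; do
        [ -n "$ip" ] || continue
        # Field 2 is "(ip)", field 4 is the MAC in the assumed output layout.
        seen=$(printf '%s\n' "$out" | awk -v ip="($ip)" '$2 == ip { print $4 }')
        [ "$seen" = "$mac" ] || printf '%s %s %s\n' "$ip" "$mac" "${seen:-missing}"
    done <<EOF
$STATIC_ARP_TABLE
EOF
}
```

Running `arp_drift "$(arp -an)"` from cron against the real table gives a cheap check that the published entries still match what the kernel holds.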

