Possible (or possibly painful) workaround for FreeBSD-SA-03:14.arp
From: Michael Sierchio (kudzu_at_tenebras.com)
Date: 09/24/03
Date: Wed, 24 Sep 2003 08:56:13 -0700
To: security@freebsd.org
Of course you should patch/upgrade, etc. A stopgap measure
could be to use static ARP for a segment. I have done this
for a long time with wireless hosts, since I'm in an urban
environment with many visible nodes, some in autos, and
ARP cache poisoning is a well-known DoS against wireless.
You may find it extremely painful and less-than-useful to
have static IP addrs, etc. for hosts.
Here's a snippet of /usr/local/etc/rc.d/20-statarp.sh from
my FreeBSD host (192.168.1.1) serving as a wireless router:

#! /bin/sh
PATH=/usr/sbin:/sbin

# Disable ARP on the wireless interface; only the static entries below are used
ifconfig wi0 -arp
# Flush the existing ARP cache (stdout and stderr both discarded)
arp -d -a > /dev/null 2>&1

# wireless NICs
arp -s 192.168.1.1 00:02:2d:0e:00:40 > /dev/null 2>&1
arp -s 192.168.1.129 00:30:ab:14:11:46 > /dev/null 2>&1
arp -s 192.168.1.130 00:30:ab:14:11:f6 > /dev/null 2>&1
###$# many entries deleted ...
arp -s 192.168.1.195 00:30:ab:14:0f:89 > /dev/null 2>&1
# end
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
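
Added example, not part of the original post or of FreeBSD: because the script in the message discards all output from arp(8), a failed `arp -s` goes unnoticed, so this check compares what `arp -an` reports against the intended static table. The `arp -an` line layout, the table file format ("<ip> <mac>" per line) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit `arp -an` text on stdin against a static table file.
# Table format (assumed): "<ip> <mac>" per line, '#' starts a comment.
# Prints one finding per line and returns 1 if anything is wrong.
audit_arp() {
    awk '
    # Lower-case and zero-pad a MAC so 0:2:2d:e:0:40 equals 00:02:2d:0e:00:40.
    function norm(mac,    n, p, i, out) {
        n = split(tolower(mac), p, ":")
        if (n != 6) return ""
        for (i = 1; i <= 6; i++) {
            if (p[i] !~ /^[0-9a-f][0-9a-f]?$/) return ""
            if (length(p[i]) == 1) p[i] = "0" p[i]
            out = (i == 1) ? p[i] : out ":" p[i]
        }
        return out
    }
    NR == FNR {                       # first input: the expected table
        sub(/#.*/, ""); if (NF >= 2) want[$1] = norm($2)
        next
    }
    $3 == "at" {                      # "? (ip) at mac on ifname [permanent] ..."
        ip = $2; gsub(/[()]/, "", ip); m = norm($4)
        if (!(ip in want)) { print "UNEXPECTED " ip " " $4; bad = 1; next }
        seen[ip] = 1
        if (m == "" || m != want[ip]) {
            print "MISMATCH " ip " " $4 " want " want[ip]; bad = 1
        } else if ($0 !~ / permanent/) {
            print "NOT_PERMANENT " ip; bad = 1
        }
    }
    END {
        for (ip in want) if (!(ip in seen)) { print "MISSING " ip; bad = 1 }
        exit bad + 0
    }' "$1" -
}

# Constructed sample: .129 answers with a wrong MAC, .130 has no entry.
audit_arp_demo() {
    t=$(mktemp) || return 2
    printf '%s\n' '192.168.1.129 00:30:ab:14:11:46' \
                  '192.168.1.130 00:30:ab:14:11:f6' > "$t"
    if printf '%s\n' '? (192.168.1.129) at 0:30:ab:14:11:47 on wi0 [ethernet]' |
        audit_arp "$t"; then rc=0; else rc=1; fi
    rm -f "$t"; return "$rc"
}
```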