Re: Static ARP table in Linux

From: Andrei Boros (andrix_at_fx.ro)
Date: 12/13/03

    Date: Sat, 13 Dec 2003 18:02:32 +0200
    To: Gil Disatnik <gil@disatnik.com>
    Gil Disatnik wrote:
    >

    Hi,

    I still run Slack 7 on a 2.2.25 kernel, thus having no way of firewall
    filtering based on source MAC. (ipchains)
    So I came up with the following:

    Using ip from iproute2 package I flush the arp table and then set up
    entries for each machine on my network with access to the server to be a
    static entry. IPs are given out by a dhcp server and anyone putting a
    routed ip by hand won't get through (of course mac spoofing excluded, but
    mine aren't that advanced as well).

    ip neigh add a.b.c.d lladdr xx:xx:xx:xx:xx:xx nud permanent

    According to the ip command reference:
    permanent = the neighbour entry is valid forever and can only be
    removed administratively.

    Other machines simply won't be able to talk to your server if their MAC
    does not match.

    It is advisable to change all entries in the ARP table to nud noarp
    before you flush the table, otherwise some entries won't be updated
    properly.

    Your server will advertise its own MAC, unknown IPs will be able to
    contact your server, but the firewall won't let them through.
    Known IPs with bogus MAC won't be able to talk to you.

    On 2.4+ you simply use iptables with source IP and MAC filters. Correct
    IP and MAC and you're surfing.

    > I am trying to have a firewall running with a static arp table for its
    > local network (I know I know... MAC can easily be changed. The users behind
    > this firewall are not that advanced, all I want is that people will not be
    > able to simply plug in a machine and get net access from it...)
    > Back to business - when bringing up an interface with -arp, it's not only
    > preventing the machine from adding new MAC entries to its arp cache, but
    > it's also stopping it from advertising its very own MAC address.
    >
    > Is there a way to prevent the arp cache from being filled yet to still be
    > able to advertise my own MAC?
    > I thought about simply forcing the MAC addresses I know into the cache
    > (perm) and to also add those I don't know with a bogus MAC, that's a really
    > ugly workaround though.
    >
    I don't see why it is an ugly workaround (on 2.2 I think it's the only
    way to protect against ip spoofing).
    Besides, if the arp cache doesn't get filled, what then? You still have to
    add some entries by hand.

    > Regards
    >
    > Gil Disatnik
    > UNIX system administrator.
    >
    > GibsonLP@EFnet
    > http://gil.disatnik.com
    >
    > _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
    > apt-get install slackware
    The only way to fly!

    > --------------------------------------------------------------------
    > "Windows NT has detected mouse movement, you MUST restart
    > your computer before the new settings will take effect, [ OK ]"
    > --------------------------------------------------------------------
    > Windows is a 32 bit patch to a 16 bit GUI based on a 8 bit operating
    > system, written for a 4 bit processor by a 2 bit company which can
    > not stand 1 bit of competition.
    > -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

    There's so much truth in what you say.

    -- 
    Choose not to choose! Let Micro$oft do it for you!
    Or... the Penguin shall set you free...
    ------
    Andrix
    E-mail: mailto:andrix@fx.ro
    Web   : http://members.tripod.com/andrei_b
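    An added example, not part of Andrei's message and not iproute2's or netfilter's own code: a POSIX shell script that turns an allow-list of "IP MAC" pairs into the commands the thread describes. It validates each pair, emits the 2.2-era iproute2 sequence (set existing entries to nud noarp, flush, pin each host as permanent) and, for 2.4+, the equivalent iptables source-IP plus MAC-match rules. The interface name eth0, the allow-list format and the sample addresses are all my own constructed choices; the script only prints the commands so they can be reviewed before being fed to a root shell.

```shell
#!/bin/sh
# Added example: build static ARP / MAC-filter commands from an allow-list.
# Assumptions (not from the post): interface eth0, allow-list format "ip mac",
# sample addresses below are constructed for demonstration.
# Nothing here changes kernel state; pipe the output into a root shell to apply.

IFACE=eth0

# Constructed sample allow-list: "ip mac" per line, '#' starts a comment.
# Two good entries, one junk line, one entry with a malformed MAC.
ALLOWLIST='# ip            mac
192.168.1.10   00:11:22:33:44:55
192.168.1.11   00:11:22:33:44:66
bad-line
192.168.1.12   00:11:22:33:44:ZZ
'

# valid_mac MAC -> exit 0 if MAC is six colon-separated hex pairs
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# valid_ipv4 IP -> exit 0 if IP is a dotted quad with each octet in 0-255
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# parse_allowlist -> prints only the "ip mac" pairs that pass validation;
# a malformed line is reported on stderr and never becomes a command.
parse_allowlist() {
    printf '%s' "$ALLOWLIST" | while read -r ip mac rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        if valid_ipv4 "$ip" && valid_mac "$mac"; then
            printf '%s %s\n' "$ip" "$mac"
        else
            printf 'skipping malformed allow-list line: %s %s\n' "$ip" "$mac" >&2
        fi
    done
}

# neigh_commands -> the 2.2 / iproute2 approach from the thread:
#   1. mark every current entry nud noarp (the post notes that flushing
#      without this step leaves some entries not updated properly),
#   2. flush the table for the interface,
#   3. pin each allowed host as a permanent entry.
# "replace" is used instead of the post's "add" so re-running is idempotent.
neigh_commands() {
    printf 'ip neigh show dev %s | while read -r n rest; do ip neigh change "$n" dev %s nud noarp; done\n' "$IFACE" "$IFACE"
    printf 'ip neigh flush dev %s\n' "$IFACE"
    parse_allowlist | while read -r ip mac; do
        printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' "$ip" "$mac" "$IFACE"
    done
}

# fw_commands -> the 2.4+ approach: accept only a known IP arriving from its
# known MAC, then drop everything else on the interface.
fw_commands() {
    parse_allowlist | while read -r ip mac; do
        printf 'iptables -A INPUT -i %s -s %s -m mac --mac-source %s -j ACCEPT\n' \
            "$IFACE" "$ip" "$mac"
    done
    printf 'iptables -A INPUT -i %s -j DROP\n' "$IFACE"
}

# Usage: sh static_arp.sh > apply.sh ; review it ; then as root: sh apply.sh
neigh_commands
fw_commands
```

Both generators share the same validated list, so a typo in the allow-list is skipped on both the ARP and the iptables side rather than silently producing a rule for a host that can never match. As Andrei notes, none of this stops a host that clones an allowed MAC; it only keeps unlisted or mismatched hosts from reaching the server.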
    
