Re: Static ARP table in Linux
From: Andrei Boros (andrix_at_fx.ro)
Date: 12/13/03
- Previous message: Chuck Wolber: "Re: Static ARP table in Linux"
- In reply to: Gil Disatnik: "Static ARP table in Linux"
- Next in thread: Felipe Franciosi: "Re: Static ARP table in Linux"
Date: Sat, 13 Dec 2003 18:02:32 +0200
To: Gil Disatnik <gil@disatnik.com>
Gil Disatnik wrote:
>
Hi,
I still run Slack 7 on a 2.2.25 kernel, thus having no way of firewall
filtering based on source MAC. (ipchains)
So I came up with the following :
Using ip from iproute2 package I flush the arp table and then set up
entries for each machine on my network with access to the server to be a
static entry. IPs are given out by a dhcp server and anyone putting a
routed ip by hand won't get through (of course mac spoofing excluded, but
mine aren't that advanced either).
ip neigh add a.b.c.d lladdr xx:xx:xx:xx:xx:xx nud permanent
According to ip command reference :
permanent = the neighbour entry is valid forever and can only be
removed administratively.
Other machines simply won't be able to talk to your server if their MAC
does not match.
It is advisable to change all entries in the ARP table to nud noarp
before you flush the table, otherwise some entries won't be updated
properly.
Your server will advertise its own MAC, so unknown IPs will be able to
contact your server, but the firewall won't let them through.
Known IPs with bogus MAC won't be able to talk to you.
On 2.4+ you simply use iptables with source IP and MAC filters. Correct
IP and MAC and you're surfing.
> I am trying to have a firewall running with a static arp table for its
> local network (I know I know... MAC can easily be changed. The users behind
> this firewall are not that advanced, all I want is that people will not be
> able to simply plug in a machine and get net access from it...)
> Back to business - when bringing up an interface with -arp, it's not only
> preventing the machine from adding new MAC entries to its arp cache, but
> it's also stopping it from advertising its very own MAC address.
>
> Is there a way to prevent the arp cache from being filled yet to still be
> able to advertise my own MAC?
> I thought about simply forcing the MAC addresses I know into the cache
> (perm) and to also add those I don't know with a bogus MAC, that's a really
> ugly workaround though.
>
I don't see why it is an ugly workaround (on 2.2 I think it's the only
way to protect against ip spoofing).
Besides, if the arp cache doesn't get filled, what then? You still have to
add some entries by hand.
> Regards
>
> Gil Disatnik
> UNIX system administrator.
>
> GibsonLP@EFnet
> http://gil.disatnik.com
>
> _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
> apt-get install slackware
The only way to fly!
> --------------------------------------------------------------------
> "Windows NT has detected mouse movement, you MUST restart
> your computer before the new settings will take effect, [ OK ]"
> --------------------------------------------------------------------
> Windows is a 32 bit patch to a 16 bit GUI based on a 8 bit operating
> system, written for a 4 bit processor by a 2 bit company which can
> not stand 1 bit of competition.
> -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
There's so much truth in what you say.
--
Choose not to choose! Let Micro$oft do it for you!
Or... the Penguin shall set you free...
------
Andrix
E-mail: mailto:andrix@fx.ro
Web : http://members.tripod.com/andrei_b
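As an added example (not code from the post or from the iproute2 project), a POSIX sh script that turns an allowlist of IP/MAC pairs into the ip(8) command sequence Andrei describes: mark existing entries noarp, flush, then pin one permanent entry per allowed host. DEV, ALLOWLIST, CURRENT_TABLE, the function names and all sample addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the list post: generate the ip(8) commands
# for a static neighbour table from an allowlist. DEV, ALLOWLIST,
# CURRENT_TABLE and the function names are assumptions for illustration.
# Only prints the commands; review them, then pipe into sh as root to apply.
DEV="eth0"   # assumed LAN interface

# Constructed allowlist: "ip mac" per line, '#' starts a comment. The last
# line is deliberately malformed to show that it is rejected, not installed.
ALLOWLIST='# host        mac
192.0.2.10    00:11:22:33:44:55
192.0.2.11    66:77:88:99:aa:bb
192.0.2.12    not-a-mac
'

# Constructed dump of `ip neigh show dev eth0` before the change.
CURRENT_TABLE='192.0.2.5 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.0.2.10 lladdr 00:11:22:33:44:55 STALE
192.0.2.99 FAILED
'

# Accept only a dotted quad and a colon-separated hex MAC, so a bad allowlist
# line can never become a malformed or unintended ip(8) invocation.
valid_pair() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' &&
  printf '%s\n' "$2" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

gen_static_arp() {
  # 1. As the post advises: set existing entries to noarp before the flush
  #    so none are left half-updated. Entries without a link-layer address
  #    (FAILED/INCOMPLETE) have nothing to pin and are skipped.
  printf '%s\n' "$CURRENT_TABLE" | while read -r ip kw mac _rest; do
    [ "$kw" = "lladdr" ] || continue
    printf 'ip neigh change %s lladdr %s dev %s nud noarp\n' "$ip" "$mac" "$DEV"
  done
  # 2. Flush the table.
  printf 'ip neigh flush dev %s\n' "$DEV"
  # 3. One permanent entry per allowed host; only an administrator can remove
  #    it, and a host claiming that IP with another MAC will not be learned.
  printf '%s\n' "$ALLOWLIST" | sed 's/#.*//' | while read -r ip mac _rest; do
    [ -n "$ip" ] || continue
    if valid_pair "$ip" "$mac"; then
      printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' "$ip" "$mac" "$DEV"
    else
      printf 'echo "skipping malformed allowlist line: %s %s" >&2\n' "$ip" "$mac"
    fi
  done
}
```

`replace` is used instead of the post's `add` so that re-running the script does not fail on an entry that already exists.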