Re: Advanced Security Question

From: Abdullah Ramazanoglu (abdullah_at_ramazanoglu.tr)
Date: 08/13/04

  • Next message: Dale Dellutri: "Re: Advanced Security Question"
    Date: Fri, 13 Aug 2004 23:41:48 +0300
    
    

    Abdullah Ramazanoglu wrote:
    > Hammer wrote:

     --8<--

    > The trick is, how to implement an arp table (on server) so that it will
    > advertise its own mac address e.g. for an arp query of client
    > 192.168.100.100 and then use the real mac address of that client when it
    > comes to forward the processed packet: In the former case your server's
    > arp table should be associating 192.168.100.100 (destination client) with
    > its own mac address, but in the latter case the same arp table should be
    > associating 192.168.100.100 with the destination client's real mac
    > address. Unless you can find a solution to this, I guess this suggestion
    > of mine is no more than a fantasy.

    Eureka! (well, sort of :)
    It is the "-i" (interface) option to arp command. Use two NICs on the
    routing server, one to proxy-arp, associating client IP addresses with the
    mac address of this NIC, which will receive incoming traffic from clients.
    The other NIC is for outgoing traffic to clients, with arp table entries
    associating each client with their real mac addresses. If you use a 3rd
    NIC for internet / DMZ etc, then a single default route won't suffice, and
    you would also need to set up a static -network- route for the clients.

    Does "arp -i" provide for the same -client- IP address to appear twice in the
    arp table, based on different interfaces? I think it should. Worth a try.

    -- 
    Abdullah        | aramazan@ |
    Ramazanoglu     | myrealbox |
    ________________| D-O-T cöm |
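
The layout described in the post, as an added example that is not part of the original message: a dry-run script that prints the net-tools `arp` and `route` commands for each client (a published entry on the inbound NIC, a static entry with the real MAC on the outbound NIC) and changes no table. The interface names `eth0`/`eth1`, the netmask and the client list are assumptions; whether the kernel accepts both entries for one IP is the question the post leaves open.

```shell
#!/bin/sh
# Dry run: prints the commands for the two-NIC layout, changes nothing.
# Assumed (not from the post): interface names, netmask, the client list.
IN_IF=eth0                 # answers ARP for client IPs with its own MAC
OUT_IF=eth1                # sends to clients using their real MACs
CLIENT_NET=192.168.100.0
CLIENT_MASK=255.255.255.0

valid_ip() {
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

valid_mac() {
  h='[0-9A-Fa-f][0-9A-Fa-f]'
  case "$1" in $h:$h:$h:$h:$h:$h) return 0 ;; *) return 1 ;; esac
}

# Reads "IP MAC" lines on stdin; returns 1 if any line was rejected.
gen_cmds() {
  rc=0
  while read -r ip mac; do
    case "$ip" in ''|'#'*) continue ;; esac
    if ! valid_ip "$ip" || ! valid_mac "$mac"; then
      echo "rejected: $ip $mac" >&2; rc=1; continue
    fi
    # Inbound NIC: published (proxy) entry using that NIC's own MAC.
    echo "arp -i $IN_IF -Ds $ip $IN_IF pub"
    # Outbound NIC: static entry with the client's real MAC.
    echo "arp -i $OUT_IF -s $ip $mac"
  done
  # Needed when the default route points at a third NIC.
  echo "route add -net $CLIENT_NET netmask $CLIENT_MASK dev $OUT_IF"
  return $rc
}

# Constructed sample clients (MACs are made up).
gen_cmds <<'EOF'
192.168.100.100 00:16:3e:00:00:64
192.168.100.101 00:16:3e:00:00:65
EOF
```

Review the printed commands, then run them as root on the routing server; `arp -n` afterwards shows which entries the kernel kept for each interface.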
    
