Post by Genera » Sun, 12 Aug 2001 05:22:31

Hello all,

First Q: paranoid little me has a habit of wanting to lock default gateway hw
address (MAC) in my arp cache. So I run arp -s to create a static entry to
my default gateway. Should last until next boot but that's OK since who has
to boot a unix? ;-P

And here is the problem: after a while (I've not really noticed this until
recently), 'PERM' goes away and I have another MAC address to the default
gateway in my arp cache. I've also seen arpwatch (run in foreground) log
that the default gateway had changed IP (since last run).

My problem is that I do *not* want *anything* to be able to update the
static entry in the cache for security reasons. I'm on a cable modem and my
Linux RH 7.x acts as firewall. I have experienced promiscuous ARP replies
(as broadcasts) and don't want anyone/-thing to be able to manipulate me in
any way. I told you I'm paranoid! ;-D If the default gateway changes MAC,
*I* want to update my cache! And I doubt that there are two MACs servicing
the same IP in my case.

Forcing down a new hw address to the default gateway is half the way to
steal my traffic. At least it takes care of all my outbound traffic.

Now, I've looked at the source code in net/ipv4 and I can't see that an
arp_update should be able to overwrite static ATF_PERM entries in the cache,
but for some reason something like this happens. Neither should the
arp_force_expire be able to remove the static entry since: a) I rarely have
more than perhaps four or five entries in the cache and b) it is a static
(ATF_PERM) entry and I somehow doubt that the entry lookup fails and causes
a secondary (dup) entry (and somehow cleans up the old static entry).

Mind you, the code I've been looking at is Linux, not RH!

I can't find anything (obvious) in ip_input or other routines that should
cause this! Please tell me I'm seeing things that don't exist and that the
logic works and I'm protected!

Second Q is: can I protect myself in other ways from arp cache
manipulations? Basically, I don't want the cache to be updated unless I've
sent a query first! ipchains doesn't help with this but I'd love to make
modifications to arp.c but that's not really the way it should be solved, is
it? ;-D

Per a.k.a. The Paranoid Icekube
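A defender's check for the situation the post describes: read the kernel's ARP table from /proc/net/arp, confirm the default gateway's entry still carries the ATF_PERM flag set by `arp -s`, and confirm its MAC still matches the one you pinned. This is an added example, not code from the post or from the kernel; the gateway address, the pinned MAC and the sample table are constructed for illustration.

```python
"""Verify that the default gateway's ARP entry is still static (ATF_PERM)
and still holds the MAC we pinned with `arp -s`.

Flag values follow the Linux ARP table (flags column is hex):
ATF_COM = 0x02 (entry complete), ATF_PERM = 0x04 (static entry)."""
ATF_COM = 0x02
ATF_PERM = 0x04

# Constructed sample of /proc/net/arp: the gateway 192.168.0.1 has lost
# its PERM flag (0x6 -> 0x2) and now points at a MAC we did not pin.
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         00:50:56:aa:bb:cc     *        eth0
192.168.0.23     0x1         0x2         00:0c:29:11:22:33     *        eth0
192.168.0.99     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

def parse_proc_net_arp(text):
    """Return {ip: (flags, mac, device)} from /proc/net/arp-style text."""
    entries = {}
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 6:
            continue                            # blank or malformed line
        ip, _hwtype, flags, mac, _mask, dev = fields[:6]
        entries[ip] = (int(flags, 16), mac.lower(), dev)
    return entries

def check_gateway(entries, gateway_ip, pinned_mac):
    """Return a list of findings; an empty list means the pinned entry is intact."""
    entry = entries.get(gateway_ip)
    if entry is None:
        return ["gateway %s missing from ARP cache" % gateway_ip]
    flags, mac, dev = entry
    findings = []
    if not flags & ATF_PERM:
        findings.append("gateway %s on %s is no longer static (flags=0x%x)"
                        % (gateway_ip, dev, flags))
    if mac != pinned_mac.lower():
        findings.append("gateway %s MAC changed: pinned %s, cache has %s"
                        % (gateway_ip, pinned_mac.lower(), mac))
    return findings

def check_live(gateway_ip, pinned_mac, path="/proc/net/arp"):
    """Run the check against the running system's ARP table."""
    with open(path) as fh:
        return check_gateway(parse_proc_net_arp(fh.read()), gateway_ip, pinned_mac)

if __name__ == "__main__":
    for finding in check_gateway(parse_proc_net_arp(SAMPLE_ARP_TABLE),
                                 "192.168.0.1", "00:50:56:dd:ee:ff"):
        print("ALERT:", finding)
```

Run it from cron or a loop and log the findings; a MAC change or a lost PERM flag on the gateway is exactly the event arpwatch was reporting in the post.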



1. arp -a shows only one address, what version of arp?

As the subject says, when i arp -a i get only one address, when i
cat /proc/net/arp there are lots of addresses.
Isn't arp getting its info from there? do i have to upgrade my arp?
I don't know my current version of arp, but what version of arp should i get?
Kernel version is 1.2.9 (recently upgraded :-)

Gr. Jeroen
