Firewall Wizards mailing list archives

RE: Static ARP firewall advice


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Mon, 12 Apr 2004 10:12:25 -0400

I'm not sure why you'd want a packet filter to manage your ARP table,
but I think you can get what you want.

For static ARP tables, you can use `arp -s [ip addr] [mac addr] perm pub`
(Using 'pub' allows pf to proxy ARP for that address.)

You can also use bridge and brconfig to filter by MAC address.  You need
to create a bridge from one interface to the other:

echo "add ne0 add ne1 up" > /etc/bridgename.bridge0

Then create a rule file for brconfig to use.  They can be in conjunction
with pf rules on the same box:

pass out on ne1 src 00:4f:4e:00:1c:32


If you want the ability to replace source IP address with source MAC
address, you'll probably need to look at iptables.  If I'm not mistaken,
MAC filtering support is a kernel compile-time option, but it is there.

PaulM
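As an added example (not from Paul's post or any OpenBSD tool), a POSIX shell script that generates the `arp -s ... perm pub` commands and a brconfig rule file from a constructed IP/MAC inventory, and audits a captured `arp -an` table against that inventory so a poisoned or non-permanent entry stands out. Interface names and addresses are placeholders, and the `arp -an` line layout it parses is an assumption.

```sh
# Constructed inventory (placeholder addresses): "ip mac", one pair per line.
INVENTORY='10.0.0.1 00:4f:4e:00:1c:32
10.0.0.2 00:4f:4e:00:1c:33'

# True if $1 is six colon-separated hex octets (lowercase expected).
valid_mac() {
    echo "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print one arp(8) command per host that pins it as a permanent, published
# entry. Nothing is executed here; feed the output to sh as root on the box.
gen_arp_cmds() {
    echo "$INVENTORY" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        valid_mac "$mac" || { echo "bad MAC for $ip: $mac" >&2; return 1; }
        echo "arp -s $ip $mac perm pub"
    done
}

# Print brconfig(8) rules for interface $1: pass frames sourced from
# inventory MACs, then block everything else (default-deny).
gen_bridge_rules() {
    echo "$INVENTORY" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        echo "pass out on $1 src $mac"
    done
    echo "block out on $1"
}

# Audit a captured `arp -an` table ($1) against the inventory: report hosts
# that are missing, carry an unexpected MAC, or are not marked permanent.
# Assumes "? (IP) at MAC on IFACE ..." lines; adjust $4 if arp(8) differs.
check_arp_table() {
    table="$1"
    echo "$INVENTORY" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        line=$(echo "$table" | grep -F "($ip) ")
        if [ -z "$line" ]; then
            echo "MISSING $ip"
            continue
        fi
        seen=$(echo "$line" | awk '{print $4}')
        if [ "$seen" != "$mac" ]; then
            echo "MISMATCH $ip expected $mac saw $seen"
        else
            case "$line" in *permanent*) ;; *) echo "NOT-PERMANENT $ip" ;; esac
        fi
    done
}
```

Run `check_arp_table "$(arp -an)"` from cron to catch an entry that drifted from the pinned MAC; an empty report means the table matches the inventory.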


-----Original Message-----
To summarize: is there an easy way to maintain static ARP entries using
pf on OBSD 3.2? While the current firewall is OBSD, I am not married
to this configuration - if there is an open source firewall product
that will allow me to accomplish this easier, then I will recommend
that to the admin.

Thanks in advance for your time.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
