Strange behavior with arp permanent entries
Vladimir Kapustin
msgs_for_me at mail.ru
Wed Feb 14 15:22:54 UTC 2007
>Hello, Guys!
>
>I'm trying to restrict some LAN access by ARP permanent entries. But it
>didn't work, or it didn't work the way I understood it should. For example I
>have the following permanent entries:
>
>user1: (82.199.215.195) at 00:0f:ea:a4:60:c5 on vlan804 permanent [vlan]
>user2: (82.199.215.196) at 00:13:8f:b1:68:4b on vlan804 permanent [vlan]
>
>
>And from what I understand, if user1 attempts to use user2's IP address,
>the router should block all packets coming from the wrong physical
>address. But actually that doesn't happen, and user1 can use user2's IP
>address without any problems.
>
>Maybe some of you will advise me to use ipfw arp rules, but when I turn
>net.link.ether.ipfw on I get very low performance from the router.
>We're talking about 800 Mbps and 600k packets per second, and many users,
>which means many ipfw arp rules.
>
>System1 info:
>FreeBSD 6.2-RELEASE
>Intel(R) Xeon(R) CPU 5130 @ 2.00GHz
>1G ram
>
>System2 info:
>
>......................................
man arp:
...................
     -s hostname ether_addr
             Create an ARP entry for the host called hostname with the Ethernet
             address ether_addr. The Ethernet address is given as six hex bytes
             separated by colons. The entry will be permanent unless the word
             temp is given in the command. If the word pub is given, the entry
             will be ``published''; i.e., this system will act as an ARP server,
             responding to requests for hostname even though the host address is
             not its own. In this case the ether_addr can be given as auto in
             which case the interfaces on this host will be examined, and if one
             of them is found to occupy the same subnet, its Ethernet address
             will be used. If the only keyword is also specified, this will
             create a ``published (proxy only)'' entry. This type of entry is
             created automatically if arp detects that a routing table entry for
             hostname already exists.
     -S hostname ether_addr
             Is just like -s except any existing ARP entry for this host will be
             deleted first.
.......................
I have:
root@router1# arp -a | wc -l
927
root@router1# arp -a | less
? (10.3.13.5) at 00:e0:4d:01:cb:09 on vlan313 permanent published [vlan]
? (10.3.13.7) at 00:0d:61:1c:b0:b6 on vlan313 permanent published [vlan]
? (10.3.13.14) at 00:11:d8:e8:db:0a on vlan313 permanent published [vlan]
.........................
with the rules:
arp -S IP mac pub
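A permanent ARP entry only fixes which MAC the router itself resolves an IP to; it does not filter inbound frames whose source IP and MAC disagree with the table, so that check has to happen elsewhere (for example in ipfw layer-2 rules, as mentioned above). As an added example, not code from the thread, here is a Python audit script that parses `arp -a` output in the format shown above and reports bindings that differ from an expected IP-to-MAC policy, are dynamic rather than permanent, or are missing; the sample lines and the policy are constructed, and the addresses not quoted in the thread are hypothetical.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Matches the FreeBSD "arp -a" line format quoted in the thread, e.g.
#   user1: (82.199.215.195) at 00:0f:ea:a4:60:c5 on vlan804 permanent [vlan]
# Unresolved entries ("at (incomplete)") are matched too so they can be reported.
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}|\(incomplete\))"
    r" on (?P<ifname>\S+)(?P<rest>.*)$",
    re.IGNORECASE)

ArpEntry = NamedTuple("ArpEntry", [("ip", str), ("mac", str), ("ifname", str),
                                   ("permanent", bool), ("published", bool)])

def parse_arp(output: str) -> List[ArpEntry]:
    """Parse `arp -a` output; lines that do not match the format are skipped."""
    entries = []
    for line in output.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            flags = m.group("rest").split()   # e.g. ["permanent", "published", "[vlan]"]
            entries.append(ArpEntry(m.group("ip"), m.group("mac").lower(), m.group("ifname"),
                                    "permanent" in flags, "published" in flags))
    return entries

def audit(entries: List[ArpEntry], expected: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare the table against an ip -> mac policy; return (ip, problem) pairs."""
    problems, seen = [], set()
    for e in entries:
        seen.add(e.ip)
        want = expected.get(e.ip)
        if want is None:
            continue  # IP not covered by the policy
        if e.mac != want.lower():
            problems.append((e.ip, f"mac {e.mac} != expected {want.lower()}"))
        elif not e.permanent:
            problems.append((e.ip, "binding is dynamic, not permanent"))
    problems += [(ip, "no ARP entry") for ip in expected if ip not in seen]
    return problems

# Constructed sample in the thread's format; .197/.198 and 00:aa:... are hypothetical.
SAMPLE = """\
? (10.3.13.5) at 00:e0:4d:01:cb:09 on vlan313 permanent published [vlan]
? (10.3.13.7) at 00:0d:61:1c:b0:b6 on vlan313 [vlan]
user1: (82.199.215.195) at 00:0f:ea:a4:60:c5 on vlan804 permanent [vlan]
user2: (82.199.215.196) at 00:0f:ea:a4:60:c5 on vlan804 [vlan]
? (82.199.215.197) at (incomplete) on vlan804 [vlan]
"""
EXPECTED = {"10.3.13.5": "00:e0:4d:01:cb:09", "10.3.13.7": "00:0d:61:1c:b0:b6",
            "82.199.215.195": "00:0f:ea:a4:60:c5", "82.199.215.196": "00:13:8f:b1:68:4b",
            "82.199.215.197": "00:13:8f:b1:68:4c", "82.199.215.198": "00:aa:bb:cc:dd:ee"}
```

Running `audit(parse_arp(SAMPLE), EXPECTED)` on the sample flags the dynamic 10.3.13.7 entry, the user2 address answered by user1's MAC, the unresolved .197 entry and the missing .198 entry.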