Subject: rc.d script for adding static ARP entries
To: tech-security@netbsd.org, tech-pkg@netbsd.org
From: Geert Hendrickx <geert.hendrickx@ua.ac.be>
List: tech-security
Date: 06/27/2005 22:39:01
I have created an rc.d script for adding static ARP entries to the kernel
ARP table at boot time, to help prevent ARP based sniffing and
man-in-the-middle attacks.
The user can gather a list of the hardware address (MAC address) of some or
all nodes in the subnet, and list them in the file /etc/ethers. These ARP
entries will then _statically_ be added to the kernel ARP table, so no
attacker can externally modify them. The format of this file is very easy:
hostname ether_addr
e.g.:
192.16.1.20 00:12:bf:02:b4:ff
See arp(8) for details.
To tech-pkg:
Since other UNIXen (I checked Linux and Solaris) also have "arp -f", with
the same file format, it may be interesting to also create a pkgsrc package
for this script?
GH
--
:wq
Attachment: arptable
#!/bin/sh
#
# $NetBSD$
#
# PROVIDE: arptable
# BEFORE: NETWORKING

. /etc/rc.subr

name="arptable"
rcvar="arptable"
command="/usr/sbin/arp"
conf_file="/etc/ethers"
# rc.subr refuses to start the service when the table file is missing
required_files="${conf_file}"
# arp -f reads "hostname ether_addr" lines and installs them as permanent
# entries (see arp(8) for the optional temp/pub keywords)
command_args="-f ${conf_file}"
# static entries stay in the kernel table; nothing to undo on stop
stop_cmd=":"

load_rc_config $name
run_rc_command "$1"
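As an added example (not part of the mail or the attached script), a POSIX sh checker that validates an /etc/ethers file before arp -f consumes it and then compares the pinned entries with a saved "arp -an" snapshot, reporting a pinned host whose kernel entry is missing, not static, or resolves to another MAC. The arp -an line layout, the sample hosts and the function names are assumptions.

```shell
# Added example, not from the mail: sanity-check /etc/ethers, then diff it
# against the live ARP table. Assumes the BSD-style "arp -an" line layout:
#   ? (192.168.1.1) at 00:12:bf:02:b4:ff on wm0 permanent
# validate_ethers FILE: print one line per malformed entry; exit status = count
validate_ethers() {
    awk '
        BEGIN { h = "[0-9a-fA-F][0-9a-fA-F]?"; mac = "^" h ":" h ":" h ":" h ":" h ":" h "$" }
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        NF != 2 { printf "line %d: expected \"host ether_addr\"\n", NR; bad++; next }
        $2 !~ mac { printf "line %d: bad ethernet address %s\n", NR, $2; bad++; next }
        ($1 in seen) && seen[$1] != tolower($2) {
            printf "line %d: %s already pinned to %s\n", NR, $1, seen[$1]; bad++; next }
        { seen[$1] = tolower($2) }
        END { exit bad }
    ' "$1"
}
# check_arp_table ETHERS ARP_OUTPUT: report pinned hosts whose kernel entry is
# missing, not permanent, or carries another MAC (what a poisoned cache looks like)
check_arp_table() {
    awk '
        NR == FNR { if ($0 !~ /^[ \t]*(#|$)/ && NF == 2) want[$1] = tolower($2); next }
        {
            ip = $2; gsub(/[()]/, "", ip); mac = tolower($4)
            if (!(ip in want)) next; got[ip] = 1   # unpinned hosts are not compared
            if (mac != want[ip]) { printf "%s: kernel has %s, pinned %s\n", ip, mac, want[ip]; n++ }
            else if ($0 !~ /permanent/) { printf "%s: right MAC but entry is not static\n", ip; n++ }
        }
        END { for (ip in want) if (!(ip in got)) { printf "%s: no kernel entry\n", ip; n++ }
              exit n }
    ' "$1" "$2"
}
# Constructed sample data (fictional hosts); the trap removes the temp files on exit
ETHERS_SAMPLE=$(mktemp); ARP_SAMPLE=$(mktemp)
trap 'rm -f "$ETHERS_SAMPLE" "$ARP_SAMPLE"' EXIT
cat > "$ETHERS_SAMPLE" <<'EOF'
# host          ether_addr
192.168.1.1     00:12:bf:02:b4:ff
192.168.1.20    00:0c:29:aa:bb:cc
192.168.1.30    00:0c:29:dd:ee:ff
EOF
cat > "$ARP_SAMPLE" <<'EOF'
? (192.168.1.1) at 00:12:bf:02:b4:ff on wm0 permanent
? (192.168.1.20) at 00:de:ad:be:ef:01 on wm0
? (192.168.1.40) at 00:0c:29:11:22:33 on wm0
EOF
validate_ethers "$ETHERS_SAMPLE" && { check_arp_table "$ETHERS_SAMPLE" "$ARP_SAMPLE" || echo "$? pinned entries need attention"; }
```

On a real host replace the second file with the output of `arp -an`; a non-zero exit from either function is what a cron job or a monitoring check would alert on.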