Firewall Wizards mailing list archives
RE: Static ARP firewall advice
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Mon, 12 Apr 2004 10:12:25 -0400
I'm not sure why you'd want a packet filter to manage your ARP table, but I think you can get what you want. For static ARP tables, you can use

`arp -s [ip addr] [mac addr] perm pub`

(Using 'pub' allows pf to proxy ARP for that address.)

You can also use bridge and brconfig to filter by MAC address. You need to create a bridge from one interface to the other:

`echo "add ne0 add ne1 up" > /etc/bridgename.bridge0`

Then create a rule file for brconfig to use. They can be used in conjunction with pf rules on the same box:

`pass out on ne1 src 00:4f:4e:00:1c:32`

If you want the ability to replace source IP address with source MAC address, you'll probably need to look at iptables. If I'm not mistaken, MAC filtering support is a kernel compile-time option, but it is there.

PaulM
-----Original Message-----

To summarize: is there an easy way to maintain static ARP entries using pf on OBSD 3.2? While the current firewall is OBSD, I am not married to this configuration - if there is an open source firewall product that will allow me to accomplish this easier, then I will recommend that to the admin.

Thanks in advance for your time.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
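
Added example, not part of the original message or of any project it mentions: a POSIX shell sketch that turns one reviewed IP/MAC inventory into both forms quoted in the reply above (the `arp -s` line and the bridge `pass out on ... src` rule), rejecting malformed or conflicting entries before anything reaches the firewall. The inventory format, the sample addresses and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: prints commands and rules for review; applies nothing.

# Constructed sample inventory: "ip mac" per line, '#' starts a comment.
SAMPLE_INVENTORY='# constructed sample data
192.0.2.10 00:4f:4e:00:1c:32
192.0.2.11 00:4F:4E:00:1C:33
192.0.2.300 00:4f:4e:00:1c:34
192.0.2.12 00:4f:4e:00:1c
192.0.2.10 00:4f:4e:00:1c:99
'

# Flags exactly as quoted in the message; check them against your arp(8).
ARP_FLAGS='perm pub'

valid_ip() {   # four dot-separated decimal octets, each 0-255
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
            if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }'
}

valid_mac() {  # six colon-separated hex octets
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# render MODE [IFNAME]: inventory on stdin, output on stdout, rejects on stderr.
# MODE is "arp" or "bridge"; IFNAME is the bridge member the rule applies to.
render() {
    mode=$1 ifname=$2 seen=' '
    while read -r ip mac rest; do
        case $ip in ''|'#'*) continue ;; esac
        if [ -n "$rest" ] || ! valid_ip "$ip" || ! valid_mac "$mac"; then
            echo "rejected (malformed): $ip $mac $rest" >&2; continue
        fi
        case $seen in *" $ip "*)   # a second MAC for one IP is an inventory error
            echo "rejected (duplicate IP): $ip $mac" >&2; continue ;;
        esac
        seen="$seen$ip "
        mac=$(printf '%s\n' "$mac" | tr 'A-F' 'a-f')
        case $mode in
            arp)    echo "arp -s $ip $mac $ARP_FLAGS" ;;
            bridge) echo "pass out on $ifname src $mac" ;;
        esac
    done
}

printf '%s' "$SAMPLE_INVENTORY" | render arp
printf '%s' "$SAMPLE_INVENTORY" | render bridge ne1
```

Keeping both outputs generated from the same file means the static ARP entries and the bridge MAC rules cannot drift apart, and the rejects on stderr show which inventory lines need fixing.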