 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Static arp table.
 Date:  Mon, 8 Sep 2008 19:37:27 -0400
On Mon, Sep 8, 2008 at 6:16 PM, Mohammed <m dot ismael at gmail dot com> wrote:
> When you install m0n0wall on a LAN where you don't have access to the PCs
> and you cannot limit software installation on these computers,
> you need the ability to have a static ARP table on the m0n0wall.

Not really. The fact that you don't have access to the PCs isn't all
that relevant to having static ARP on the firewall. Sure you can't
control what people are going to run, but this is of very minimal
value and is a major headache to maintain.

If someone wants to ARP poison that network, this won't stop anyone
from poisoning the client PCs, and you aren't going to be able to
maintain static ARP on every PC. Hence you can't truly deploy static
ARP, and given the effort required for a partial, ineffective solution
it just isn't worth it.

You can do as David suggested, or load from a file as described in the
ARP man page.
http://www.freebsd.org/cgi/man.cgi?query=arp&apropos=0&sektion=0&manpath=FreeBSD+4.11-RELEASE&format=html

But the only way to get that file onto m0n0wall is to create your own
image containing the file. The only way to change that file that will
persist across reboots is to modify an image and use the firmware
update to load it, which requires a reboot.

The proper way to protect against ARP poisoning is with controls on
your switches preventing it from occurring. Static ARP is impractical
and ineffective in this circumstance (and most others for that
matter).

-Chris
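As an added example (not from Chris's message or from m0n0wall itself), a small Python check that parses a static ARP file in the arp(8) `-f` format linked above ("hostname ether_addr [temp] [pub]") and compares it with observed IP-to-MAC pairs. The sample file and observations are constructed; the output shows both static entries contradicted by traffic and, more to Chris's point, hosts the static table does not cover at all.

```python
import re
from collections import defaultdict

# Constructed arp(8) -f file: "hostname ether_addr [temp] [pub]" per line.
# Hostnames are written as IPv4 addresses so nothing needs DNS resolution.
STATIC_ARP_FILE = """
# gateway and servers pinned on the firewall
192.168.1.1   00:11:22:33:44:01
192.168.1.10  0:11:22:33:44:a temp
192.168.1.11  00:11:22:33:44:0b pub
"""

# Constructed observations, as if harvested from ARP replies seen on the LAN.
OBSERVED = [
    ("192.168.1.1", "00:11:22:33:44:01"),
    ("192.168.1.10", "00:11:22:33:44:0a"),
    ("192.168.1.1", "de:ad:be:ef:00:01"),   # gateway IP claimed by a second MAC
    ("192.168.1.50", "00:11:22:33:44:32"),  # client PC, absent from the static table
    ("192.168.1.50", "de:ad:be:ef:00:02"),  # same client IP, different MAC
]

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac):
    """Lower-case and zero-pad octets, since arp(8) prints '0:11:...' for '00:11:...'."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def parse_static_arp(text):
    """Parse arp -f lines into {host: mac}; blank lines and '#' comments are skipped."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 2 or not set(fields[2:]) <= {"temp", "pub"}:
            raise ValueError("line %d: expected 'hostname ether_addr [temp] [pub]'" % lineno)
        mac = normalize_mac(fields[1])
        if not MAC_RE.match(mac):
            raise ValueError("line %d: bad MAC %r" % (lineno, fields[1]))
        table[fields[0]] = mac
    return table


def audit(static, observed):
    """Return (conflicts, uncovered): static entries contradicted by traffic, and
    IPs seen with more than one MAC that no static entry protects."""
    seen = defaultdict(set)
    for ip, mac in observed:
        seen[ip].add(normalize_mac(mac))
    conflicts = sorted((ip, mac) for ip, macs in seen.items() if ip in static
                       for mac in macs if mac != static[ip])
    uncovered = sorted(ip for ip, macs in seen.items()
                       if ip not in static and len(macs) > 1)
    return conflicts, uncovered
```

Run against the constructed data, the gateway shows up as a conflict and 192.168.1.50 as uncovered: the firewall's own entry is pinned, but nothing about that file protects the client PCs that actually get poisoned.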