On Mon, Sep 8, 2008 at 6:16 PM, Mohammed <m dot ismael at gmail dot com> wrote:
> When you install m0n0wall on a LAN where you don't have access to the PCs
> and you cannot limit software installation on these computers,
> you need the ability to have a static ARP table on the m0n0wall.

Not really. The fact that you don't have access to the PCs isn't all that relevant to having static ARP on the firewall. Sure, you can't control what people are going to run, but this is of very minimal value and is a major headache to maintain. If someone wants to ARP poison that network, this won't stop anyone from poisoning the client PCs, and you aren't going to be able to maintain static ARP on every PC. Hence you can't truly deploy static ARP, and given the effort required for a partial, ineffective solution, it just isn't worth it.

You can do as David suggested, or load from a file as described in the ARP man page:
http://www.freebsd.org/cgi/man.cgi?query=arp&apropos=0&sektion=0&manpath=FreeBSD+4.11-RELEASE&format=html

But the only way to get that file onto m0n0wall is to create your own image containing the file. The only way to change that file that will persist across reboots is to modify an image and use the firmware update to load it, which requires a reboot.

The proper way to protect against ARP poisoning is with controls on your switches preventing it from occurring. Static ARP is impractical and ineffective in this circumstance (and most others, for that matter).

-Chris
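As an added illustration of the "load from a file" route Chris points at (this is not code from the thread, m0n0wall, or FreeBSD), the script below builds a file in the format arp(8) accepts with `-f`: one entry per line, `hostname ether_addr [temp] [pub]`, the same arguments `arp -s` takes. The host list is constructed sample data, and the IP/MAC validation is a hypothetical pre-check so a typo does not silently leave a host without a permanent entry. Loading it with `arp -f` needs root on the box itself, which on m0n0wall still runs into the persistence problem described above.

```shell
#!/bin/sh
# Added example, not from the original thread. Constructed sample input:
# "ip mac" per line; the third entry is deliberately malformed.
SAMPLE_HOSTS='192.168.1.10 00:11:22:33:44:55
192.168.1.11 00:11:22:33:44:56
192.168.1.12 zz:11:22:33:44:57'

# validate_mac MAC: succeeds only for six colon-separated hex octets.
validate_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# validate_ip IP: succeeds for dotted-quad form (no range check on octets).
validate_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# build_arp_file: reads "ip mac" lines on stdin and prints arp -f lines
# ("hostname ether_addr") on stdout. Malformed entries are reported on
# stderr and skipped; the return status is 1 if anything was rejected.
build_arp_file() {
    rc=0
    while read -r ip mac _; do
        [ -z "$ip" ] && continue
        if validate_ip "$ip" && validate_mac "$mac"; then
            printf '%s %s\n' "$ip" "$mac"
        else
            printf 'rejected: %s %s\n' "$ip" "$mac" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage on a FreeBSD host (requires root); the file path is hypothetical:
#   printf '%s\n' "$SAMPLE_HOSTS" | build_arp_file > /tmp/static-arp.conf
#   arp -f /tmp/static-arp.conf
#   arp -an | grep permanent     # entries loaded this way show as permanent
```

The check only covers syntax; it cannot tell you whether the MAC you typed is the machine you think it is, and nothing in the ARP file protects the client PCs, which is the point Chris makes above.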