Hello Lukas,
It looks like '-F' can be helpful if you do not have many hosts to ignore.
Since '-F' is part of the command line, you need to include each host in
the command line, which does not look so accurate. Theoretically you can hit
the command line length limit, and if you need to update the blacklist you need
to change /etc/defaults/arpwatch each time.
My implementation of the blacklist reads host addresses from a file; here is how
it looks:
zabbix-proxy:~$ ps -A -o start_time,start,cmd|grep arpwatch
03:27 03:27:56 grep arpwatch
2017 Apr 03 /usr/sbin/arpwatch -i eth2 -f eth2.dat -B
/etc/arpwatch.blacklist -u arpwatch -N -p
2017 Apr 03 /usr/sbin/arpwatch -i eth0 -f eth0.dat -B
/etc/arpwatch.blacklist -u arpwatch -N -p
zabbix-proxy:~$ wc -c /etc/arpwatch.blacklist
2726 /etc/arpwatch.blacklist
zabbix-proxy:~$ wc -l /etc/arpwatch.blacklist
227 /etc/arpwatch.blacklist
Thank you for your help, I will try to open a wishlist bug.
On 22/02/2019 02:38, Lukas Schwaighofer wrote:
Hi Ivan,
thanks for reaching out and working on improving arpwatch!
On Wed, 20 Feb 2019 13:38:38 +0300
Ivan <[email protected]> wrote:
I have a patch for arpwatch (it was done for arpwatch-2.1a15 2 years
ago). That patch adds functionality to specify a blacklist of IP
addresses. An option similar to -z was added, but for a list of /32
addresses.
I asked Axel Beckert <[email protected]> how I can add a patch for
arpwatch, but he hasn't responded, so how can I contribute it?
Unfortunately arpwatch is no longer under active development. Since
you've reached out to me (and Axel), I assume you're interested in
adding your patch specifically to the arpwatch package in Debian. I'm
maintaining the package as part of the Debian Security Tools packaging
team (I've added our list to CC).
Based on your message, I believe what you're trying to achieve
(blocking a list of IP addresses) can be done with the `-F` option that
is present since Debian version 2.1a15-4. `-F` allows setting a pcap
filter, which is a pretty versatile way of hiding certain packages from
arpwatch altogether. Please check if you can use `-F` instead of
adding a patch.
If you cannot use `-F`, the correct procedure is to open a wishlist bug
against the arpwatch package. You can attach your patch to that bug.
Thanks & regards
Lukas
PS: I'm traveling over the weekend, so my responses may be a bit
delayed.
Ivan
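
Added example, not part of the original thread and not Ivan's patch: a shell sketch that turns a blacklist file into a single pcap filter expression for the `-F` option discussed above, and reports its length next to the system's argument limit. The file format (one IPv4 address per line, `#` comments allowed), the function name `build_filter` and the sample addresses are assumptions made for illustration.

```sh
#!/bin/sh
# Build a pcap filter that hides blacklisted hosts from arpwatch.
# Assumed file format: one IPv4 address per line; '#' comments and blank lines allowed.

build_filter() {
    # $1: blacklist file. Prints "not (host A or host B ...)" on stdout.
    # Returns non-zero, printing nothing on stdout, if any entry is not valid IPv4.
    awk '
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }      # strip comments and whitespace
        $0 == "" { next }
        {
            n = split($0, o, ".")
            ok = (n == 4)
            for (i = 1; ok && i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
            if (!ok) {
                printf("line %d: not an IPv4 address: %s\n", NR, $0) > "/dev/stderr"
                bad = 1
                next
            }
            # skip duplicates so the expression stays as short as possible
            if (!seen[$0]++) expr = expr (expr == "" ? "" : " or ") "host " $0
        }
        END {
            if (bad) exit 1                           # refuse to emit a partial filter
            if (expr != "") print "not (" expr ")"
        }
    ' "$1"
}

# Demo on a constructed sample (documentation addresses, not real hosts).
sample=$(mktemp)
printf '%s\n' '# constructed sample blacklist' '192.0.2.10' \
    '192.0.2.11  # printer' '' '192.0.2.10' > "$sample"
filter=$(build_filter "$sample")
rm -f "$sample"
echo "filter: $filter"
echo "length: ${#filter} bytes (ARG_MAX: $(getconf ARG_MAX 2>/dev/null || echo unknown))"
# The result would then be passed as a single argument, e.g.:
#   arpwatch -i eth0 -F "$filter"
```

A malformed entry makes the function fail instead of emitting a shorter filter, so a typo in the file cannot silently widen or narrow what arpwatch ignores.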