Re: Proxy ARP, but network interface specific

2012-01-23 Thread Gerlach, Hendrik
Hi Stuart,

> To disable proxy ARP per-interface, I think it would need to be
> exported from the kernel via an ioctl and then exposed by an ifconfig
> option (as is done with the option to disable ARP entirely per-interface).

Yes, of course. This would be the easier task, I think. The harder tasks are the
changes in the kernel's routing/ARP code (where to distinguish when to answer an
ARP request and when not).


> Another option is to have a daemon connect to the network via BPF and
> answering ARP requests for you. This avoids the need for kernel changes.
> One such daemon is "choparp".

Very nice hint. At first sight it seems that choparp would be one possible
solution for my problem. I will have a closer look at it.

Thanks a lot,
Hendrik


-Original Message-
From: Stuart Henderson [mailto:s...@spacehopper.org]
Sent: Montag, 23. Januar 2012 18:37
To: Gerlach, Hendrik
Cc: tech@openbsd.org
Subject: Re: Proxy ARP, but network interface specific

On 2012/01/23 17:42, Gerlach, Hendrik wrote:
> I know the man page, but this doesn't help me. Normally proxy ARP is used at a
> router. But we have the need to use it at a transparent firewall.

Typically on OpenBSD (and I think all BSDs) transparent firewalls have
been implemented by bridging rather than arp proxy. But I think this
method is not quite what you want.

To do what you're asking for, yes I think code changes are necessary.
Best starting point in the kernel is probably /sys/netinet/if_ether.c.

> > In contrast to Linux it seems to be impossible in OpenBSD to add
> > proxy ARP entries only for a specific network interface (missing
> > option for the arp command) or to disable proxy ARP entirely for some
> > interfaces (sysctl or ifconfig option).

This is the usual behaviour for BSD-derived OSes.

To disable proxy ARP per-interface, I think it would need to be
exported from the kernel via an ioctl and then exposed by an ifconfig
option (as is done with the option to disable ARP entirely per-interface).

Another option is to have a daemon connect to the network via BPF and
answering ARP requests for you. This avoids the need for kernel changes.
One such daemon is "choparp".



Re: Proxy ARP, but network interface specific

2012-01-23 Thread Stuart Henderson
On 2012/01/23 17:42, Gerlach, Hendrik wrote:
> I know the man page, but this doesn't help me. Normally proxy ARP is used at a
> router. But we have the need to use it at a transparent firewall.

Typically on OpenBSD (and I think all BSDs) transparent firewalls have
been implemented by bridging rather than arp proxy. But I think this
method is not quite what you want.

To do what you're asking for, yes I think code changes are necessary.
Best starting point in the kernel is probably /sys/netinet/if_ether.c.

> > In contrast to Linux it seems to be impossible in OpenBSD to add
> > proxy ARP entries only for a specific network interface (missing
> > option for the arp command) or to disable proxy ARP entirely for some
> > interfaces (sysctl or ifconfig option).

This is the usual behaviour for BSD-derived OSes.

To disable proxy ARP per-interface, I think it would need to be
exported from the kernel via an ioctl and then exposed by an ifconfig
option (as is done with the option to disable ARP entirely per-interface).

Another option is to have a daemon connect to the network via BPF and
answering ARP requests for you. This avoids the need for kernel changes.
One such daemon is "choparp".



Re: Proxy ARP, but network interface specific - rdomains

2012-01-23 Thread Gerlach, Hendrik
Hi Alexey,

Thank you for the 2 hints.

I have to think about how vether can help in my case.

Using routing domains is a solution that would be more obvious to me. But so
far we decided not to use routing domains at all (we are at OBSD 4.8). We
don't know how stable they are in all cases, and they would change our
firewall concept. Maybe we have to rethink this. Having the trusted
interface in 2 routing domains (as far as I know not possible) and having an
rdomain option for arp (doing the proxy ARP entry) could be a nice solution.

Another idea I had was to tag ARP response packets that come via proxy ARP
routing table entries, but how to do this easily? We have a self-made packet
filter for layer 2 packets, where we could check the tag at each interface.

Hendrik


-Original Message-
From: owner-t...@openbsd.org [mailto:owner-t...@openbsd.org] On Behalf Of
Alexey E. Suslikov
Sent: Montag, 23. Januar 2012 16:58
To: tech@openbsd.org
Subject: Re: Proxy ARP, but network interface specific

Alexey E. Suslikov  gmail.com> writes:

> > So it seems that some code change is necessary. Are there any solutions,
> > hints, papers or ideas that could help us?
>
> You can try to cook something using vether(4) and bridge(4).

... or maybe using rdomain - man ifconfig(4)

Alexey



Re: Proxy ARP, but network interface specific

2012-01-23 Thread Gerlach, Hendrik
Hi Alexey,

Thank you for the 2 hints.

I have to think about how vether can help in my case.

Using routing domains is a solution that would be more obvious to me. But so
far we decided not to use routing domains at all (we are at OBSD 4.8). We
don't know how stable they are in all cases, and they would change our
firewall concept. Maybe we have to rethink this.

Another idea I had was to tag ARP response packets that come via proxy ARP
routing table entries, but how to do this easily? We have a self-made packet
filter for layer 2 packets, where we could check the tag at each interface.

Hendrik


-Original Message-
From: owner-t...@openbsd.org [mailto:owner-t...@openbsd.org] On Behalf Of
Alexey E. Suslikov
Sent: Montag, 23. Januar 2012 16:58
To: tech@openbsd.org
Subject: Re: Proxy ARP, but network interface specific

Alexey E. Suslikov  gmail.com> writes:

> > So it seems that some code change is necessary. Are there any solutions,
> > hints, papers or ideas that could help us?
>
> You can try to cook something using vether(4) and bridge(4).

... or maybe using rdomain - man ifconfig(4)

Alexey



Re: Proxy ARP, but network interface specific

2012-01-23 Thread Gerlach, Hendrik
Hi Gregory,

I know the man page, but this doesn't help me. Normally proxy ARP is used at a
router. But we have the need to use it at a transparent firewall.

And there the proxied ARP requests are answered to both sides of the firewall:
the internal, trusted side (as wanted), but also the external, untrusted side,
from where an attacker could do ARP scanning to uncover our proxy ARP entries.

Hendrik


-Original Message-
From: owner-t...@openbsd.org [mailto:owner-t...@openbsd.org] On Behalf Of
Gregory Edigarov
Sent: Montag, 23. Januar 2012 16:47
To: tech@openbsd.org
Subject: Re: Proxy ARP, but network interface specific

On Mon, 23 Jan 2012 12:11:26 +0100
"Gerlach, Hendrik"  wrote:

> Hi,
>
> we use OpenBSD in a transparent firewall configuration.
>
> For various reasons we have the need for proxy ARP at the
> firewall's internal network interface. To avoid information leakage
> (e.g. by ARP scanning) at the external interface it's necessary to
> allow proxy ARP only for the internal side and not at the external
> interface.

man 8 arp:

hostname ether_addr [temp | permanent] [pub]

The entry will be static (will not time out) unless the word temp
is given in the command.  A static ARP entry can be
overwritten by network traffic, unless the word permanent is given.  If
the word pub is given, the entry will be ``published''; that is, this
system will act as an ARP server, responding to requests
for hostname even though the host address is not its own.  This
behavior has traditionally been called proxy ARP.

> In contrast to Linux it seems to be impossible in OpenBSD to add
> proxy ARP entries only for a specific network interface (missing
> option for the arp command) or to disable proxy ARP entirely for some
> interfaces (sysctl or ifconfig option).
>
> So it seems that some code change is necessary. Are there any
> solutions, hints, papers or ideas that could help us?
>
>
> --
> Hendrik



Re: Proxy ARP, but network interface specific

2012-01-23 Thread Alexey E. Suslikov
Alexey E. Suslikov  gmail.com> writes:

> > So it seems that some code change is necessary. Are there any solutions,
> > hints, papers or ideas that could help us?
> 
> You can try to cook something using vether(4) and bridge(4).

... or maybe using rdomain - man ifconfig(4)

Alexey



Re: Proxy ARP, but network interface specific

2012-01-23 Thread Gregory Edigarov
On Mon, 23 Jan 2012 12:11:26 +0100
"Gerlach, Hendrik"  wrote:

> Hi,
> 
> we use OpenBSD in a transparent firewall configuration.
> 
> For various reasons we have the need for proxy ARP at the
> firewall's internal network interface. To avoid information leakage
> (e.g. by ARP scanning) at the external interface it's necessary to
> allow proxy ARP only for the internal side and not at the external
> interface.

man 8 arp:

hostname ether_addr [temp | permanent] [pub]

The entry will be static (will not time out) unless the word temp
is given in the command.  A static ARP entry can be
overwritten by network traffic, unless the word permanent is given.  If
the word pub is given, the entry will be ``published''; that is, this
system will act as an ARP server, responding to requests
for hostname even though the host address is not its own.  This
behavior has traditionally been called proxy ARP.

> In contrast to Linux it seems to be impossible in OpenBSD to add
> proxy ARP entries only for a specific network interface (missing
> option for the arp command) or to disable proxy ARP entirely for some
> interfaces (sysctl or ifconfig option).
>
> So it seems that some code change is necessary. Are there any
> solutions, hints, papers or ideas that could help us?
> 
> 
> --
> Hendrik



Re: Proxy ARP, but network interface specific

2012-01-23 Thread Alexey E. Suslikov
Gerlach, Hendrik  siemens.com> writes:

> In contrast to Linux it seems to be impossible in OpenBSD to add proxy ARP
> entries only for a specific network interface (missing option for the arp
> command) or to disable proxy ARP entirely for some interfaces (sysctl or
> ifconfig option).
>
> So it seems that some code change is necessary. Are there any solutions,
> hints, papers or ideas that could help us?

You can try to cook something using vether(4) and bridge(4).

Alexey




Proxy ARP, but network interface specific

2012-01-23 Thread Gerlach, Hendrik
Hi,

we use OpenBSD in a transparent firewall configuration.

For various reasons we have the need for proxy ARP at the firewall's
internal network interface. To avoid information leakage (e.g. by ARP scanning)
at the external interface it's necessary to allow proxy ARP only for the
internal side and not at the external interface.

In contrast to Linux it seems to be impossible in OpenBSD to add proxy ARP
entries only for a specific network interface (missing option for the arp
command) or to disable proxy ARP entirely for some interfaces (sysctl or
ifconfig option).

So it seems that some code change is necessary. Are there any solutions,
hints, papers or ideas that could help us?


--
Hendrik
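The interface-specific answering that this thread asks for, and the userspace BPF daemon route that Stuart suggests in his reply, as one added example (not choparp's, OpenBSD's or any thread participant's code): a small Python model of a proxy ARP responder that answers published addresses only for requests arriving on the configured internal interface, plus a simulated ARP sweep showing that the same sweep seen on the external interface reveals nothing. The interface names em0/em1, the MAC and IP addresses and the published entries are made up for the example; reading and injecting frames through bpf(4) is left out, so frames built in memory stand in for frames read from the BPF device.

```python
"""Interface-aware proxy ARP responder, modelled on the userspace daemon idea
from the thread, plus a simulated ARP sweep from both sides of the firewall.

Added example: not choparp's, OpenBSD's or the thread participants' code.
Frame capture/injection via bpf(4) is omitted; the frames below are
constructed in memory and stand in for frames read from the BPF device.
"""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
ETH_FMT = "!6s6sH"           # dst MAC, src MAC, ethertype
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(frame):
    """Decode an Ethernet/IPv4 ARP frame into a dict, or None if it is not one."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack(ETH_FMT, frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def build_arp_request(src_mac, src_ip, target_ip):
    """Broadcast 'who-has target_ip tell src_ip', as a host or a scanner sends it."""
    eth = struct.pack(ETH_FMT, b"\xff" * 6, mac_bytes(src_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REQUEST,
                      mac_bytes(src_mac), ipaddress.IPv4Address(src_ip).packed,
                      b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def build_arp_reply(req, our_mac):
    """Unicast 'tpa is-at our_mac' back to the requester."""
    eth = struct.pack(ETH_FMT, req["sha"], our_mac, ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                      our_mac, req["tpa"], req["sha"], req["spa"])
    return eth + arp


class ProxyArpResponder:
    """Answers ARP requests for published addresses, but only on one interface.

    A kernel 'arp -s host ether pub' entry is answered on every interface; the
    thread's concern is that an ARP sweep on the external side then reveals
    the published entries. Keying the decision on the ingress interface is
    what a BPF daemon can do and the kernel ARP table cannot.
    """

    def __init__(self, answer_on_iface, our_mac, published_ips):
        self.iface = answer_on_iface            # the internal, trusted interface
        self.our_mac = mac_bytes(our_mac)
        self.published = {ipaddress.IPv4Address(ip).packed for ip in published_ips}

    def handle(self, ingress_iface, frame):
        """Return the reply frame to inject on ingress_iface, or None to stay silent."""
        if ingress_iface != self.iface:
            return None                          # never answer on the external side
        req = parse_arp(frame)
        if req is None or req["op"] != ARP_REQUEST:
            return None
        if req["tpa"] not in self.published:
            return None
        return build_arp_reply(req, self.our_mac)


def arp_scan(responder, ingress_iface, scanner_mac, scanner_ip, network):
    """Simulate an attacker's ARP sweep of `network` as seen on `ingress_iface`.

    Returns the set of addresses the responder would have revealed.
    """
    revealed = set()
    for host in ipaddress.ip_network(network).hosts():
        frame = build_arp_request(scanner_mac, scanner_ip, str(host))
        if responder.handle(ingress_iface, frame) is not None:
            revealed.add(str(host))
    return revealed


if __name__ == "__main__":
    # Constructed topology: em1 = internal/trusted, em0 = external/untrusted.
    responder = ProxyArpResponder("em1", "00:11:22:33:44:55",
                                  ["192.0.2.10", "192.0.2.11"])
    inside = arp_scan(responder, "em1", "66:77:88:99:aa:bb", "192.0.2.1", "192.0.2.0/28")
    outside = arp_scan(responder, "em0", "de:ad:be:ef:00:01", "192.0.2.1", "192.0.2.0/28")
    print("sweep seen on em1 (internal) reveals:", sorted(inside))
    print("sweep seen on em0 (external) reveals:", sorted(outside))
```

The decision in `handle` is the whole point: the ingress interface is checked before the target address, so the published set is never consulted for frames from the external side and an external sweep gets the same silence for published and unpublished addresses alike. A real daemon would read frames from one bpf(4) descriptor per interface, which is how it learns the ingress interface, and would also want rate limiting so that the internal side cannot be used to make it flood replies.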