Hi Gregory,

I know the man page, but this doesn't help me. Normally Proxy ARP is used at a router. But we have the need to use it at a transparent firewall.

And there the proxied ARP requests are answered to both sides of the firewall: the internal, trusted side (as wanted), but also to the external untrusted side, from where an attacker could do ARP scanning to uncover our proxy ARP entries.

Hendrik

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Gregory Edigarov
Sent: Monday, 23 January 2012 16:47
To: [email protected]
Subject: Re: Proxy ARP, but network interface specific

On Mon, 23 Jan 2012 12:11:26 +0100
"Gerlach, Hendrik" <[email protected]> wrote:

> Hi,
>
> we use OpenBSD in a transparent firewall configuration.
>
> Because of different reasons we have the need for proxy-ARP at the
> firewall's internal network interface. To avoid information loss
> (e.g. by ARP scanning) at the external interface it's necessary to
> allow proxy ARP only for the internal side and not at the external
> interface.

man 8 arp:

    hostname ether_addr [temp | permanent] [pub]

    The entry will be static (will not time out) unless the word temp is
    given in the command. A static ARP entry can be overwritten by network
    traffic, unless the word permanent is given. If the word pub is given,
    the entry will be ``published''; that is, this system will act as an
    ARP server, responding to requests for hostname even though the host
    address is not its own. This behavior has traditionally been called
    proxy ARP.

> Unlike Linux, it seems to be impossible in OpenBSD to add
> proxy ARP entries only for a specific network interface (missing
> option for the ARP command) or to disable proxy ARP at all for some
> interfaces (sysctl or ifconfig option).
>
> So it seems that some code change is necessary. Are there some
> solutions, hints or papers or some ideas that could help us?
>
> --
> Hendrik
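The concern raised in this thread is that published ("pub") ARP entries get answered on every interface, so the firewall's external side may reveal which addresses it proxies. A defender can verify whether that is actually happening by capturing ARP traffic on the external interface and looking for ARP replies sent by the firewall's MAC for addresses that are not its own. The script below is an added example written for this editorial pass, not code from the thread, from OpenBSD, or from the arp(8) man page. It parses raw Ethernet/ARP frames (as tcpdump or a raw socket would deliver them) and flags such replies. All MAC and IP addresses and the sample "capture" are constructed for the example.

```python
import struct

# Protocol constants (IEEE 802.3 EtherType for ARP, ARP opcodes).
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 42-byte Ethernet II + ARP frame (used only to construct samples)."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "eth_src": mac_str(frame[6:12]),
        "sha": mac_str(frame[22:28]),   # sender hardware address
        "spa": ip_str(frame[28:32]),    # sender protocol address
        "tha": mac_str(frame[32:38]),
        "tpa": ip_str(frame[38:42]),
    }


def find_proxy_arp_leaks(frames, firewall_mac, own_ips):
    """IPs for which the firewall answered ARP on this capture although they are not its own.

    On a capture taken on the *external* interface, any such address is a
    published (proxy ARP) entry that is visible to the untrusted side.
    """
    leaked = set()
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        if arp["sha"].lower() != firewall_mac.lower():
            continue
        if arp["spa"] in own_ips:
            continue  # answering for its own address is normal, not proxy ARP
        leaked.add(arp["spa"])
    return sorted(leaked)


# Constructed sample: what a capture on the external interface might contain.
FW_MAC = "00:11:22:33:44:55"          # hypothetical firewall MAC
FW_OWN_IPS = {"10.0.0.1"}             # hypothetical address owned by the firewall
SCANNER_MAC = "66:77:88:99:aa:bb"     # hypothetical host on the external side
SAMPLE_CAPTURE = [
    build_arp_frame(ARP_REQUEST, SCANNER_MAC, "10.0.0.99", "00:00:00:00:00:00", "10.0.0.5"),
    build_arp_frame(ARP_REPLY, FW_MAC, "10.0.0.5", SCANNER_MAC, "10.0.0.99"),   # proxied entry leaking
    build_arp_frame(ARP_REPLY, FW_MAC, "10.0.0.1", SCANNER_MAC, "10.0.0.99"),   # firewall's own address
    build_arp_frame(ARP_REPLY, FW_MAC, "10.0.0.7", SCANNER_MAC, "10.0.0.99"),   # second proxied entry
    build_arp_frame(ARP_REPLY, SCANNER_MAC, "10.0.0.99", FW_MAC, "10.0.0.1"),   # reply from another host
]

if __name__ == "__main__":
    for ip in find_proxy_arp_leaks(SAMPLE_CAPTURE, FW_MAC, FW_OWN_IPS):
        print(f"proxy ARP reply for {ip} seen on external interface")
```

In practice the frames would come from a capture file or a raw socket bound to the external interface; an empty result means no published entry was answered towards the untrusted side during the capture window, while any address listed confirms the leak this thread describes.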
