Re: Keeping track of MAC addresses
On Thu, 21 Feb 2019 at 07:15, wrote:
>
> > did you take a look at net/arpwatch?
>
> Too many emails; email to root is not a useful mechanism for me.

arpwatch could be configured to send emails to an address other than root. At the time I was using it, the --help showed a command line option for specifying alternative email addresses, but it did not work then. It's been many years since I used it, so this may have changed, but I had to adjust #define's for WATCHER and WATCHEE, to hard code alternative email addresses into the binary.

Combined with an email to SMS text message gateway service, this gave my manager and me almost instant notification when staff with physical access added hosts to certain networks they were not permitted to.

Shane
Re: Keeping track of MAC addresses
On 20/02/2019 23:38, Henry Bonath wrote:
> Not sure if this is what you are looking for, but I like Netdisco for this.
> It uses SNMP to query network routers, switches, and access points,
> and dumps out their TCAM as well as ARP tables into a Database in
> order to preserve a history of not only what MAC Address was mapped to
> what IP Address, but also what switchport or Access Point it was
> attached to.
>
> It uses an external PostgreSQL Database, and is written in Perl.
> As far as I know, it is not available in any Packaged form for
> OpenBSD, but I assume is probably manually installable.
>
> It's great for tracking down if a device drops off the network, and
> being able to track down where it last was plugged in.

NAV is also an option https://nav.uninett.no/

G
Re: Keeping track of MAC addresses
On Wed, Feb 20, 2019 at 01:05:59PM -0700, j...@bitminer.ca wrote:
> >
> > did you take a look at net/arpwatch?
>
> Too many emails; email to root is not a useful mechanism for me.
>

And net/arpwatch does not handle IPv6. I'd use the route message ABI if I had to do what you are looking for.
Re: Keeping track of MAC addresses
Not sure if this is what you are looking for, but I like Netdisco for this.
It uses SNMP to query network routers, switches, and access points,
and dumps out their TCAM as well as ARP tables into a Database in
order to preserve a history of not only what MAC Address was mapped to
what IP Address, but also what switchport or Access Point it was
attached to.

It uses an external PostgreSQL Database, and is written in Perl.
As far as I know, it is not available in any Packaged form for
OpenBSD, but I assume is probably manually installable.

It's great for tracking down if a device drops off the network, and
being able to track down where it last was plugged in.

On Wed, Feb 20, 2019 at 12:42 PM wrote:
>
> > I would like to keep tabs on the MAC/IP addresses in my secure net.
> > I do know how to do this, but keeping track of ethernet MAC addresses seems
> > quite cumbersome in OpenBSD, not that it is more convenient in any other
> > general purpose operating system but many interfaces for ex. routers make it
> > easy to manage, especially MAC filtering.
> >
> > At the moment we have:
> >
> > /etc/ethers file #not the same as arp -s and arp -f !!
> > arp -a output
> > arp -s and arp -f input # not the same as /etc/ethers!!
>
> The apps in ports don't seem to do what you (or I) want. After looking them over,
> in the end I wrote a sh script to compare `arp -an` output with a list
> of "known" MACs, and it would notice when a new MAC appeared or an existing
> MAC disappeared (most everything is on a wireless DHCP so lots of transient
> behaviour).
>
> When a new one appears, or an existing one disappears, it logs to syslog.
>
> Previously unseen MACs are logged slightly differently, so the network management
> app can issue an alert.
>
> In general I think the average home network is approximately similar or even more
> complex than a simple small business network. So lots of management features
> are worthwhile: segmentation, MAC and IP surveillance, and a network management
> app.
>
>
> --J
>
Re: Keeping track of MAC addresses
On 2019-02-20 10:59, Solene Rapenne wrote:
> On Wed, Feb 20, 2019 at 10:36:16AM -0700, j...@bitminer.ca wrote:
> > ...
> > The apps in ports don't seem to do what you (or I) want. After looking them over,
> > in the end I wrote a sh script to compare `arp -an` output with a list
> > of "known" MACs, and it would notice when a new MAC appeared or an existing
> > MAC disappeared (most everything is on a wireless DHCP so lots of transient
> > behaviour).
> >
> > When a new one appears, or an existing one disappears, it logs to syslog.
> > ...
>
> did you take a look at net/arpwatch?

Too many emails; email to root is not a useful mechanism for me.
Re: Keeping track of MAC addresses
On Wed, Feb 20, 2019 at 10:36:16AM -0700, j...@bitminer.ca wrote:
> > I would like to keep tabs on the MAC/IP addresses in my secure net.
> > I do know how to do this, but keeping track of ethernet MAC addresses seems
> > quite cumbersome in OpenBSD, not that it is more convenient in any other
> > general purpose operating system but many interfaces for ex. routers make it
> > easy to manage, especially MAC filtering.
> >
> > At the moment we have:
> >
> > /etc/ethers file #not the same as arp -s and arp -f !!
> > arp -a output
> > arp -s and arp -f input # not the same as /etc/ethers!!
>
> The apps in ports don't seem to do what you (or I) want. After looking them over,
> in the end I wrote a sh script to compare `arp -an` output with a list
> of "known" MACs, and it would notice when a new MAC appeared or an existing
> MAC disappeared (most everything is on a wireless DHCP so lots of transient
> behaviour).
>
> When a new one appears, or an existing one disappears, it logs to syslog.
>
> Previously unseen MACs are logged slightly differently, so the network management
> app can issue an alert.
>
> In general I think the average home network is approximately similar or even more
> complex than a simple small business network. So lots of management features
> are worthwhile: segmentation, MAC and IP surveillance, and a network management
> app.
>
>
> --J
>

did you take a look at net/arpwatch?
Re: Keeping track of MAC addresses
> I would like to keep tabs on the MAC/IP addresses in my secure net.
> I do know how to do this, but keeping track of ethernet MAC addresses seems
> quite cumbersome in OpenBSD, not that it is more convenient in any other
> general purpose operating system but many interfaces for ex. routers make it
> easy to manage, especially MAC filtering.
>
> At the moment we have:
>
> /etc/ethers file #not the same as arp -s and arp -f !!
> arp -a output
> arp -s and arp -f input # not the same as /etc/ethers!!

The apps in ports don't seem to do what you (or I) want. After looking them over, in the end I wrote a sh script to compare `arp -an` output with a list of "known" MACs, and it would notice when a new MAC appeared or an existing MAC disappeared (most everything is on a wireless DHCP so lots of transient behaviour).

When a new one appears, or an existing one disappears, it logs to syslog.

Previously unseen MACs are logged slightly differently, so the network management app can issue an alert.

In general I think the average home network is approximately similar or even more complex than a simple small business network. So lots of management features are worthwhile: segmentation, MAC and IP surveillance, and a network management app.

--J
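The comparison described in the message above (MACs in `arp -an` output against a "known" list and against the previous run), as an added example that is not J's script and not part of the thread. The file layout, the event names `appeared`/`unknown`/`disappeared`, the `macwatch` syslog tag and the sample ARP table are assumptions constructed for illustration.

```sh
# Added example; file names and event names are assumptions.

# Read arp output on stdin; print unique MACs, lowercased and zero-padded.
extract_macs() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if (split(tolower($i), o, ":") != 6) continue
            mac = ""; ok = 1
            for (j = 1; j <= 6; j++) {
                if (o[j] !~ /^[0-9a-f][0-9a-f]?$/) { ok = 0; break }
                mac = mac (j > 1 ? ":" : "") (length(o[j]) == 1 ? "0" : "") o[j]
            }
            if (ok) print mac
        }
    }' | LC_ALL=C sort -u
}

# $1 = known-MAC file, $2 = MACs seen on the last run, $3 = MACs seen now.
# Prints one event per line: "appeared|unknown|disappeared <mac>".
diff_macs() {
    awk -v K="$1" -v P="$2" '
        FILENAME == K { known[$1] = 1; next }
        FILENAME == P { prev[$1] = 1; next }
        { cur[$1] = 1
          if (!($1 in prev)) { ev = ($1 in known) ? "appeared" : "unknown"; print ev, $1 } }
        END { for (m in prev) if (!(m in cur)) print "disappeared", m }
    ' "$1" "$2" "$3" | LC_ALL=C sort
}

# Constructed sample run (documentation addresses, no network access).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 00:00:5e:00:53:01 00:00:5e:00:53:02 > "$d/known"
    printf '%s\n' 00:00:5e:00:53:02 > "$d/prev"
    extract_macs > "$d/cur" <<'EOF'
Host                                 Ethernet Address    Netif Expire    Flags
192.0.2.1                            00:00:5E:00:53:01     em0 19m50s
192.0.2.7                            (incomplete)          em0 expired
192.0.2.9                            2:0:5e:0:53:9         em0 4m12s
EOF
    diff_macs "$d/known" "$d/prev" "$d/cur"
    rm -rf "$d"
}

demo
# Real use (assumed wiring): arp -an | extract_macs > cur; diff_macs known prev cur |
#   while read -r ev mac; do logger -t macwatch -p daemon.notice "$ev $mac"; done; mv cur prev
```

Logging `unknown` separately from `appeared` is what lets a downstream alerting tool key on never-before-seen addresses only, while transient DHCP clients on the known list generate routine entries.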
Re: keeping track of MAC addresses
On 2019-02-14 02:01, mailingli...@dotbit.ro wrote:
> I would like to keep tabs on the MAC/IP addresses in my secure net.
> I do know how to do this, but keeping track of ethernet MAC addresses seems
> quite cumbersome in OpenBSD, not that it is more convenient in any other
> general purpose operating system but many interfaces for ex. routers make it
> easy to manage, especially MAC filtering.

Perhaps look at the "arpwatch" package in ports, which may be applicable.

But... you know that both ARP and MAC addresses can be trivially spoofed, right? Just using /etc/ethers instead of ARP does *not* make your network secure. Some "intelligent" switches do ARP sniffing to populate their internal hardware FIBs. (Yes, that's a dumb idea. Switch vendors still do it.)

Disabling ARP on your hosts is... not generally a good idea.

> PS: after running ifconfig em0 -arp my Allied Telesis AT-GS950-16 managed
> switch took the link down and refuses to bring it back up on the same port
> without a reset. Other ports work fine.

I won't say this is impossible, but it seems unlikely. I think it's more likely the lack of ARP traffic on the port caused the switch to do something "interesting" with IP traffic destined for this host. Or maybe something else triggered storm-prevention features in the switch?

Running an ifconfig(8) command should not be able to persistently shut down a switch port in any network environment. Did you observe the link lights on the NIC and switch actually turn off and stay off?

> As I have already mentioned I can manage by myself, but it seems to me that
> this is something that a lot of people would want.

Not so much, AFAIK. Disabling core IP protocols usually generates more problems than it solves. Let us know how disabling/blocking ICMPv6 works out for you... ;-) [Hint: that's a trick question. You can't run IPv6 without ICMPv6.]

You could filter on MAC addresses instead of restricting ARP: https://www.openbsd.org/faq/pf/tagging.html#ethernet

That requires using bridge(4) which apparently is on its way out, and I don't know if the replacement (switch(4)) supports filtering packets based on MAC address or not - it's OpenFlow-compliant, so there has to be a way, but it may or may not be easily accessible from inside OpenBSD.

You may also want to assign new MAC addresses to your hosts, both to eliminate the need to gather the MACs, and to simplify maintenance (e.g. the labour involved in replacing a NIC on a server or a motherboard is O(n^2) with hardware-bound MAC addresses in your setup, instead of O(1)). There are special LAAs (Locally-Assigned Addresses) that you can use for this. OpenBSD supports setting a locally-assigned MAC address with ifconfig(8) "lladdr" option.

Good luck on your strange quest,
-Adam
keeping track of MAC addresses
Hello,

As I am tidying up my network by segregating it into secure, general inet access and guest networks, I would like to keep tabs on the MAC/IP addresses in my secure net. I do know how to do this, but keeping track of ethernet MAC addresses seems quite cumbersome in OpenBSD, not that it is more convenient in any other general purpose operating system but many interfaces for ex. routers make it easy to manage, especially MAC filtering.

At the moment we have:

/etc/ethers file #not the same as arp -s and arp -f !!
arp -a output
arp -s and arp -f input # not the same as /etc/ethers!!

So what have I tried:

ifconfig em0 -arp #in order to prevent discovery of unauthorized hosts
arp -ad
echo > /etc/ethers
ping - ping: sendmsg: Host is down
arp -s
ping - response

PS: after running ifconfig em0 -arp my Allied Telesis AT-GS950-16 managed switch took the link down and refuses to bring it back up on the same port without a reset. Other ports work fine.

What can I do:

Probably find some bloated program that introduces way more risk than the gain by keeping tabs on MAC addresses.

Make a simple script that creates a hosts/unbound file and a file suitable for arp -f from a single master file containing MAC, IPv4 and hostname and then loads them.

As I have already mentioned I can manage by myself, but it seems to me that this is something that a lot of people would want.

Would it make sense to have arp read /etc/ethers?

Is there another way than ifconfig em0 -arp to prevent auto-learning mac addresses from the ethernet network and have the mac addresses added as "static"?

Awaiting input if I am missing something, if there already is an elegant solution to my problem or if it is something that more people would like to have a solution for.

Thanks,
Dimitrios