Hello again!

About this old problem with the static ARP entries:

20223 deny ip from 192.168.22.201 not MAC any 00:02:00:25:00:b6 any layer2 in
20223 deny ip from any to 192.168.22.201 not MAC 00:02:00:25:00:b6 any layer2 out
There are these entries in the ipfw list. Don't these achieve the same level
of protection?
In either case, if this works correctly, static ARP entries could be
changed with a little trick: we could deny all other MACs from the
rest of the network not having a MAC like ff:ff:ff:ff:ff:ff.

Endre

On 11/14/05, Bill Marquette <[EMAIL PROTECTED]> wrote:
> If I remember how that feature works (since I enabled it - someone
> else actually wrote the code I believe, I'd have to look back about 6
> months in cvs history!) it is supposed to do an arp -s for each IP in
> the list and then an ifconfig staticarp.  According to the FBSD man
> page on ifconfig, staticarp doesn't do what I thought it did.
>
>      staticarp
>              If the Address Resolution Protocol is enabled, the host will only
>              reply to requests for its addresses, and will never send any
>              requests.
>
> For some reason, this used to work as advertised I thought (at least,
> that's the impression I got from the person that submitted the code
> originally).  This should in a roundabout way only allow the firewall
> to communicate with devices in its ARP table - maybe the devices that
> are communicating with it are already in its ARP table (although it
> looks like it flushes the ARP table before adding the static entries,
> but after setting staticarp, so nothing new should be added).
>
> --Bill
>
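
To put the two approaches from this exchange side by side, here is an added example (my own script, not code from the thread or from the firewall's own source): a POSIX sh script that turns one "ip mac" table into both the static ARP sequence Bill describes (ifconfig staticarp, flush the cache, then arp -s per host) and the per-host pair of ipfw layer2 binding rules in the shape Endre posted. The interface name em0, the rule numbers starting at 20200, the second host 192.168.22.202, and the explicit "to any" in the inbound rule are assumptions made for this example. Layer2 rules are only evaluated when net.link.ether.ipfw is set, so the script emits that sysctl first.

```shell
#!/bin/sh
# Added example, not code from the thread or the firewall project.
# Generates the FreeBSD commands for both approaches discussed above
# from a single "ip mac" table, so they can be reviewed before use.
# IFACE, RULE_BASE and the table contents are assumptions.

IFACE=${IFACE:-em0}              # assumed LAN interface name
RULE_BASE=${RULE_BASE:-20200}    # assumed first ipfw rule number

# Constructed sample table, one "ip mac" pair per line.
ARP_TABLE='192.168.22.201 00:02:00:25:00:b6
192.168.22.202 00:02:00:25:00:c7'

# Return 0 if $1 is a six-octet colon-separated MAC, 1 otherwise.
valid_mac() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255.
valid_ip() {
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for o in "$@"; do
            case "$o" in
                ''|*[!0-9]*) exit 1 ;;
            esac
            [ "$o" -le 255 ] || exit 1
        done
        exit 0
    )
}

# Print the well-formed rows of ARP_TABLE; report and skip the rest.
valid_rows() {
    while read -r ip mac junk; do
        [ -n "$ip" ] || continue
        if valid_ip "$ip" && valid_mac "$mac"; then
            echo "$ip $mac"
        else
            echo "skipping malformed entry: $ip $mac" >&2
        fi
    done <<EOF
$ARP_TABLE
EOF
}

# Static ARP, in the order described in the thread: stop sending ARP
# requests, flush whatever the cache learned, then pin each host.
static_arp_cmds() {
    echo "ifconfig $IFACE staticarp"
    echo "arp -d -a"
    valid_rows | while read -r ip mac; do
        echo "arp -s $ip $mac"
    done
}

# ipfw layer2 binding, one rule number per host: the inbound rule drops
# IP packets claiming the host's address from any other source MAC, the
# outbound rule drops IP packets to the host framed for any other MAC.
ipfw_bind_cmds() {
    n=$RULE_BASE
    echo "sysctl net.link.ether.ipfw=1"
    valid_rows | while read -r ip mac; do
        echo "ipfw add $n deny ip from $ip to any not MAC any $mac layer2 in"
        echo "ipfw add $n deny ip from any to $ip not MAC $mac any layer2 out"
        n=$((n + 1))
    done
}

# Default is a dry run that prints the commands; "apply" runs them via sh
# (root on the firewall required).
if [ "${1:-}" = apply ]; then
    { static_arp_cmds; ipfw_bind_cmds; } | sh -e
else
    static_arp_cmds
    ipfw_bind_cmds
fi
```

Run it with no arguments to review the commands, or with apply to execute them. Two caveats worth keeping in mind when weighing the two: the ipfw rules carry an IP source or destination, so they only look at IP packets and leave ARP frames themselves (including a forged reply aimed at the firewall's cache) to the staticarp side; and both mechanisms trust the source MAC on the wire, so a host that clones a listed MAC satisfies both, which is why switch-side controls are still needed on a hostile LAN.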
