Possible (or possibly painful) workaround for FreeBSD-SA-03:14.arp
Michael Sierchio
kudzu at tenebras.com
Wed Sep 24 08:56:14 PDT 2003
Of course you should patch/upgrade, etc. A stopgap measure
could be to use static ARP for a segment. I have done this
for a long time with wireless hosts, since I'm in an urban
environment with many visible nodes, some in autos, and
ARP cache poisoning is a well-known DoS against wireless.
You may find it extremely painful and less-than-useful to
have static IP addrs, etc. for hosts.
Here's a snippet of /usr/local/etc/rc.d/20-statarp.sh from
my FreeBSD host (192.168.1.1) serving as a wireless router:
#! /bin/sh
PATH=/usr/sbin:/sbin
# turn off ARP resolution on the wireless interface so only the
# static entries installed below are ever used
ifconfig wi0 -arp
# flush whatever dynamic entries are already cached
# (redirect order fixed: send stdout to /dev/null first, then stderr to it)
arp -d -a > /dev/null 2>&1
# wireless NICs: one permanent IP -> MAC entry per known host
arp -s 192.168.1.1 00:02:2d:0e:00:40 > /dev/null 2>&1
arp -s 192.168.1.129 00:30:ab:14:11:46 > /dev/null 2>&1
arp -s 192.168.1.130 00:30:ab:14:11:f6 > /dev/null 2>&1
#### many entries deleted ...
arp -s 192.168.1.195 00:30:ab:14:0f:89 > /dev/null 2>&1
# end