12.07.2015 Views


Chapter 7

There may be some rare circumstances when you want to disable ARP on an interface, for example when a special device is connected to your network that cannot handle ARP requests. Otherwise, it is advised that you do not disable ARP on Ethernet interfaces.

Static ARP

There are several methods by which a host can poison the ARP tables of other hosts on the network by transmitting fake ARP advertisements. When this happens, other hosts are prevented from receiving traffic, or worse, traffic is redirected to another host instead of the actual network gateway.

In order to prevent such attacks on an untrusted Ethernet network, you may want to change the default behavior of ARP and prevent the host from learning ARP information from the network.

In this case you have to manually set up an ARP table for trusted hosts on your network and instruct the system not to learn ARP advertisements from the wire. This method is known as setting up static ARP.

In order to set up static ARP entries, you should use the arp(8) utility. This utility is covered in more detail later in this chapter. However, in order to simply add a static ARP entry to the system's ARP table, you may use the following command:

    # arp -s 192.168.0.151 00:c0:91:30:ab:cd

The above example shows how to statically map the IP address 192.168.0.151 to MAC address 00:c0:91:30:ab:cd.

Once you finish setting up your trusted MAC address table, you should configure your network interface to exclusively permit traffic for static ARP entries as shown here:

    # ifconfig xl0 staticarp

This disables sending ARP requests to unknown addresses on the xl0 interface, which then relies on the static ARP entries in the ARP table.

To verify the operation, you should check the interface flags using ifconfig as shown in the following command:

    # ifconfig xl0 | grep flags
    xl0: flags=88843metric 0 mtu 1500

To disable static ARP on an interface, you may use ifconfig with the -staticarp option.
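Before switching an interface to staticarp, it helps to confirm that every trusted host is present in the ARP table as a permanent entry with the expected MAC address. The script below is an added example, not taken from the book: it compares a trusted table against saved `arp -an` output. The `audit_arp` and `demo` names, the "IP MAC" file format, the sample addresses and the assumed `arp -an` line layout are all choices made for this example.

```shell
#!/bin/sh
# Added example: audit saved `arp -an` output against a trusted IP/MAC table.
# audit_arp TRUSTED_FILE ARP_OUTPUT_FILE
#   TRUSTED_FILE     lines of "IP MAC" (format assumed for this example)
#   ARP_OUTPUT_FILE  output of `arp -an`, assumed "? (ip) at mac on if ..."
audit_arp() {
    awk '
        NR == FNR {                          # first file: trusted table
            if (NF == 0 || $1 ~ /^#/) next   # skip blank lines and comments
            want[$1] = tolower($2)
            next
        }
        $3 == "at" {                         # second file: ARP table lines
            ip = $2; gsub(/[()]/, "", ip)
            mac = tolower($4)
            seen[ip] = 1
            if (!(ip in want))           print "UNKNOWN", ip, mac
            else if (mac != want[ip])    print "MISMATCH", ip, "expected", want[ip], "got", mac
            else if ($0 !~ / permanent/) print "NOTSTATIC", ip
        }
        END { for (ip in want) if (!(ip in seen)) print "MISSING", ip }
    ' "$1" "$2"
}

# Constructed sample data; only 192.168.0.151 appears in the book's text.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/trusted" <<'EOF'
# IP            MAC
192.168.0.151   00:c0:91:30:ab:cd
192.168.0.1     00:11:22:33:44:55
192.168.0.20    00:aa:bb:cc:dd:ee
192.168.0.30    00:de:ad:be:ef:01
EOF
    cat > "$dir/arp" <<'EOF'
? (192.168.0.151) at 00:c0:91:30:ab:cd on xl0 permanent [ethernet]
? (192.168.0.1) at 00:11:22:33:44:99 on xl0 permanent [ethernet]
? (192.168.0.20) at 00:aa:bb:cc:dd:ee on xl0 expires in 1180 seconds [ethernet]
? (192.168.0.77) at 00:0c:29:12:34:56 on xl0 expires in 600 seconds [ethernet]
EOF
    audit_arp "$dir/trusted" "$dir/arp"
    rm -rf "$dir"
}
demo
```

An empty report means every trusted host has a matching permanent entry; any MISMATCH or UNKNOWN line should be investigated before the table is trusted.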
