Subject: rc.d script for adding static ARP entries
To: None <tech-net@netbsd.org>
From: Geert Hendrickx <geert.hendrickx@ua.ac.be>
List: tech-net
Date: 08/23/2005 16:47:26
--sdtB3X0nJg68CQEu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

I've created an rc.d script (staticarp) to add static ARP entries, listed
in /etc/arp.conf, at boot time.  This can help prevent IP spoofing attacks,
since static ARP entries cannot be altered by (spoofed) ARP reply packets
floating around your network; they are permanent.

I also wrote a manpage for arp.conf, somewhat modelled after route.conf(5)
(staticarp and arp.conf are named in analogy to staticroute and route.conf,
as suggested by Nino Dehne on tech-security:
http://mail-index.netbsd.org/tech-security/2005/06/28/0007.html ).

GH

--sdtB3X0nJg68CQEu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=staticarp

#!/bin/sh
#
# $NetBSD$
#

# PROVIDE: staticarp
# REQUIRE: NETWORKING mountcritremote
# BEFORE: SERVERS

. /etc/rc.subr

name="staticarp"
rcvar="staticarp"
command="/usr/sbin/arp"
conf_file="/etc/arp.conf"
# rc.subr refuses to start the service if the configuration file is missing
required_files="${conf_file}"
# arp -f loads every "hostname ether_addr" line of the file into the ARP table
command_args="-f ${conf_file}"
# the entries stay in the table until reboot, so "stop" has nothing to undo;
# note that arp(8) exits at once, so "status" always reports it as not running
stop_cmd=":"

load_rc_config $name
run_rc_command "$1"

--sdtB3X0nJg68CQEu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="rc.conf.diff"

--- etc/defaults/rc.conf.orig	2005-08-23 16:43:01.000000000 +0200
+++ etc/defaults/rc.conf	2005-08-23 16:45:11.000000000 +0200
@@ -154,6 +154,7 @@
 ip6mode=host					# host, autohost or router
 ip6sitelocal=NO					# IPv6 sitelocal addrs
 rtsol=NO		rtsol_flags="-a"	# for ip6mode=autohost only
+staticarp=NO					# uses /etc/arp.conf
 
 # Special treatment for interfaces that need to be downed on
 # shutdown (because they might cause unecessary costs or block resources
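Review bot: the new staticarp=NO line lands among the IPv6 autoconfiguration knobs (ip6mode, ip6sitelocal, rtsol); since the script is named and designed in analogy to staticroute, placing it next to the staticroute entry would make it easier to find. The trailing comment could also point at the manpage shipped with the script, e.g. `# uses /etc/arp.conf, see arp.conf(5)`, and mention that the script will not start while that file is absent, since the rc.d script lists it in required_files.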

--sdtB3X0nJg68CQEu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="arp.conf.5"

.Dd August 23, 2005
.Dt ARP.CONF 5
.Os
.Sh NAME
.Nm arp.conf
.Nd static ARP entries file
.Sh DESCRIPTION
The
.Nm
file is read by the
.Pa staticarp
.Xr rc.d 8
script during system start-up, and is intended for adding static
entries to the ARP table (Internet-to-Ethernet address mapping).
This can help prevent IP spoofing attacks.
.Pp
All lines must be of the form
.Dl hostname ether_addr
e.g.,
.Dl 192.168.1.2 01:23:45:67:89:ab
.Pp
Comments or empty lines are not allowed.
See
.Xr arp 8
for more details about the file format.
.Sh IMPORTANT
Do
.Ic NOT
use the
.Xr arp 8
command itself to gather the hardware addresses!
This would completely defeat the purpose of preventing IP spoofing
attacks (since the addresses gathered this way could already be
spoofed).
Instead, manually check the hardware address on each host, e.g.,
using the
.Xr ifconfig 8
command on UNIX hosts.
.Sh FILES
.Bl -tag -width /etc/rc.d/staticarp
.It Pa /etc/arp.conf
The
.Nm
file resides in
.Pa /etc .
.It Pa /etc/rc.d/staticarp
.Xr rc.d 8
script that parses arp.conf.
.El
.Sh SEE ALSO
.Xr arp 4 ,
.Xr arp 8 ,
.Xr ifconfig 8
.Sh HISTORY
The
.Pa staticarp
rc.d
script appeared in
.Nx 3.0 .

--sdtB3X0nJg68CQEu--
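A pre-flight check for the arp.conf format described in the attached manpage, added here as an example and not part of the posting or of NetBSD: it applies the stated rules (exactly one "hostname ether_addr" pair per line, no comments or blank lines) and, stricter than arp(8) itself, accepts only literal IPv4 addresses and unicast MAC addresses, so that no name lookup is involved while the entries are loaded and no group address gets pinned. Note that the manpage's illustrative 01:23:45:67:89:ab has the group bit set in its first octet and is therefore rejected by this check.

```shell
# Added example, not from the posting or NetBSD: pre-flight check for an
# arp.conf file before staticarp hands it to "arp -f".
# 0 if $1 is a dotted quad with four octets in 0..255, else 1.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do [ "$_o" -le 255 ] || return 1; done
    return 0
}

# 0 if $1 is six colon-separated hex octets and the group (I/G) bit of
# the first octet is clear, i.e. not a multicast or broadcast address.
is_unicast_mac() {
    _h='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in $_h:$_h:$_h:$_h:$_h:$_h) ;; *) return 1 ;; esac
    case "${1%%:*}" in ?[13579bBdDfF]) return 1 ;; esac
    return 0
}

# Print every offending line of the file $1; the return value is the number
# of bad lines (0 means the file is clean). Stricter than arp(8): hostnames
# are rejected so that no name lookup happens while entries are loaded.
check_arp_conf() {
    _file=$1 _bad=0 _n=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1)); set -- $_line
        case "$_line" in
        ''|'#'*) _why="comments and empty lines are not allowed" ;;
        *) if [ $# -ne 2 ]; then _why="expected exactly 'hostname ether_addr'"
           elif ! is_ipv4 "$1"; then _why="'$1' is not a literal IPv4 address"
           elif ! is_unicast_mac "$2"; then _why="'$2' is not a unicast MAC"
           else continue; fi ;;
        esac
        echo "line $_n: $_why"; _bad=$((_bad + 1))
    done < "$_file"
    return $_bad
}

# Constructed sample: one good entry, then a comment, the manpage's example
# address (first octet 01 has the group bit set) and a malformed pair.
_sample=$(mktemp); cat > "$_sample" <<'EOF'
192.168.1.1 00:11:22:33:44:55
# gateway
192.168.1.2 01:23:45:67:89:ab
192.168.300.4 00:11:22:33:44
EOF
check_arp_conf "$_sample" || echo "bad lines: $?"
rm -f "$_sample"
```

Run it against the real file with `check_arp_conf /etc/arp.conf` before enabling staticarp in rc.conf; a non-zero return means arp -f would be fed a line the manpage does not allow.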