On 2019-02-14 02:01, mailingli...@dotbit.ro wrote:
> I would like to keep tabs on the MAC/IP addresses in my secure net.
> I do know how to do this, but keeping track of Ethernet MAC addresses
> seems quite cumbersome in OpenBSD, not that it is more convenient in any
> other general purpose operating system, but many interfaces, for ex.
> routers, make it easy to manage, especially MAC filtering.
Perhaps look at the "arpwatch" package in ports, which may be applicable.
But... you know that both ARP and MAC addresses can be trivially
spoofed, right? Just using /etc/ethers instead of ARP does *not* make
your network secure.
Some "intelligent" switches do ARP sniffing to populate their internal
hardware FIBs. (Yes, that's a dumb idea. Switch vendors still do it.)
Disabling ARP on your hosts is... not generally a good idea.
> PS: after running ifconfig em0 -arp my Allied Telesis AT-GS950-16 managed
> switch took the link down and refuses to bring it back up on the same
> port without a reset. Other ports work fine.
I won't say this is impossible, but it seems unlikely. I think it's
more likely the lack of ARP traffic on the port caused the switch to do
something "interesting" with IP traffic destined for this host. Or
maybe something else triggered storm-prevention features in the switch?
Running an ifconfig(8) command should not be able to persistently shut
down a switch port in any network environment. Did you observe the link
lights on the NIC and switch actually turn off and stay off?
> As I have already mentioned I can manage by myself, but it seems to me
> that this is something that a lot of people would want.
Not so much, AFAIK. Disabling core IP protocols usually generates more
problems than it solves. Let us know how disabling/blocking ICMPv6
works out for you... ;-) [Hint: that's a trick question. You can't run
IPv6 without ICMPv6.]
You could filter on MAC addresses instead of restricting ARP:
https://www.openbsd.org/faq/pf/tagging.html#ethernet That requires
using bridge(4) which apparently is on its way out, and I don't know if
the replacement (switch(4)) supports filtering packets based on MAC
address or not - it's OpenFlow-compliant, so there has to be a way, but
it may or may not be easily accessible from inside OpenBSD.
You may also want to assign new MAC addresses to your hosts, both to
eliminate the need to gather the MACs, and to simplify maintenance (e.g.
the labour involved in replacing a NIC on a server or a motherboard is
O(n^2) with hardware-bound MAC addresses in your setup, instead of
O(1)). There are special LAAs (Locally-Assigned Addresses) that you can
use for this. OpenBSD supports setting a locally-assigned MAC address
with ifconfig(8) "lladdr" option.
Good luck on your strange quest,
-Adam