Date:	Mon, 28 Nov 2011 08:54:09 -0600
From:	"Greg Scott" <GregScott@...rasupport.com>
To:	"David Lamparter" <equinox@...c24.net>
Cc:	<netdev@...r.kernel.org>
Subject: RE: ebtables on a stick

> This doesn't answer your question, but your use case is better solved
> with proxy arp.

Proxy arp scares me to death.  I lived through a disaster a few years ago when I messed up a whole colo site when I put in a box with its public NIC set up with Proxy arp.  If I understand what happens, that proxy-arped NIC answers ARP requests for everyone with its own MAC Address.  Fortunately for me, it only lasted a little while around 4AM one morning before I realized what was going on and took it down.  After I went through that experience I promised myself never again for proxy arp.

That's why I started looking at bridging.  

...But maybe there's a way to make my NIC only answer ARPs for certain IP Addresses I care about?  That would nicely solve the problem.  If it works.  

In my earlier near-disaster, I did this:

echo 1 > /proc/sys/net/ipv4/conf/${INET_IFACE}/proxy_arp

to turn on proxy arp.  I wonder if that ip neighbor stuff does it selectively?  

- Greg
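
An added example, not part of the original message: a check for which interfaces currently have proxy ARP in effect through the proxy_arp setting shown above. It assumes the rule from the kernel's ip-sysctl documentation that proxy ARP is active on an interface when either conf/all/proxy_arp or conf/<iface>/proxy_arp is set; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# List interfaces on which proxy ARP is effectively enabled.
# Assumption: per the kernel's ip-sysctl documentation, proxy ARP is active
# when conf/all/proxy_arp OR conf/<iface>/proxy_arp is 1, so checking only
# the per-interface file can miss a global setting.
# proxy_arp_ifaces is a hypothetical helper; $1 is the conf directory
# (default: the live /proc/sys/net/ipv4/conf).
proxy_arp_ifaces() {
    conf_root=${1:-/proc/sys/net/ipv4/conf}
    all=0
    if [ -r "$conf_root/all/proxy_arp" ]; then
        all=$(cat "$conf_root/all/proxy_arp")
    fi
    for dir in "$conf_root"/*/; do
        iface=$(basename "$dir")
        # "all" and "default" are templates, not real interfaces.
        case $iface in all|default) continue ;; esac
        [ -r "$dir/proxy_arp" ] || continue
        val=$(cat "$dir/proxy_arp")
        if [ "$all" = 1 ] || [ "$val" = 1 ]; then
            echo "$iface"
        fi
    done
}

# Constructed sample tree standing in for /proc, so the check runs anywhere.
make_sample() {
    root=$(mktemp -d)
    for i in all default eth0 eth1; do
        mkdir -p "$root/$i"
        echo 0 > "$root/$i/proxy_arp"
    done
    echo 1 > "$root/eth1/proxy_arp"   # same write as in the message, on eth1
    echo "$root"
}

sample=$(make_sample)
echo "proxy ARP enabled on: $(proxy_arp_ifaces "$sample" | tr '\n' ' ')"
rm -rf "$sample"
```

Called with no argument, proxy_arp_ifaces reads the live /proc/sys/net/ipv4/conf tree.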
