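Because I was changing the server's operating system, and the old Windows 2003 installation had an ARP firewall, I needed an equivalent defense against ARP attacks on FreeBSD. After going through a lot of material online, it comes down to two approaches: dedicated ARP protection software, or periodically announcing to the local network and binding the host's own address.
After comparing them, the second approach is simple to carry out and flexible to configure, and it is also what most write-ups online use. The steps below record how I actually configured it.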
1. Get the local IP address and the network card's MAC address
- ifconfig
This prints something like the following (multiple network cards):
- re0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
- options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
- ether 00:1f:d0:6b:0a:60
- media: Ethernet autoselect (none)
- status: no carrier
- ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
- ether 00:25:86:20:48:5a
- inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
- media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/48Mbps)
- status: associated
- ssid onnets channel 11 (2462 Mhz 11g) bssid 00:1f:33:24:88:2c
- authmode OPEN privacy OFF txpower 31.5 bmiss 7 scanvalid 60 bgscan
- bgscanintvl 300 bgscanidle 250 roam:rssi11g 7 roam:rate11g 5
- protmode CTS burst
- plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
- lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
- inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
- inet6 ::1 prefixlen 128
- inet 127.0.0.1 netmask 0xff000000
Write the IP-to-MAC mapping to a file:
- echo 192.168.1.3 00:25:86:20:48:5a > /etc/arp_ipmac.conf
2. Bind the MAC on a schedule and broadcast to the internal network
- crontab -e
Enter the following and save:
- */1 * * * * /usr/sbin/arp -f /etc/arp_ipmac.conf
This runs the IP/MAC binding and broadcast once every minute; adjust the interval to suit your own situation.
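To confirm that the bindings in /etc/arp_ipmac.conf actually hold, the live ARP table can be compared against that file. The script below is an added example, not part of the original post: the function names and the gateway addresses in the sample are constructed, and it goes one step beyond the post by also covering other pinned hosts such as the gateway.

```shell
#!/bin/sh
# Added example (not from the original post).
# arp_mismatches PINNED_FILE   (ARP table text on stdin, in `arp -an` format)
# Prints one line per pinned IP whose live entry carries a different MAC
# and returns 1 if any mismatch was found, 0 otherwise.
arp_mismatches() {
    awk '
        # Pinned file: "IP MAC" pairs, the format written to /etc/arp_ipmac.conf
        FILENAME == ARGV[1] {
            if ($1 !~ /^#/ && NF >= 2) want[$1] = tolower($2)
            next
        }
        # ARP table lines: "? (192.168.1.1) at 02:00:00:00:00:99 on ath0 ..."
        $3 == "at" {
            ip = $2; gsub(/[()]/, "", ip)
            mac = tolower($4)
            if (mac == "(incomplete)") next      # unresolved entry, nothing to compare
            if ((ip in want) && mac != want[ip]) {
                printf "MISMATCH %s expected %s seen %s\n", ip, want[ip], mac
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1" -
}

# Constructed sample of `arp -an` output: the gateway entry shows an
# unexpected MAC (all 02:... addresses here are made up for the example).
sample_arp_table() {
    cat <<'EOF'
? (192.168.1.3) at 00:25:86:20:48:5a on ath0 permanent [ethernet]
? (192.168.1.1) at 02:00:00:00:00:99 on ath0 expires in 1187 seconds [ethernet]
? (192.168.1.7) at (incomplete) on ath0 expired [ethernet]
EOF
}

# Live check on the host itself: sh check_arp.sh --live
if [ "${1:-}" = "--live" ]; then
    arp -an | arp_mismatches /etc/arp_ipmac.conf
fi
```

Run from cron alongside the binding job, a non-zero exit or any MISMATCH line is the signal to investigate the reported address.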
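Article URL: http://www.92csz.com/01/149.html. Unless otherwise noted, articles on this site are original, and reposting is welcome. When reposting, please credit: moon's blog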