DragonFly On-Line Manual Pages
ipguard(8) DragonFly System Manager's Manual ipguard(8)
NAME
ipguard - tool designed to protect Ethernet LAN IP address space by ARP
spoofing.
SYNOPSIS
ipguard [-h] [-ajgrxziovd] [-f ethers] [-l log] [-p pid] [-m mac] [-c
filter] [-u seconds] [-k seconds] [-n fakes] [-t mseconds] [-b buf] [-s
user] <iface>
DESCRIPTION
ipguard listens on the network for ARP packets. All permitted MAC-IP pairs
are listed in the `ethers' file. If it receives an ARP packet whose MAC-IP
pair is not listed in the `ethers' file, it sends an ARP reply carrying a
configured fake address. This prevents the unpermitted host from working
properly in the local Ethernet segment.
OPTIONS
-f | -e ethers
Ethers file. The format of the `ethers' file is described in
`ethers.sample' and ethers(5). Default `/etc/ethers'.
-l log
Log file. Default `/var/log/ipguard_<iface>.log'.
-p pid
Pid file. Default `/var/run/ipguard_<iface>.pid'.
-m mac
Fake MAC address. Sent in ARP replies as the MAC of the unlisted
computer. Default `de:ad:xx:xx:xx:xx', where each `x' is a random hex digit.
-c filter
PCAP filter expression. Default no filter.
-u seconds
Ethers update interval. Time between checks of the `ethers' file for
changes, rescanning it if any are found. Default 0 == no autoupdate.
-k seconds
Periodically regenerate the fake MAC address. Default 0 == no
regeneration.
-n fakes
Number of fake replies. Default 2 replies.
-t mseconds
Time between fake replies. Default 50 milliseconds.
-b buf
MAC buffer size. Number of most recent bad MAC-IP pairs kept in the
buffer. Default 0 == no buffer.
-s user
Drop root privileges to user. Default: do not drop.
-a No address substitution for wildcard entries such as 0.0.0.0 or
00:00:00:00:00:00.
-j Disable first MAC-IP pair autodetect from interface.
-g Default to grant. Do not block a host if neither its MAC nor its IP is
in the list.
-r Read only. Do not send anything to net. Only listen.
-x Duplex mode. Send fake packets not only to the pirate but also in
reply to requests for the pirate's address.
-z Send a broadcast who-has to repair client ARP tables broken by the
pirate.
-i Hidden mode. Do not block gratuitous ARP packets.
-o Promiscuous mode. Put the interface into promiscuous mode. Usually not
needed.
-v Verbose. Print some more messages.
-d Don't fork. Do not go to the background; write all events to
STDERR.
-dd Debug
-ddd Debug more
-h Help. Short command line parameters description.
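The permitted-pair check that DESCRIPTION and the -a, -g and -r options
describe, as an added Python example (not ipguard's own code): it decodes a
raw Ethernet/ARP frame, loads a constructed MAC-IP list laid out the way
ipguard reads `ethers' (MAC then IP, `#' comments; assumed here), and returns
a read-only verdict. The wildcard (-a) and default-grant (-g) semantics follow
the option text above; the function names and sample addresses are mine.

```python
import struct

# Constructed ethers-style list (not from the page): own MAC/IP pair first, as
# TIPS requires; 0.0.0.0 is the "any IP" wildcard that BUGS warns about with -x.
ETHERS = """\
00:11:22:33:44:55 192.168.1.1     # this host
aa:bb:cc:dd:ee:01 192.168.1.10
aa:bb:cc:dd:ee:02 0.0.0.0         # any IP permitted for this MAC
"""

def parse_ethers(text):
    """Return [(mac, ip), ...]; blank lines and '#' comments are skipped."""
    pairs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            pairs.append((fields[0].lower(), fields[1]))
    return pairs

def parse_arp(frame):
    """Return (sender MAC, sender IP, opcode) for an untagged IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa = frame[22:28], frame[28:32]
    return ":".join(f"{b:02x}" for b in sha), ".".join(map(str, spa)), op

def verdict(pairs, mac, ip, default_grant=False, substitute=True):
    """'grant' if the sender pair is permitted, else 'block'.  default_grant mirrors
    -g (MAC and IP both unknown -> grant); substitute=False mirrors -a (wildcards literal)."""
    mac = mac.lower()
    for pmac, pip in pairs:
        mac_ok = pmac == mac or (substitute and pmac == "00:00:00:00:00:00")
        ip_ok = pip == ip or (substitute and pip == "0.0.0.0")
        if mac_ok and ip_ok:
            return "grant"
    if default_grant and all(pmac != mac and pip != ip for pmac, pip in pairs):
        return "grant"
    return "block"

def arp_frame(sender_mac, sender_ip, op=1):
    """Constructed in-memory ARP frame for offline testing only; nothing is transmitted."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    return (b"\xff" * 6 + sha + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + sha + spa + b"\x00" * 10)
```

In -r mode this verdict is all ipguard would do with the frame; in normal mode a `block' is what triggers the fake replies described above.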
EXAMPLES
Normal recommended mode: duplex, broadcast fix, autoupdate /etc/ethers
every 5 min:
ipguard -xz -u 300 fxp0
Same, but with a PCAP filter for the 192.168.1.0/24 network only:
ipguard -xz -u 300 -c 'net 192.168.0.0/24' fxp0
Read-only mode, remembering the last 100 MACs not listed in `ethers'.
Useful for initial MAC-IP pair collection:
ipguard -r -b 100 -f /dev/null rl0
Run ipguard for a while, then `killall -USR2 ipguard' and you will get a
dump of the 100 most recent MAC-IP pairs.
Do not go to the background and be more verbose, with a test ethers file:
ipguard -vd -f /tmp/ethers my1
TIPS
The first MAC-IP pair in `ethers' must always be the host's own MAC/IP
addresses. Normally they are taken automatically from the listening
interface, but if the `-j' option is specified, make sure that the first
pair is the source MAC/IP.
If you want to run more than one ipguard on a segment for redundancy, you
must specify the same fake MAC address for every ipguard and find a method
to synchronize the `ethers' files.
SIGNALS
SIGHUP rescan `ethers' and reopen log file
SIGUSR1
dump some tables and statistics
SIGUSR2
dump new MAC-IP table in ethers(5) format
FILES
/etc/ethers
MAC-IP pairs list
/var/log/ipguard_<iface>.log
log file
/var/run/ipguard_<iface>.pid
pid file
SEE ALSO
RFC 826, ethers(5), tcpdump(1), pcap(3), libnet
BUGS
Do not use the wildcard IP 0.0.0.0 in `ethers' with the -x option. Legal
clients will be banned. Discovered by irix.
Strange bug: libnet_get_hwaddr() does not work on OpenBSD 4.0; discovered
by irix. Use the -j option.
ipguard will not prevent a pirate from changing the MAC address along with
the IP.
Signals HUP, USR1 and USR2 are handled only when a new ARP packet is
received. It's not a bug, it's a feature.
When the -s <user> option is used, ipguard drops root privileges after
creating the log and pid files, so it will not be able to delete or reopen
these files.
Probably too many command line options. Another one or two and I'll put
them all into /etc/ethers as comments.
ipguard was written as a simple small tool and I have no plans to support
external databases (SQL/LDAP/whatever). Use scripts.
AUTHOR
SeaD <sead at deep.perm.ru>