Luke Skywalker: "I don't believe it."
Yoda: "That is why you fail."
Where will you go today?
ArpON (Arp handler inspectiON) is a portable handler daemon with some nice tools to handle all ARP aspects.
It makes ARP a bit safer. It does this with two kinds of anti ARP poisoning technique: the first is based on SARPI, or "Static ARP Inspection", the second on the DARPI, or "Dynamic ARP Inspection", approach.
Features of ArpON include:
The following is one possible way to use arpon with a dynamic setup using NetworkManager. As the active interface can change (wired one minute, wifi the next), we want arpon to protect whichever interface is currently up.
We do this by simply having NetworkManager tell arpon which interface to activate on.
Note that this depends on having /usr/sbin/service. If you don't, then simply change /usr/sbin/service arpon to the path of your arpon start script, and make sure you can run /path/to/arpon-script start/stop <interface>.
In /etc/default/arpon, change DAEMON_OPTS and RUN:
...
# For DARPI uncomment the following line
DAEMON_OPTS="-i $2 -q -f /var/log/arpon/arpon.log -g -d"

# Modify to RUN="yes" when you are ready
RUN="yes"
You notice the $2? This file is sourced by the arpon init script, so $2 is the init script's second argument: the interface name that our NetworkManager dispatcher script passes along after start or stop.
Now create /etc/NetworkManager/dispatcher.d/50arpon. It will control arpon from NM. Here it is:
#!/bin/sh -e
# Script to dispatch NetworkManager events
#
# Starts/stops arpon on an interface when NetworkManager brings it up or down.
# See NetworkManager(8) for further documentation of the dispatcher events.

if [ -z "$1" ]; then
    echo "$0: called with no interface" 1>&2
    exit 1
fi

# Fake ifupdown environment
export IFACE="$1"
export LOGICAL="$1"
export ADDRFAM="NetworkManager"
export METHOD="NetworkManager"
export VERBOSITY="0"

# Run the right scripts
case "$2" in
    up|vpn-up)
        export MODE="start"
        export PHASE="post-up"
        /usr/sbin/service arpon start "$IFACE"
        ;;
    down|vpn-down)
        export MODE="stop"
        export PHASE="post-down"
        /usr/sbin/service arpon stop "$IFACE"
        ;;
    # pre-up/pre-down not implemented. See
    # https://bugzilla.gnome.org/show_bug.cgi?id=387832
    # pre-up)
    #     export MODE="start"
    #     export PHASE="pre-up"
    #     exec run-parts /etc/network/if-pre-up.d
    #     ;;
    # pre-down)
    #     export MODE="stop"
    #     export PHASE="pre-down"
    #     exec run-parts /etc/network/if-down.d
    #     ;;
    hostname)
        ;;
    *)
        echo "$0: called with unknown action \`$2'" 1>&2
        exit 1
        ;;
esac
That's it. Pretty simple really. Make the script executable and owned by root; NetworkManager will not run dispatcher scripts that are writable by group or others. Oh, and make sure you disable arpon from starting with the machine, since it is now controlled by NM:
# debian:
update-rc.d arpon disable
# redhat:
chkconfig arpon off
# systemd:
systemctl disable arpon
A simple way to check is to verify the logs. The following shows it working:

11:26:35 - Wait link connection on wlan0...
11:26:40 - DARPI on dev(wlan0) inet(192.168.0.2) hw(yy:yy:yy:yy:yy:yy)
11:26:40 - Deletes these Arp Cache entries:
11:26:40 - 1) 192.168.0.1 -> xx:xx:xx:xx:xx:xx
11:26:40 - Cache entry timeout: 500 milliseconds.
11:26:40 - Realtime Protect actived!
11:26:40 - Request >> Add entry 192.168.0.1
11:26:40 - Reply << Refresh entry 192.168.0.1 -> xx:xx:xx:xx:xx:xx
It's already adding ARP entries and checking them.
However, if you start it and get this (and nothing more), it's probably not working:
11:15:04 - WARNING: eth0: no IPv4 address assigned
The above was arpon trying to protect my disconnected ethernet interface (eth0) rather than my wifi (wlan0).
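Since the log is the quickest signal of which interface arpon actually ended up protecting, here is a small POSIX shell check that scans the arpon log for the two cases shown above. This is an added example, not part of ArpON or of the original post; the log format it parses is assumed from the lines quoted above, and the sample logs it runs against are constructed from them.

```shell
#!/bin/sh
# Added example: decide from /var/log/arpon/arpon.log whether DARPI came up
# on the interface we expect, or only logged "no IPv4 address assigned".
# Log format is assumed from the ArpON output quoted in the post above.

# arpon_protected_iface LOGFILE
#   Prints the interface named in the most recent "DARPI on dev(IFACE)" line,
#   or nothing if DARPI never came up.
arpon_protected_iface() {
    sed -n 's/.*DARPI on dev(\([^)]*\)).*/\1/p' "$1" | tail -n 1
}

# arpon_unprotected_ifaces LOGFILE
#   Prints (one per line) the interfaces arpon refused to protect because
#   they had no IPv4 address, i.e. the failure mode seen with a dead eth0.
arpon_unprotected_ifaces() {
    sed -n 's/.*WARNING: \([^:]*\): no IPv4 address assigned.*/\1/p' "$1" | sort -u
}

# arpon_check LOGFILE EXPECTED_IFACE
#   Returns 0 if DARPI is active on EXPECTED_IFACE, 1 otherwise, with a
#   one-line explanation on stdout.
arpon_check() {
    log=$1
    want=$2
    have=$(arpon_protected_iface "$log")
    if [ "$have" = "$want" ]; then
        echo "OK: DARPI active on $want"
        return 0
    fi
    missing=$(arpon_unprotected_ifaces "$log" | tr '\n' ' ')
    echo "FAIL: DARPI not active on $want (protecting: ${have:-none}; no IPv4 address on: ${missing:-none})"
    return 1
}

# write_sample_log good|bad FILE
#   Constructed sample logs (MACs anonymised), copied from the post's output.
write_sample_log() {
    case "$1" in
        good) cat > "$2" <<'EOF'
11:26:35 - Wait link connection on wlan0...
11:26:40 - DARPI on dev(wlan0) inet(192.168.0.2) hw(yy:yy:yy:yy:yy:yy)
11:26:40 - Deletes these Arp Cache entries:
11:26:40 - 1) 192.168.0.1 -> xx:xx:xx:xx:xx:xx
11:26:40 - Cache entry timeout: 500 milliseconds.
11:26:40 - Realtime Protect actived!
11:26:40 - Request >> Add entry 192.168.0.1
11:26:40 - Reply << Refresh entry 192.168.0.1 -> xx:xx:xx:xx:xx:xx
EOF
        ;;
        bad) cat > "$2" <<'EOF'
11:15:04 - WARNING: eth0: no IPv4 address assigned
EOF
        ;;
    esac
}

# Stand-alone demo against the constructed logs. On a real box you would
# run: arpon_check /var/log/arpon/arpon.log wlan0
GOOD_LOG=$(mktemp)
BAD_LOG=$(mktemp)
write_sample_log good "$GOOD_LOG"
write_sample_log bad "$BAD_LOG"
arpon_check "$GOOD_LOG" wlan0 || true
arpon_check "$BAD_LOG" wlan0 || true
rm -f "$GOOD_LOG" "$BAD_LOG"
```

The check keys on the "DARPI on dev(...)" line rather than on "Realtime Protect actived!" so that it also tells you which interface got protected; that is exactly the distinction that mattered in the eth0/wlan0 case above.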
Of course, the only real way to see if it is working is to try to ARP poison your own machine, but I'll leave that exercise to you…