Archived from groups: comp.security.firewalls (More info?)
Hi,
Using SunScreen, can I also block ARP broadcasts on a SUN
Solaris machine? When an IP address is plumbed on the SUN machine, I
don't want the ARP broadcast to be sent. Any ideas?
In article <1126018790.903500.108880@f14g2000cwb.googlegroups.com>,
Saju <sajugo@lucent.com> wrote:
:Using sunscreen, can I be able to block ARP broadcasts also on SUN
:solaris machine? When an IP address is plumbed on the SUN machine, I
:don't want the ARP broadcast to be sent. Any ideas?
To check: you do not want the SUN to -answer- ARP broadcasts,
or you do not want the SUN to -send- ARP broadcasts?
Either way, in order to be able to communicate with the machines
that you want it to be able to communicate with, you would have
to enter static ARP entries for all of the other machines.
If you are going to do that, then perhaps null-routing all other
addresses would work for you?
--
Entropy is the logarithm of probability -- Boltzmann
>> To check: you do not want the SUN to -answer- ARP broadcasts,
>> or you do not want the SUN to -send- ARP broadcasts?
SUN should not be able to send ARP broadcasts.
And, I will not be able to add static ARP entries in all the machines
in the same subnet for access control reasons.
Also, even if I null-route all other addresses, ARP broadcasts will
reach the other machines. ARP broadcasts sent when I plumb an IP address on
my Solaris machine do reach the other Solaris machines on the same
subnet (even when I have null-routing for this subnet).
Saju <sajugo@lucent.com> wrote:
> >> To check: you do not want the SUN to -answer- ARP broadcasts,
> >> or you do not want the SUN to -send- ARP broadcasts?
> SUN should not be able to send ARP broadcasts.
> And, I will not be able to add static ARP entries in all the machines
> in the same subnet for access control reasons.
If there is no ARP and no static ARP, then there will be no communication
with IP.
Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
>If there is no ARP and no static ARP, then there will be no communication with IP.
Actually that is my intent. For some period of time, I want this
particular Solaris machine to be isolated (without taking out this
machine physically). During this time, I will be doing some operations
on this machine and that should not interfere with the outside world.
Example:
I have SUN Solaris machines A (X.Y.Z.A), B (X.Y.Z.B) and C (X.Y.Z.C) in
the same subnet. Machine B has the IP X.Y.Z.D (logical interface) also
plumbed on it.
Now, I want machine A to be isolated for some time. I will apply
SunScreen to A so that it won't interact with either B or C. But, during
this time I need to plumb the same IP X.Y.Z.D (which is already on B)
on machine A also. During this time, ARP broadcast should not go out so
that machine C updates its ARP cache with MAC of A.
After the desired time, I will unplumb the IP X.Y.Z.D on B and remove
the SunScreen policies. Now, for the ARP caches to be updated with the
MAC of A for IP X.Y.Z.D, I will DOWN and UP the corresponding interface
on machine A using ifconfig.
That's basically about it.
Saju <sajugo@lucent.com> wrote:
> >If there is no ARP and no static ARP, then there will be no communication with IP.
> Actually that is my intent. For some period of time, I want this
> particular Solaris machine to be isolated (without taking out this
> machine physically).
Why not just shut down the Ethernet interface with ifconfig?
Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
Saju <sajugo@lucent.com> wrote:
> Some application needs to come up on this machine A which will use this
> IP.
Why not set up a virtual interface with this IP then?
Yours,
VB.
--
"It cannot be that the frustrated people in Rome decide what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
I think what I will do is disable ARP for the physical interface using
the ifconfig command.
Thanks for all the suggestions.
Volker Birk wrote:
> Saju <sajugo@lucent.com> wrote:
> > Some application needs to come up on this machine A which will use this
> > IP.
>
> Why not set up a virtual interface with this IP then?
>
> Yours,
> VB.
> --
> "It cannot be that the frustrated people in Rome decide what happens in
> German bedrooms".
> Harald Schmidt on "World Youth Day"
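
A way to verify the outcome the thread is after, as an added example that is not part of any post: it parses captured Ethernet frames and reports ARP packets that claim the shared address from a MAC other than its current owner, so you can confirm machine A stays silent while ARP is disabled on its interface. The MAC addresses, the 192.0.2.x addresses (standing in for X.Y.Z.D and its neighbours) and the frames themselves are constructed sample data, and the function names are hypothetical.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6

def parse_arp(frame):
    """Return fields of an Ethernet/IPv4 ARP frame, or None if it is not one."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "broadcast": frame[:6] == BROADCAST,
        "op": op,  # 1 = request, 2 = reply
        "sender_mac": sha.hex(":"),
        "sender_ip": socket.inet_ntoa(spa),
        "target_ip": socket.inet_ntoa(tpa),
        "gratuitous": spa == tpa,  # announcement of the sender's own address
    }

def arp_leaks(frames, watched_ip, allowed_mac):
    """ARP frames that claim watched_ip from any MAC other than allowed_mac."""
    parsed = (parse_arp(f) for f in frames)
    return [a for a in parsed
            if a and a["sender_ip"] == watched_ip and a["sender_mac"] != allowed_mac]

def build_arp(src_mac, op, spa, tpa):
    """Build a broadcast ARP frame; used only for the constructed sample below."""
    eth = struct.pack("!6s6sH", BROADCAST, src_mac, ETHERTYPE_ARP)
    return eth + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, src_mac,
                             socket.inet_aton(spa), b"\x00" * 6, socket.inet_aton(tpa))

# Constructed sample: B owns 192.0.2.4 (standing in for X.Y.Z.D); A must stay silent.
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
SAMPLE = [
    build_arp(MAC_B, 1, "192.0.2.4", "192.0.2.3"),  # B resolving C: expected
    build_arp(MAC_A, 1, "192.0.2.4", "192.0.2.4"),  # A announcing the shared IP: leak
    build_arp(MAC_A, 1, "192.0.2.1", "192.0.2.3"),  # A using its own address: ignored
]

if __name__ == "__main__":
    for leak in arp_leaks(SAMPLE, "192.0.2.4", MAC_B.hex(":")):
        print(leak)
```

An empty result over a capture taken on the subnet during the isolation window means no frame advertised the shared IP from machine A's MAC.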