I've been working on setting up an nftables ARP table script and wanted to get some feedback.
My goal is to restrict ARP traffic so that only ARP replies to the gateway are allowed, blocking any other ARP types to prevent the MAC address of the device from being exposed.
I've added a permanent static ARP entry for the gateway, and it stops Debian from having to keep updating the cache. That works fine.
I've then created a script located at /etc/nftables.conf.d/arp-block.conf with the goal to drop all inbound ARP traffic except that coming from the gateway.
Outbound-wise, the goal was to only allow replies to the gateway (also blocking ARP announcements).
While this configuration successfully blocks unwanted ARP traffic in the input chain, the outbound rule doesn't work.
I referenced the nftables documentation (see https://wiki.nftables.org/wiki-nftables ... utes#Ether) and according to the reference, saddr exists while daddr does not.
I took a glance at the source code (although I'm not proficient) and it suggested both to be present, but my observations matched the documentation and all outbound ARP traffic was dropped.
I've then moved on to trying to only allow arp operation reply; however, an ARP request isn't dropped...
Has anyone else experienced this issue or found a workaround for enforcing ARP restrictions in the output chain using ether daddr? Any insights or suggestions would be greatly appreciated!
Code:
table arp filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # Allow Ethernet traffic from the specific MAC address (MAC_ADDR_GATEWAY).
        ether saddr MAC_ADDR_GATEWAY log prefix "Gateway in: " counter accept
        log prefix "dropped in: " counter
    }
    chain output {
        type filter hook output priority 0; policy drop;
        # Allow ARP replies to the gateway
        ether daddr MAC_ADDR_GATEWAY log prefix "Gateway out: " counter accept
        log prefix "dropped out: " counter
    }
}
Code:
# Replies are allowed ok, requests aren't anywhere...
arp operation { 1 } log prefix "Be request: " counter drop
arp operation { 2 } log prefix "Be reply: " counter accept
I'm trying not to install arptables, as it would defeat the purpose of having nftables.
Thanks in advance
Statistics: Posted by aferreira — 2024-06-27 20:43 — Replies 0 — Views 40
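An added example, not code from the original post: a small POSIX shell script that generates the same two-chain arp-family ruleset, but the output chain matches on the ARP payload fields (arp operation, arp daddr ether, arp daddr ip) instead of the Ethernet header's ether daddr, and the input chain uses arp saddr ether. The script validates the gateway MAC/IP arguments, writes the ruleset to a file and syntax-checks it with nft -c -f when nft is installed. The gateway values 00:11:22:33:44:55 / 192.168.1.1, the script name and the output path are placeholders; that the payload-based output match behaves differently from ether daddr on the poster's kernel is an assumption to confirm with the chain counters, and arp saddr ether / arp daddr ether need a reasonably recent nft.

```shell
#!/bin/sh
# Added example, not code from the original post. It generates an arp-family
# nftables ruleset that filters on the ARP payload (arp operation, arp saddr
# ether, arp daddr ether, arp daddr ip) rather than on the Ethernet header,
# then syntax-checks the file with `nft -c -f`. Gateway MAC/IP values and the
# output path are placeholders to be replaced with the real ones.
set -eu

# Return 0 if $1 looks like a colon-separated MAC address (aa:bb:cc:dd:ee:ff).
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Print the ruleset for gateway MAC $1 and gateway IPv4 $2 to stdout.
arp_ruleset() {
    gw_mac=$1
    gw_ip=$2
    valid_mac "$gw_mac" || { echo "bad MAC address: $gw_mac" >&2; return 1; }
    valid_ipv4 "$gw_ip" || { echo "bad IPv4 address: $gw_ip" >&2; return 1; }
    cat <<EOF
table arp filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # Accept only ARP frames whose sender hardware address is the gateway's.
        arp saddr ether $gw_mac log prefix "Gateway in: " counter accept
        log prefix "dropped in: " counter
    }
    chain output {
        type filter hook output priority 0; policy drop;
        # Accept replies whose ARP target hardware and protocol address is the
        # gateway. These fields live in the ARP payload, so the match does not
        # depend on the Ethernet header being visible in the output hook.
        arp operation reply arp daddr ether $gw_mac arp daddr ip $gw_ip log prefix "Gateway out: " counter accept
        # Requests, gratuitous announcements and probes fall through to the drop policy.
        log prefix "dropped out: " counter
    }
}
EOF
}

# Write the ruleset to file $1 (gateway MAC $2, IPv4 $3) and, when nft is
# installed, parse and evaluate it without loading anything into the kernel.
write_and_check() {
    out=$1
    arp_ruleset "$2" "$3" > "$out"
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$out"
    else
        echo "nft not found; skipped syntax check of $out" >&2
    fi
}

# Count the accept rules in a ruleset file: a quick sanity check that the
# generated policy is as narrow as intended (exactly one accept per chain).
accept_rule_count() {
    grep -c ' accept$' "$1"
}

# Usage (assumed values):
#   ./arp-gw-only.sh 00:11:22:33:44:55 192.168.1.1 /etc/nftables.conf.d/arp-block.conf
# Then load with `nft -f <file>` and watch the counters with `nft list table arp filter`.
if [ "$#" -eq 3 ]; then
    write_and_check "$3" "$1" "$2"
fi
```

Two caveats worth keeping in mind with this design: with policy drop on the output chain, the host can never send its own ARP requests, so only hosts with a static neighbour entry (here the gateway) are reachable and any other LAN peer is cut off; and the arp family only sees ARP, so IPv6 neighbour discovery (ICMPv6) on the same link still needs an inet/ip6 rule if the same exposure concern applies there.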