Sunday, January 18, 2004

Using Sysctl on FreeBSD

I read a thread on FreeBSD-Security about seeing ARP messages on FreeBSD servers acting as firewalls or gateways. Essentially FreeBSD reports seeing the MAC address for the upstream gateway flip-flop. In other words, the upstream gateway reports MAC address X, then Y, then X, and so on.

The replies in the thread reported using sysctl to change kernel state. How could you figure this out if you didn't know the appropriate variable to change?

First, use grep with sysctl to see if any variables involve ARP:

bash-2.05b$ sysctl -a | grep -i arp
1
1

These look interesting. What do they mean?

bash-2.05b$ sysctl -d log arp packets arriving on the wrong interface

bash-2.05b$ sysctl -d log arp replies from MACs different than the one in the cache

We can disable either of these variables using syntax like the following:

bash-2.05b$ sudo sysctl
Password:
1 -> 0

You can set it back to the default by setting the value to 1. To make this a permanent change, make the following entry in /boot/loader.conf: 1
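The whole point of leaving the second variable enabled is that the kernel logs every time a neighbour's MAC changes, which is exactly the flip-flop the thread was chasing. The following is an added example, not code from the original post: it parses the kernel's "arp: <ip> moved from <mac> to <mac> on <iface>" messages out of syslog and reports hosts whose ARP entry keeps bouncing between MACs, so a gateway flapping stands out from a one-off move such as a replaced NIC. The log lines are constructed for the example; the host name, interface names and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines: four rapid moves for the gateway
# (a flip-flop), one single move for another host, one unrelated line.
SAMPLE_LOG = """\
Jan 18 09:00:01 fw kernel: arp: 192.168.1.1 moved from 00:11:22:33:44:55 to 00:aa:bb:cc:dd:ee on fxp0
Jan 18 09:00:03 fw kernel: arp: 192.168.1.1 moved from 00:aa:bb:cc:dd:ee to 00:11:22:33:44:55 on fxp0
Jan 18 09:00:05 fw kernel: arp: 192.168.1.1 moved from 00:11:22:33:44:55 to 00:aa:bb:cc:dd:ee on fxp0
Jan 18 09:00:07 fw kernel: arp: 192.168.1.1 moved from 00:aa:bb:cc:dd:ee to 00:11:22:33:44:55 on fxp0
Jan 18 09:05:00 fw kernel: arp: 192.168.1.50 moved from 00:01:02:03:04:05 to 00:01:02:03:04:06 on fxp1
Jan 18 09:06:00 fw sshd[123]: Accepted publickey for admin from 192.168.1.50
"""

# Shape of the message the kernel logs when ARP movement logging is on.
ARP_MOVED = re.compile(
    r"arp: (?P<ip>\d+\.\d+\.\d+\.\d+) moved from (?P<old>[0-9a-f:]{17}) "
    r"to (?P<new>[0-9a-f:]{17}) on (?P<iface>\S+)$"
)


def parse_arp_movements(log_text):
    """Return (ip, old_mac, new_mac, iface) for every 'moved' line, in order."""
    events = []
    for line in log_text.splitlines():
        m = ARP_MOVED.search(line)
        if m:
            events.append((m["ip"], m["old"], m["new"], m["iface"]))
    return events


def find_flapping(events, threshold=3):
    """Map IP -> sorted list of MACs for hosts that moved at least `threshold` times.

    A single move (new NIC, host replaced) stays below the threshold; a gateway
    bouncing between two MACs does not."""
    moves = defaultdict(int)
    macs = defaultdict(set)
    for ip, old, new, _iface in events:
        moves[ip] += 1
        macs[ip].update((old, new))
    return {ip: sorted(macs[ip]) for ip, n in moves.items() if n >= threshold}


if __name__ == "__main__":
    for ip, mac_list in find_flapping(parse_arp_movements(SAMPLE_LOG)).items():
        print(f"{ip} flapping between {', '.join(mac_list)}")
```

Feed it /var/log/messages from a box with the logging variable left at its default, and anything it reports is worth checking against whatever redundancy scheme (or lack of one) the upstream gateway is supposed to be running.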