Using Sysctl on FreeBSD

I read a thread on FreeBSD-Security about seeing ARP messages on FreeBSD servers acting as firewalls or gateways. Essentially FreeBSD reports seeing the MAC address for the upstream gateway flip-flop. In other words, the upstream gateway reports MAC address X, then Y, then X, and so on.

The replies in the thread reported using sysctl to change kernel state. How could you figure this out if you didn't know the appropriate variable to change?

First, use grep with sysctl to see if any variables involve ARP:

bash-2.05b$ sysctl -a | grep -i arp
net.link.ether.inet.log_arp_wrong_iface: 1
net.link.ether.inet.log_arp_movements: 1

These look interesting. What do they mean?

bash-2.05b$ sysctl -d net.link.ether.inet.log_arp_wrong_iface
net.link.ether.inet.log_arp_wrong_iface: log arp packets arriving on the wrong interface

bash-2.05b$ sysctl -d net.link.ether.inet.log_arp_movements
net.link.ether.inet.log_arp_movements: log arp replies from MACs different
than the one in the cache

We can disable either of these variables using syntax like the following:

bash-2.05b$ sudo sysctl net.link.ether.inet.log_arp_wrong_iface=0
Password:
net.link.ether.inet.log_arp_wrong_iface: 1 -> 0

You can set it back to the default by setting the value=1. To make this a permanent change, make the following entry in the /boot/loader.conf:

net.link.ether.inet.log_arp_wrong_iface: 1

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics