There is well known problem arp poisoning problem in FreeBSD. If arp reply is received without request FreeBSD logs error into syslog, but changes arp table entry. It makes possibility for local atacker to change arp cache entry. In network this behaviour can only occure when adapter changes it's MAC address. Attached is patch to check old MAC address before changing arp entry by sending unicast arp request to this MAC. If old MAC replies, no changes to arp table is made and attack is logged. Same patch for linux was published by Buggzy. Patch was tested for FreeBSD 4.6 - 5.0. To apply patch do: download http://freecap.ru/if_ether.c.patch # cd /sys/netinet # patch < /path/to/patch and rebuild the kernel.
