Re: Filtering packets where source mac address does not match ip-mac mapping

On Mon, 31 Jan 2005, Vytautas Krakauskas wrote:

> Is this supposed to be that way?

Yes.

> If yes - why?

Because of routing.

Your ARP table defines how you should route packets on the local Ethernet once IP has decided the packet is destined to the local Ethernet, not how others may route IP packets to you.

If you think about it in a large scope looking at your Internet router then this is very obvious. The Internet router is allowed to send packets to you with virtually any source IP address except maybe your local lan, but the same also applies to the local lan to various degrees depending on your network design.

> Is there any way to tell kernel to ignore such packets, without using arptables/ebtables/iptables?

One very secure way would be to place each station in a separate VLAN (assuming you have a VLAN capable switch) and then use rp_filter to have the kernel automatically firewall/filter the sender addresses. If you need traffic between the local stations then proxy-arp for them.


arptables isn't really relevant to your question. It only controls how you react on ARP queries, not what others may send to you.

iptables is perhaps the most proper tool for the job, or maybe ebtables.

Regards
Henrik
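As an added example (not code from Henrik's message or the thread): a POSIX shell helper that turns a static IP-to-MAC mapping into the iptables rules Henrik's last suggestion points at, using the iptables `mac` match, and emits the rp_filter sysctl for the per-station VLAN approach. The interface name `eth0` and the mapping entries are constructed placeholders; the script prints the commands rather than applying them.

```shell
#!/bin/sh
# Generate iptables rules that DROP inbound IP packets whose Ethernet source
# MAC does not match the expected MAC for that source IP. Mapping format,
# one entry per line on stdin: "<ip> <mac>". Lines starting with '#' are skipped.
# The interface and mapping used below are constructed placeholders.

# Args: $1 = interface; stdin = mapping lines. Prints rules, does not apply them.
# Returns 1 (and prints nothing further) on the first malformed MAC.
gen_ipmac_rules() {
    iface="$1"
    while read -r ip mac; do
        # skip blank lines and comments
        case "$ip" in ''|'#'*) continue ;; esac
        # reject malformed MACs early: six colon-separated hex pairs
        if ! printf '%s' "$mac" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            echo "bad mac for $ip: $mac" >&2
            return 1
        fi
        # '-m mac ! --mac-source' matches frames from any OTHER MAC claiming this IP
        printf 'iptables -A INPUT -i %s -s %s -m mac ! --mac-source %s -j DROP\n' \
            "$iface" "$ip" "$mac"
    done
}

# Sysctl for the VLAN-per-station approach: strict reverse-path filtering on
# the interface so spoofed sender addresses are dropped by the kernel itself.
rp_filter_cmd() {
    printf 'sysctl -w net.ipv4.conf.%s.rp_filter=1\n' "$1"
}

# Constructed sample mapping (not taken from the original thread).
SAMPLE_MAP='192.168.1.10 00:11:22:33:44:55
192.168.1.11 00:11:22:33:44:66'

# Run with --demo to print the rules for the sample mapping.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_MAP" | gen_ipmac_rules eth0
    rp_filter_cmd eth0
fi
```

Pipe the printed rules into a root shell only after reviewing them; a mistyped mapping will drop the legitimate host's traffic.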