Advanced Arp Settings - D-Link NetDefend DFL-210 User Manual

Network security firewall

3.4.5. Advanced ARP Settings

There are two publishing modes: Publish and XPublish. The difference between the two is that
XPublish "lies" about the sender Ethernet address in the Ethernet header; it is set to the published
Ethernet address rather than the actual Ethernet address of the Ethernet interface. If a published
Ethernet address is the same as the Ethernet address of the interface, it makes no difference whether
you select Publish or XPublish; the result is the same.
This section presents some of the advanced settings related to ARP. In most cases, these settings
need not be changed, but in some deployments, modifications might be needed. Most can be
found in the WebUI by going to ARP > Advanced Settings.
Multicast and Broadcast
ARP requests and ARP replies containing multicast or broadcast addresses are normally never valid,
with the exception of certain load balancing and redundancy devices, which make use of hardware
layer multicast addresses.
The default behaviour of NetDefendOS is to drop and log such ARP requests and ARP replies. This
can however be changed by modifying the Advanced Settings ARPMulticast and ARPBroadcast.
Unsolicited ARP Replies
It is possible for a host on the LAN to send an ARP reply to the firewall even though no
corresponding ARP request has been issued. According to the ARP specification, the recipient
should accept these types of ARP replies. However, because this can facilitate hijacking of local
connections, NetDefendOS will normally drop and log such replies.
The behavior can be changed by modifying the Advanced Setting UnsolicitedARPReplies.
ARP Requests
The ARP specification states that a host should update its ARP Cache with data from ARP requests
received from other hosts. However, as this procedure can facilitate hijacking of local connections,
NetDefendOS will normally not allow this.
To make the behavior compliant with the RFC 826 specification, the administrator can modify the
Advanced Setting ARPRequests. Even if ARPRequests is set to "Drop", meaning that the packet is
discarded without its sender being stored, the system will still reply to the request, provided that
other rules approve it.
Changes to the ARP Cache
NetDefendOS provides a few settings controlling how changes to the ARP cache are managed.
A received ARP reply or ARP request may alter an existing item in the ARP cache.
Allowing this to take place may allow hijacking of local connections. However, not allowing it
may cause problems if, for example, a network adapter is replaced, as NetDefendOS will not accept
the new address until the previous ARP cache entry has timed out.
The Advanced Setting ARPChanges can be adjusted to change the behavior. The default behaviour
is that NetDefendOS will allow changes to take place, but all such changes will be logged.
Another, similar, situation is where information in ARP replies or ARP requests would collide with
static entries in the ARP cache. Naturally, this is never allowed to happen. However, changing the
Advanced Setting StaticARPChanges allows the administrator to specify whether or not such
Tip
In the configuration of ARP entries, addresses may only be published one at a time.
However, you can use the ProxyARP feature to handle publishing of entire networks
(see Section 4.2.4, "Proxy ARP").
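The settings described in this section amount to a policy for which ARP traffic may update the cache. The following Python simulator is an added example, not NetDefendOS code, and it covers all of the settings at once: it parses IPv4-over-Ethernet ARP frames and applies checks mirroring ARPMulticast, ARPBroadcast, UnsolicitedARPReplies, ARPRequests, ARPChanges and StaticARPChanges, with defaults matching the behaviour the manual describes. The `ArpCache` class, `build_arp_frame`, `parse_arp`, the action names ("drop+log", "accept+log", "accept", "drop"), and all MAC and IP addresses are the example's own constructions; treating StaticARPChanges as controlling only logging (the static entry is never overwritten either way) is an assumption. The frame builder also takes the Ethernet source address separately from the ARP sender hardware address, which is the one field the Publish/XPublish distinction above is about.

```python
# Added example: ARP-cache policy simulator modelled on the manual's settings.
# Not NetDefendOS code; setting values and class names are this example's own.
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6

# Defaults mirror the described behaviour: drop and log multicast/broadcast
# addresses and unsolicited replies, do not learn from requests, accept but log
# changes to dynamic entries, and log collisions with static entries.
DEFAULT_POLICY = {
    "ARPMulticast": "drop+log", "ARPBroadcast": "drop+log",
    "UnsolicitedARPReplies": "drop+log", "ARPRequests": "drop+log",
    "ARPChanges": "accept+log", "StaticARPChanges": "drop+log",
}


def build_arp_frame(op, sha, spa, tha, tpa, eth_src=None):
    """Build an IPv4-over-Ethernet ARP frame (constructed test input).
    eth_src defaults to sha; an XPublish-style frame carries the published
    address in the Ethernet header as well as in the ARP sender field."""
    def ip(s):
        return bytes(int(o) for o in s.split("."))
    eth_src = sha if eth_src is None else eth_src
    eth_dst = BROADCAST if op == ARP_REQUEST else tha
    return (eth_dst + eth_src + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + sha + ip(spa) + tha + ip(tpa))


def parse_arp(frame):
    """Return (op, sha, spa, tha, tpa) for an IPv4/Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    def fmt_ip(b):
        return ".".join(str(o) for o in b)
    return op, frame[22:28], fmt_ip(frame[28:32]), frame[32:38], fmt_ip(frame[38:42])


class ArpCache:
    def __init__(self, own_ip, policy=None):
        self.own_ip = own_ip
        self.policy = dict(DEFAULT_POLICY, **(policy or {}))
        self.dynamic = {}     # ip -> mac learned from traffic
        self.static = {}      # ip -> mac configured by the administrator
        self.pending = set()  # IPs for which we have sent our own ARP request
        self.log = []

    def send_request(self, ip):
        self.pending.add(ip)  # a real stack would also emit the request frame

    def _check(self, setting, reason):
        """Log if the setting asks for it; return True if the packet must be dropped."""
        action = self.policy[setting]
        if action.endswith("+log"):
            self.log.append(f"{setting}: {reason}")
        return action.startswith("drop")

    def _learn(self, ip, mac):
        """Insert or update a dynamic entry, subject to ARPChanges/StaticARPChanges."""
        if ip in self.static:
            if self.static[ip] != mac:
                # Assumption: static entries are never overwritten; the setting
                # only decides whether the collision is logged.
                self._check("StaticARPChanges", f"{ip} claimed by {mac.hex(':')}, static entry kept")
                return "drop"
            return "accept"
        old = self.dynamic.get(ip)
        if old is not None and old != mac:
            if self._check("ARPChanges", f"{ip} moved from {old.hex(':')} to {mac.hex(':')}"):
                return "drop"
        self.dynamic[ip] = mac
        return "accept"

    def handle(self, frame):
        """Process one received frame; return 'drop', 'accept' or 'reply'."""
        parsed = parse_arp(frame)
        if parsed is None:
            return "drop"
        op, sha, spa, tha, tpa = parsed
        if sha == BROADCAST:
            if self._check("ARPBroadcast", f"broadcast sender address from {spa}"):
                return "drop"
        elif sha[0] & 0x01:  # I/G bit set: a group (multicast) hardware address
            if self._check("ARPMulticast", f"multicast sender {sha.hex(':')} from {spa}"):
                return "drop"
        if op == ARP_REPLY:
            if spa in self.pending:
                self.pending.discard(spa)
            elif self._check("UnsolicitedARPReplies", f"reply for {spa} without a request"):
                return "drop"
            return self._learn(spa, sha)
        if op == ARP_REQUEST:
            # ARPRequests=drop: discard without storing the sender; otherwise learn (RFC 826).
            learned = "drop" if self.policy["ARPRequests"].startswith("drop") else self._learn(spa, sha)
            # Requests for our own address are still answered, whatever ARPRequests says.
            return "reply" if tpa == self.own_ip else learned
        return "drop"


if __name__ == "__main__":
    fw = ArpCache("192.168.1.1")
    fw.send_request("192.168.1.20")
    ours = bytes.fromhex("0200000000fe")
    for frame in (
        build_arp_frame(ARP_REPLY, bytes.fromhex("020000000020"), "192.168.1.20", ours, "192.168.1.1"),
        build_arp_frame(ARP_REPLY, bytes.fromhex("020000000030"), "192.168.1.30", ours, "192.168.1.1"),
        build_arp_frame(ARP_REQUEST, bytes.fromhex("01005e000001"), "192.168.1.40", b"\x00" * 6, "192.168.1.1"),
    ):
        print(fw.handle(frame))
    print(fw.log)
```

Run as a script it prints `accept`, `drop`, `drop` followed by the log lines for the unsolicited reply and the multicast sender; passing `{"ARPRequests": "accept"}` as the policy switches the cache to RFC 826 behaviour, where senders of requests are learned as well.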
71
Chapter 3. Fundamentals
