Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
ipguard(8)		    System Manager's Manual		    ipguard(8)

NAME
       ipguard - tool designed to protect Ethernet LAN IP address space	by ARP
       spoofing.

SYNOPSIS
       ipguard [-h] [-ajgrxziovd] [-f ethers] [-l log] [-p pid]	[-m  mac]  [-c
       filter] [-u seconds] [-k	seconds] [-n fakes] [-t	mseconds] [-b buf] [-s
       user] <iface>

DESCRIPTION
       ipguard listens network for ARP packets.	 All  permitted	 MAC-IP	 pairs
       listed  in 'ethers' file. If it receives	one with MAC-IP	pair, which is
       not listed in 'ethers' file, it will send  ARP  reply  with  configured
       fake  address. This will	prevent	not permitted host to work properly in
       local ethernet segment.

OPTIONS
       -f | -e	ethers
	      Ethers file. Format of `ethers' file described  in  `ethers.sam-
	      ple' and ethers(5). Default `/etc/ethers'.

       -l  log
	      Log file.	Default	`/var/log/ipguard_<iface>.log'.

       -p  pid
	      Pid file.	Default	`/var/run/ipguard_<iface>.pid'.

       -m  mac
	      Fake  MAC	 address. Will be sent in ARP reply as MAC of unlisted
	      computer.	Default	`de:ad:xx:xx:xx:xx', `x' == random hex number.

       -c  filter
	      PCAP filter expression. Default no filter.

       -u  seconds
	      Update ethers interval. Time between checks  `ethers'  file  for
	      changes and rescan if any. Default 0 == no autoupdate.

       -k  seconds
	      Periodic	regenerate  fake MAC address. Default 0	== no regener-
	      ate.

       -n  fakes
	      Fake replies number. Default 2 replies.

       -t  mseconds
	      Time between fakes. Default 50 milliseconds.

       -b  buf
	      MAC buffer size. Number of last bad MAC-IP pairs stored in  buf-
	      fer. Default 0 ==	no buffer.

       -s  user
	      Drop root	privileges to user. Default do not drop.

       -a     No address substitution. Like 0.0.0.0 or 00:00:00:00:00:00.

       -j     Disable first MAC-IP pair	autodetect from	interface.

       -g     Default to grant.	Do not block MAC or IP if both not in list.

       -r     Read only. Do not	send anything to net. Only listen.

       -x     Duplex mode. Send	fake packets not only to pirate	but to request
	      for pirate's address too.

       -z     Send broadcast who-has to	fix all	client ARP  tables  broked  by
	      pirate.

       -i     Hidden mode. Do not block	gratuitous ARP packets.

       -o     Promiscuous mode.	Enable promiscuous mode. Usually useless.

       -v     Verbose. Some more messages.

       -d     Don't  fork.  Do	not  go	 to background and write all events to
	      STDERR.

       -dd    Debug

       -ddd   Debug more

       -h     Help. Short command line parameters description.

EXAMPLES
       Normal recommended mode,	duplex,	broadcast fix, autoupdate  /etc/ethers
       every 5 min:
	      ipguard -xz -u 300 fxp0

       Same but	with PCAP filter for only 192.168.1.0/24 network:
	      ipguard -xz -u 300 -c 'net 192.168.0.0/24' fxp0

       Read-only  mode and remember last 100 not listed	in `ethers' MACs. Use-
       ful for initial MAC-IP pairs collection:
	      ipguard -r -b 100	-f /dev/null rl0

       Run ipguard for a while then `killall -USR2  ipguard'  and  you'll  get
       dump of 100 most	recent MAC-IP pairs.

       Do not go to background and be more verbose, with test ethers file:
	      ipguard -vd -f /tmp/ethers my1

TIPS
       First  MAC-IP  pair  in	`ethers' always	must be	self MAC/IP addresses.
       Normally	them automatically taken from  listening  interface.   But  if
       `-j'  option  specified	then  make  sure  that	first pair is a	source
       MAC/IP.

       If you want to start more than one ipguard on segment  for  redundancy,
       you  must  specify  same	 fake  MAC  address for	every ipguard and find
       method to synchronize `ethers' files.

SIGNALS
       SIGHUP rescan `ethers' and reopen log file

       SIGUSR1
	      dump some	tables and statistics

       SIGUSR2
	      dump new MAC-IP table in ethers(5) format

FILES
       /etc/ethers
	      MAC-IP pairs list

       /var/log/ipguard_<iface>.log
	      log file

       /var/run/ipguard_<iface>.pid
	      pid file

SEE ALSO
       RFC 826,	ethers(5), tcpdump(1), pcap(3),	libnet

BUGS
       Do not use wildcard IP  0.0.0.0	in  `ethers'  with  -x	option.	 Legal
       clients will be banned. Discovered by irix.

       Strange	bug with libnet_get_hwaddr() isn't working on OpenBSD 4.0 dis-
       covered by irix.	Use -j option.

       ipguard will not	prevent	changing MAC address along with	IP by pirate.

       Signals HUP, USR1 or USR2 works only when received new ARP packet. It's
       not a bug, it's a feature.

       When  using  -s	<user>	option ipguard will drop root privileges after
       creating	log and	pid files. So it  will	not  delete  or	 reopen	 these
       files.

       Probably	too many command line options. Another one or two and i'll put
       them all	into /etc/ethers as comments.

       ipguard was written as simple small tool	and i haven't  any  plans  for
       support of external databases SQL/LDAP/Whatever.	Use scripts.

AUTHOR
       SeaD <sead at deep.perm.ru>

								    ipguard(8)

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | TIPS | SIGNALS | FILES | SEE ALSO | BUGS | AUTHOR

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=ipguard&sektion=8&manpath=FreeBSD+12.0-RELEASE+and+Ports>

home | help