Is there a way to filter ARP on an OpenBSD bridge firewall joining a bunch of Ethernet ports with their own VLANs? I'm horrified by the shared Ethernet segments some organizations use for access among mutually untrusting people.

Currently pf does allow me to prevent L3 games, but it seems like it's still possible to deny service by responding to another port's IP address, so the router will learn the wrong MAC address and the packets will be dropped by pf since they have the wrong IP destination for that port.

I'm aware of static ARP, MAC filtering on the switch and DHCP snooping. I'm not too keen on trusting the latter, and the former two are a nightmare to manage (and I'd like to be able to use DHCP to hand out static addresses to some clueless people, while not forcing DHCP on some machines). I also would rather avoid wasting obscene amounts of IP addresses by giving each VLAN its own subnet.

This is the classic "hotel" scenario, for which I can find many dissatisfactory solutions (either DHCP snooping or Cisco "private" VLANs that won't allow communication within the subnet without silly proxy ARP hacks on the router), and scary examples of shared Ethernet segments with Windows broadcasts storming in...

General ideas on securing Ethernet are also welcome (I don't really like the idea of having separate servers sharing a subnet, either - and we had a discussion about the wrong solutions a while ago.)

-- Jussi Peltola
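The failure mode in the post (a host on one bridge port answering ARP for another port's IP so the router caches the wrong MAC) leaves a visible trace: the same IP is claimed by a different MAC, or arrives on a different bridge member, than before. The following is an added example, not code from the poster, showing how a small monitor in the spirit of arpwatch can flag that on the bridge. It assumes tcpdump-style ARP reply lines captured per member interface, an authoritative IP-to-(MAC, port) table taken from DHCP leases or static configuration, and a constructed capture using addresses from the RFC 5737/7042 documentation ranges. It is detection only, complementary to the static ARP and switch-side controls the post mentions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# tcpdump-style ARP reply, e.g. "ARP, Reply 10.0.0.1 is-at 00:00:5e:00:53:01, length 28"
ARP_REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")


@dataclass(frozen=True)
class Binding:
    mac: str   # MAC claimed for the IP (sender hardware address)
    port: str  # bridge member interface the claim was seen on


def parse_arp_reply(line: str, port: str) -> Optional[Tuple[str, Binding]]:
    """Return (ip, Binding) for a tcpdump-style ARP reply line, or None for anything else."""
    m = ARP_REPLY_RE.search(line)
    if not m:
        return None
    return m.group(1), Binding(m.group(2).lower(), port)


class ArpMonitor:
    """Track IP-to-(MAC, port) claims and raise alerts on conflicts.

    `authoritative` (assumed to come from DHCP leases or static config) wins over
    anything learned passively; learned bindings still catch port/MAC flips.
    """

    def __init__(self, authoritative: Optional[Dict[str, Binding]] = None):
        self.authoritative: Dict[str, Binding] = dict(authoritative or {})
        self.learned: Dict[str, Binding] = {}
        self.alerts: List[str] = []

    def observe(self, ip: str, seen: Binding) -> str:
        expected = self.authoritative.get(ip)
        if expected is not None and expected != seen:
            # A claim contradicting the assigned binding: the DoS described in the post.
            self.alerts.append(
                f"SPOOF {ip}: {seen.mac} on {seen.port} claims address assigned "
                f"to {expected.mac} on {expected.port}"
            )
            return "conflict"
        prev = self.learned.get(ip)
        if prev is None:
            self.learned[ip] = seen
            return "learned"
        if prev != seen:
            # Binding changed MAC or port; keep the newest so a flip back alerts again.
            self.alerts.append(
                f"FLIP {ip}: {prev.mac}/{prev.port} -> {seen.mac}/{seen.port}"
            )
            self.learned[ip] = seen
            return "flip"
        return "ok"


# Constructed capture: (bridge member the frame arrived on, tcpdump-style line).
SAMPLE_CAPTURE = [
    ("em1", "ARP, Reply 10.0.0.1 is-at 00:00:5e:00:53:01, length 28"),
    ("em2", "ARP, Reply 10.0.0.1 is-at 00:00:5e:00:53:02, length 28"),  # forged claim of em1's IP
    ("em3", "ARP, Reply 10.0.0.7 is-at 00:00:5e:00:53:03, length 28"),
    ("em3", "ARP, Request who-has 10.0.0.9 tell 10.0.0.7, length 28"),  # not a reply, ignored
    ("em4", "ARP, Reply 10.0.0.7 is-at 00:00:5e:00:53:04, length 28"),  # same IP from another port
]


def run_sample() -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Feed the constructed capture through the monitor; returns (verdicts, alerts)."""
    monitor = ArpMonitor(authoritative={"10.0.0.1": Binding("00:00:5e:00:53:01", "em1")})
    verdicts = []
    for port, line in SAMPLE_CAPTURE:
        parsed = parse_arp_reply(line, port)
        if parsed is None:
            continue
        ip, seen = parsed
        verdicts.append((port, ip, monitor.observe(ip, seen)))
    return verdicts, monitor.alerts


if __name__ == "__main__":
    verdicts, alerts = run_sample()
    for port, ip, verdict in verdicts:
        print(f"{port:4} {ip:12} {verdict}")
    for alert in alerts:
        print(alert)
```

Feeding one `tcpdump -n -i <member> arp` stream per bridge member into `parse_arp_reply` with that member's name as `port` is enough to populate the monitor; the port dimension is what distinguishes a legitimate DHCP re-lease (same port, new MAC) from a claim arriving where the address was never assigned.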

