ipguard man page on DragonFly


ipguard(8)							    ipguard(8)

NAME
       ipguard - tool designed to protect Ethernet LAN IP address space by ARP
       spoofing.

SYNOPSIS
       ipguard [-h] [-ajgrxziovd] [-f ethers] [-l log] [-p pid] [-m  mac]  [-c
       filter] [-u seconds] [-k seconds] [-n fakes] [-t mseconds] [-b buf] [-s
       user] <iface>

DESCRIPTION
       ipguard listens on the network for ARP packets. All permitted MAC-IP
       pairs are listed in the `ethers' file. If it receives a packet with a
       MAC-IP pair that is not listed in the `ethers' file, it sends an ARP
       reply with the configured fake address. This prevents the unpermitted
       host from working properly in the local Ethernet segment.

OPTIONS
       -f | -e	ethers
	      Ethers file. The format of the `ethers' file is described in
	      `ethers.sample' and ethers(5). Default `/etc/ethers'.

       -l  log
	      Log file. Default `/var/log/ipguard_<iface>.log'.

       -p  pid
	      Pid file. Default `/var/run/ipguard_<iface>.pid'.

       -m  mac
	      Fake MAC address. Sent in the ARP reply as the MAC of the
	      unlisted computer. Default `de:ad:xx:xx:xx:xx', `x' == random
	      hex digit.

       -c  filter
	      PCAP filter expression. Default no filter.

       -u  seconds
	      Update ethers interval. Time between checks of the `ethers' file
	      for changes, with a rescan if any are found. Default 0 == no
	      autoupdate.

       -k  seconds
	      Periodically regenerate the fake MAC address. Default 0 == no
	      regeneration.

       -n  fakes
	      Number of fake replies. Default 2 replies.

       -t  mseconds
	      Time between fakes. Default 50 milliseconds.

       -b  buf
	      MAC buffer size. Number of most recent bad MAC-IP pairs stored
	      in the buffer. Default 0 == no buffer.

       -s  user
	      Drop root privileges to user. Default do not drop.

       -a     No address substitution. Like 0.0.0.0 or 00:00:00:00:00:00.

       -j     Disable first MAC-IP pair autodetect from interface.

       -g     Default to grant. Do not block a MAC or IP if both are not in
	      the list.

       -r     Read only. Do not send anything to net. Only listen.

       -x     Duplex mode. Send fake packets not only to the pirate but also
	      in response to requests for the pirate's address.

       -z     Send a broadcast who-has to fix all client ARP tables broken by
	      the pirate.

       -i     Hidden mode. Do not block gratuitous ARP packets.

       -o     Promiscuous mode. Enable promiscuous mode. Usually useless.

       -v     Verbose. Some more messages.

       -d     Don't fork. Stay in the foreground and write all events to
	      STDERR.

       -dd    Debug

       -ddd   Debug more

       -h     Help. Short command line parameters description.
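
       The matching rule from DESCRIPTION and the `-g' exception above,
       modelled as an added example (not ipguard's source code; function
       names and sample addresses are constructed, and the verdict wording
       is this example's own reading of the text):

```python
# Added example: models the policy this man page describes; not ipguard's code.
from collections import Counter

def norm(mac):
    """Canonical MAC: lowercase, two hex digits per octet."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def verdict(mac, ip, allowed, grant=False):
    """Classify one ARP sender pair. allowed: set of (mac, ip); grant models -g."""
    mac = norm(mac)
    if (mac, ip) in allowed:
        return "permit: listed pair"
    mac_listed = any(m == mac for m, _ in allowed)
    ip_listed = any(i == ip for _, i in allowed)
    # -g only exempts hosts that are unknown on BOTH sides of the pair.
    if grant and not mac_listed and not ip_listed:
        return "permit: -g, MAC and IP both unlisted"
    if ip_listed:
        return "block: listed IP claimed by another MAC"
    if mac_listed:
        return "block: listed MAC on an unlisted IP"
    return "block: unlisted pair"

def dry_run(observed, allowed, grant=False):
    """Count verdicts for pairs collected in read-only mode (-r)."""
    return Counter(verdict(m, i, allowed, grant) for m, i in observed)

# Constructed sample data (documentation address range, made-up MACs).
ALLOWED = {(norm("00:16:3E:00:00:01"), "192.0.2.1"),
           (norm("0:16:3e:0:0:a"), "192.0.2.10")}
OBSERVED = [
    ("00:16:3e:00:00:0a", "192.0.2.10"),   # listed pair
    ("00:16:3e:00:00:99", "192.0.2.10"),   # unknown MAC claiming a listed IP
    ("00:16:3e:00:00:0a", "192.0.2.77"),   # listed MAC moved to another IP
    ("00:16:3e:00:00:42", "192.0.2.42"),   # entirely unknown host
]

if __name__ == "__main__":
    for grant in (False, True):
        label = "-g" if grant else "default"
        print(label, dict(dry_run(OBSERVED, ALLOWED, grant)))
```

       Only the entirely unknown host changes verdict under `-g'; a pair
       that matches the list on one side only is still blocked.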

EXAMPLES
       Normal recommended mode, duplex, broadcast fix, autoupdate  /etc/ethers
       every 5 min:
	      ipguard -xz -u 300 fxp0

       Same but with PCAP filter for only 192.168.1.0/24 network:
	      ipguard -xz -u 300 -c 'net 192.168.0.0/24' fxp0

       Read-only mode, remembering the last 100 MACs not listed in `ethers'.
       Useful for initial collection of MAC-IP pairs:
	      ipguard -r -b 100 -f /dev/null rl0

       Run ipguard for a while, then `killall -USR2 ipguard' and you'll get
       a dump of the 100 most recent MAC-IP pairs.

       Do not go to background and be more verbose, with test ethers file:
	      ipguard -vd -f /tmp/ethers my1

TIPS
       The first MAC-IP pair in `ethers' must always be the host's own MAC/IP
       addresses. Normally they are taken automatically from the listening
       interface, but if the `-j' option is specified, make sure that the
       first pair is the source MAC/IP.

       If you want to start more than one ipguard on a segment for redundancy,
       you must specify the same fake MAC address for every ipguard and find
       a method to synchronize the `ethers' files.

SIGNALS
       SIGHUP rescan `ethers' and reopen log file

       SIGUSR1
	      dump some tables and statistics

       SIGUSR2
	      dump new MAC-IP table in ethers(5) format

FILES
       /etc/ethers
	      MAC-IP pairs list

       /var/log/ipguard_<iface>.log
	      log file

       /var/run/ipguard_<iface>.pid
	      pid file

SEE ALSO
       RFC 826, ethers(5), tcpdump(1), pcap(3), libnet

BUGS
       Do not use the wildcard IP 0.0.0.0 in `ethers' with the -x option.
       Legal clients will be banned. Discovered by irix.

       Strange bug: libnet_get_hwaddr() does not work on OpenBSD 4.0
       (discovered by irix). Use the -j option.

       ipguard will not prevent a pirate from changing the MAC address along
       with the IP.

       Signals HUP, USR1 and USR2 take effect only when a new ARP packet is
       received. It's not a bug, it's a feature.

       When the -s <user> option is used, ipguard drops root privileges after
       creating the log and pid files, so it will not be able to delete or
       reopen these files.

       Probably too many command line options. Another one or two and I'll put
       them all into /etc/ethers as comments.

       ipguard was written as a simple small tool and I have no plans to
       support external databases (SQL/LDAP/whatever). Use scripts.
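
       Two constraints from this page can be checked before `ethers' is
       reloaded: the first-pair rule from TIPS when `-j' is used, and the
       0.0.0.0 wildcard conflict with `-x' noted above. The following is an
       added example, not part of ipguard; it assumes `MAC host' fields with
       `#' comments as in ethers(5), and its function and parameter names
       are hypothetical:

```python
# Added example: pre-flight check for an ethers file; not part of ipguard.
import re

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2}$")

def canon(mac):
    """Canonical MAC: lowercase, two hex digits per octet."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.split(":"))

def lint_ethers(text, self_pair=None, duplex=False, no_autodetect=False):
    """Return a list of findings for ethers(5) text.

    duplex models a planned -x run, no_autodetect a planned -j run;
    self_pair is the (mac, ip) of the listening interface.
    """
    findings, entries = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue                      # blank line or comment only
        if len(fields) < 2 or not MAC_RE.match(fields[0]):
            findings.append(f"line {lineno}: not a 'MAC host' entry")
            continue
        mac, host = canon(fields[0]), fields[1]
        entries.append((mac, host))
        if duplex and host == "0.0.0.0":  # BUGS: legal clients get banned
            findings.append(f"line {lineno}: wildcard IP 0.0.0.0 used with -x")
    if no_autodetect and self_pair is not None:
        want = (canon(self_pair[0]), self_pair[1])
        if not entries or entries[0] != want:
            findings.append("first entry is not the interface's own MAC/IP (-j)")
    return findings

# Constructed sample file (documentation address range, made-up MACs).
SAMPLE = """\
# constructed sample, not a real network
00:16:3e:00:00:0a 192.0.2.10
00:16:3e:00:00:01 192.0.2.1     # the guard host itself
00:16:3e:00:00:0b 0.0.0.0
00-16-3e-00-00-0c 192.0.2.12
"""

if __name__ == "__main__":
    me = ("00:16:3E:00:00:01", "192.0.2.1")
    for finding in lint_ethers(SAMPLE, me, duplex=True, no_autodetect=True):
        print(finding)
```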

AUTHOR
       SeaD <sead at deep.perm.ru>

								    ipguard(8)