# Lock ARP to specified IP address



## superhil (Aug 4, 2010)

I have a PC router.

I want to lock a client's ARP to a specified IP address so he can't change his IP (if he changes his IP manually, he will be blocked).

Will this work?

```
arp -s (IP/HOST) (ARP/MAC)
```
I think that doesn't work.

I need your help.


----------



## SirDice (Aug 4, 2010)

If there's a router between the machine you're running this on and the client it won't work.

Simplest solution would be to remove the privilege to change his/her IP address from the machine (e.g. remove their administrator access).


----------



## aragon (Aug 4, 2010)

That should work...

Of course you'll need to save it in /etc/rc.conf so that it's restored at boot:


```
static_arp_pairs="blah bleh bloh"
static_arp_blah="1.2.3.4 11:22:33:44:55:66"
static_arp_bleh="1.2.3.5 22:33:44:55:66:77"
static_arp_bloh="1.2.3.6 33:44:55:66:77:88"
```


----------



## superhil (Aug 5, 2010)

aragon said:

> That should work...
> 
> Of course you'll need to save it in /etc/rc.conf so that it's restored at boot:
> 
> ...



Thanks for answering my question.

Is that script the same as the *arp -s* command?


----------



## SirDice (Aug 5, 2010)

Keep in mind that it's rather trivial to change a MAC address on a machine.


----------



## aragon (Aug 5, 2010)

superhil said:

> Is that script the same as the *arp -s* command?


The FreeBSD RC script in question uses arp -S.


----------



## paijo (Aug 10, 2010)

superhil said:

> Thanks for answering my question.
> 
> Is that script the same as the *arp -s* command?



That command should work. If you use -S rather than -s, any existing ARP entry for the host/client will be deleted first.


----------
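
Added example, not part of any post in this thread: a POSIX sh check that compares an ARP table listing with the `static_arp_*` pairs from the rc.conf snippet above, flagging pinned entries that are missing or not permanent and pinned MACs that turn up on a different IP. The function names, the `em0` interface and the sample table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; every value below is constructed sample data.
# Pinned pairs, in the same form as the rc.conf snippet in the thread.
static_arp_pairs="blah bleh bloh"
static_arp_blah="1.2.3.4 11:22:33:44:55:66"
static_arp_bleh="1.2.3.5 22:33:44:55:66:77"
static_arp_bloh="1.2.3.6 33:44:55:66:77:88"

# Constructed table in the layout of `arp -an` (em0 is an assumed interface).
sample_arp_table='? (1.2.3.4) at 11:22:33:44:55:66 on em0 permanent [ethernet]
? (1.2.3.5) at 22:33:44:55:66:77 on em0 expires in 1180 seconds [ethernet]
? (1.2.3.9) at 33:44:55:66:77:88 on em0 expires in 950 seconds [ethernet]'

# Print one "IP MAC" line per name listed in static_arp_pairs.
pinned_pairs() {
    for name in $static_arp_pairs; do
        eval "printf '%s\n' \"\$static_arp_$name\""
    done
}

# audit_arp TABLE: compare an ARP table listing with the pinned pairs.
#   MISSING        pinned IP has no entry at all
#   MISMATCH       pinned IP resolves to a different MAC
#   NOT_PERMANENT  pair is right but only learned dynamically
#   MOVED          pinned MAC is answering for another IP
audit_arp() {
    { pinned_pairs; echo "--"; printf '%s\n' "$1"; } | awk '
    $1 == "--" { in_table = 1; next }
    !in_table  { n++; want_ip[n] = $1; want_mac[n] = tolower($2); next }
    $3 == "at" {
        ip = $2; gsub(/[()]/, "", ip)
        mac[ip] = tolower($4)
        perm[ip] = ($0 ~ / permanent/)
    }
    END {
        for (i = 1; i <= n; i++) {
            ip = want_ip[i]; m = want_mac[i]
            if (!(ip in mac))      print "MISSING " ip
            else if (mac[ip] != m) print "MISMATCH " ip " has " mac[ip]
            else if (!perm[ip])    print "NOT_PERMANENT " ip
            for (seen in mac)
                if (mac[seen] == m && seen != ip)
                    print "MOVED " m " pinned to " ip " seen on " seen
        }
    }'
}

audit_arp "$sample_arp_table"
```

On the router, source /etc/rc.conf in place of the sample variables and call `audit_arp "$(arp -an)"`. The MOVED check only catches a client that keeps its MAC address, which ties in with SirDice's point that a MAC is easy to change.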

