Date:      Thu, 10 Oct 2002 03:09:57 +0200
From:      Paul te Bokkel <paul@tebokkel.com>
To:        questions@freebsd.org
Subject:   Re: Setup routing entry for host with a non-local IP address]
Message-ID:  <20021010010957.GB4639@tebokkel.com>


--UlVJffcvxoiEqYs2
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Forgot to group-reply..


--UlVJffcvxoiEqYs2
Content-Type: message/rfc822
Content-Disposition: inline

Date: Thu, 10 Oct 2002 03:05:35 +0200
From: Paul te Bokkel <paul@tebokkel.com>
To: Matthew Dillon <dillon@apollo.backplane.com>
Subject: Re: Setup routing entry for host with a non-local IP address
Message-ID: <20021010010535.GA4639@tebokkel.com>
References: <20021009151733.GA15162@melusine.cuivre.fr.eu.org> <20021009210242.GA34352@tebokkel.com> <3DA49D72.6070205@potentialtech.com> <200210092201.g99M1YTA007964@apollo.backplane.com> <20021010001956.GA58085@tebokkel.com> <200210100032.g9A0W3lI023123@apollo.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200210100032.g9A0W3lI023123@apollo.backplane.com>
User-Agent: Mutt/1.4i

On Wed, Oct 09, 2002 at 05:32:03PM -0700, Matthew Dillon wrote:
> 
> :> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> :>         inet 216.240.41.17 netmask 0xffffffc0 broadcast 216.240.41.63
> :>         inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
> :>         inet 216.240.41.21 netmask 0xffffffff broadcast 216.240.41.21
> :
> :That's what I said..  However, I would never use the above setup if
> :it's supposed to be secure. Anyone with access to a machine in the
> :41.1-41.62 range would be able to sniff the 10-net, which would not
> :like. (maybe your setup allows for this, but I wouldn't mind the cost
> :of a $6 el-cheapo NIC and a crosscable to get more secure, it's even
> :cheaper than the time spent typing this mail ;-) ).
> 
>    Uhh.  I don't see how this can possibly make things more secure.  If
>    the machine needs to be on both nets and someone breaks root on it,
>    having a second NIC isn't going to save you.

Physical access to any hub or socket on the same segment, as is quite
possible in many office-setups or with many different local users
managing their own servers.

> :But in the case of two physical interfaces on the same (physical)
> :segment, you get ARP errors. With aliases, you don't.
> :
> :Regards,
> :
> :Paul 
> 
>     ARP errors?  Only if you try to configure the same IP address on
>     the two interfaces.


> > xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > options=3<rxcsum,txcsum>
> > inet 200.x.x.72 netmask 0xffffffc0 broadcast 200.x.x.127
> > inet 200.x.x.90 netmask 0xffffffc0 broadcast 200.x.x.127
> > inet 200.x.x.91 netmask 0xffffffc0 broadcast 200.x.x.127
> > ether 00:10:4b:c5:2e:1c
> > media: Ethernet autoselect (100baseTX <full-duplex>)
> >
> > xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > inet 200.y.y.132 netmask 0xfffffc0 broadcast 200.y.y.191
> > ether 00:60:97:dd:f0:b8
> > media: Ethernet autoselect (10baseT/UTP <full-duplex>)
> >
> > arp: 200.y.y.130 is on xl1 but got reply from 00:b0:64:08:36:60 on xl0
> > arp: 200.x.x.72 is on lo0 but got reply from 00:10:4b:c5:2e:1c on xl1
> >
> >              What's the problem ??
> >
> It means just that: an arp reply for some address in the 200.y.y.0
> subnet (xl1 subnet) arrived on xl1 and vice-versa.
>
> Are both NICs connected to the same physical LAN, by chance?

(copied from questions, not my answer, but still also my experience
when installing my home-firewall, having both NICs temporarily
connected to the same switch, bypassing the firewall)

> 					-Matt
> 					Matthew Dillon 
> 					<dillon@backplane.com>

Regards,

Paul

--UlVJffcvxoiEqYs2--
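The kernel messages quoted in the message above can be checked mechanically. The following is an added example, not part of the original e-mail: it parses `arp: ... is on ... but got reply from ... on ...` lines and reports interface pairs that appear to be attached to the same physical segment. The helper name `shared_segments`, the sample log lines, addresses and MACs are all constructed for illustration.

```python
import re

# Message format as quoted in the thread; a leading syslog prefix is tolerated.
ARP_MISMATCH = re.compile(
    r"arp: (?P<ip>\S+) is on (?P<expected>\w+) but got reply from "
    r"(?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}) on (?P<seen>\w+)",
    re.IGNORECASE,
)

def shared_segments(log_lines, own_macs):
    """Map (if_a, if_b) -> evidence that both NICs hear the same segment.

    own_macs: interface name -> its MAC address, as shown by ifconfig.
    """
    by_mac = {mac.lower(): ifname for ifname, mac in own_macs.items()}
    findings = {}
    for line in log_lines:
        m = ARP_MISMATCH.search(line)
        if m is None:
            continue
        expected, seen = m["expected"], m["seen"]
        # If the reply carries one of this host's own MACs, the NIC that owns
        # it (not lo0, where the address is "expected") is the one whose
        # frames were heard on the other interface.
        owner = by_mac.get(m["mac"].lower())
        if owner is not None:
            expected = owner
        if expected == seen:
            continue
        pair = tuple(sorted((expected, seen)))
        entry = findings.setdefault(pair, {"count": 0, "own_mac_seen": False})
        entry["count"] += 1
        entry["own_mac_seen"] |= owner is not None
    return findings

# Constructed sample input (documentation addresses, locally administered MACs).
OWN_MACS = {"xl0": "02:00:00:00:00:10", "xl1": "02:00:00:00:00:11"}
SAMPLE_LOG = [
    "/kernel: arp: 198.51.100.130 is on xl1 but got reply from 02:00:00:aa:bb:01 on xl0",
    "/kernel: arp: 192.0.2.72 is on lo0 but got reply from 02:00:00:00:00:10 on xl1",
    "/kernel: unrelated constructed line",
]

if __name__ == "__main__":
    for pair, ev in shared_segments(SAMPLE_LOG, OWN_MACS).items():
        print(pair, ev)
```

A pair reported with `own_mac_seen` set means one of the host's own NICs was heard on the other, which is the strongest sign that a network meant to be separate is not physically isolated.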
