Date: Thu, 18 Jul 2002 14:04:07 -0600
From: "Duncan Patton a Campbell is Dhu" <campbell@neotext.ca>
To: freebsd-security@FreeBSD.ORG
Subject: RE: wierdness in my security report
Message-ID: <20020718200407.M28012@babayaga.neotext.ca>
In-Reply-To: <LJEFLBLMLGPNAJOOKOHLAEJOCDAA.j.laurenson@epicmail.ca>
References: <027101c22e86$dc4fae20$95e2910c@fbccarthage.com> <LJEFLBLMLGPNAJOOKOHLAEJOCDAA.j.laurenson@epicmail.ca>

I've had something that looked like this. Is it possible that
your ISP maintains an IP <-> MAC (ethernet) mapping somewhere? What
is happening is that 12.236.220.1 is moving from one ethernet
address/card to another (and back).

I guess their router claims 12.236.220.1 is attached to it,
while you also have an ethernet card in the Box 12.236.220.1
that is arping out in complete disagreement.

IFF you are using static (unless you have some reason for it ;-)
routing you should switch to DHCP and a setup that requests a
specific IP.

Edit this for your /etc/dhclient.conf:

# Change this to your ethercard's device name
interface "ed0"
{
    # Add hostname
    send host-name "your.host.na";
    # Get your ethercard's MAC address from ifconfig -a and put it here:
    send dhcp-client-identifier hh:hh:hh:hh:hh:hh;
    send dhcp-lease-time 36000;
    # Put all forms of your machine's name
    supersede domain-name "your.host.na www.host.ca host.na";
    # IF and only IF you are running a DNS
    # prepend domain-name-servers 127.0.0.1;
    request subnet-mask, broadcast-address,
            time-offset, routers;
    require subnet-mask, domain-name-servers;
    script "/sbin/dhclient-script";
    media "media 10baseT/UTP";
}

This will permit DHCP to negotiate the underprotocols for ethernet
mapping (arp >< rarp etc.) so you won't see all that noise in
your messages log.

Duncan Patton a Campbell is Duibh ;-)
---------- Original Message -----------
From: "Jim Laurenson" <j.laurenson@epicmail.ca>
To: "Kevin Kinsey, DaleCo, S.P." <kdk@daleco.biz>, "Craig Miller" <craig@millerfam.net>, "freebsd-security" <freebsd-security@FreeBSD.ORG>
Sent: Thu, 18 Jul 2002 12:47:08 -0600
Subject: RE: wierdness in my security report
> My setup included multiple machines (2 of them, one
> running 4.3 and the other running 4.4, both getting
> the error listed below) connected through a Docsis
> modem. These errors started just after the systems
> were built. After one of the systems became redundant
> I removed it from the network and the errors
> disappeared from the other system. Yet neither of the
> systems' error messages were mentioning the other, just
> the MAC address of the Cisco router on my ISP's side.
>
> Jim Laurenson
>
> -----Original Message-----
> From: Kevin Kinsey, DaleCo, S.P. [mailto:kdk@daleco.biz]
> Sent: July 18, 2002 12:14 PM
> To: Jim Laurenson; Craig Miller; freebsd-security
> Subject: Re: wierdness in my security report
>
> Somebody, somewhere, changed something that changed a route
> your kernel had established. How many machines in
> your LAN? What are the chances one has a new NIC?
>
> KDK
>
> ----- Original Message -----
> From: Jim Laurenson
> To: Craig Miller ; freebsd-security
> Sent: Thursday, July 18, 2002 12:53 PM
> Subject: RE: wierdness in my security report
>
> I have found the same logs on one of my older builds
> (4.3 I think). The offending MAC address was found to
> be a Cisco router on my ISP's network. I found no
> solution for it though.
>
> Jim Laurenson
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Craig Miller
> Sent: July 18, 2002 11:47 AM
> To: freebsd-security
> Subject: wierdness in my security report
>
> Anyone have any ideas as to what might be causing the
> following to appear in my security report?
>
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> > Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> > Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
>
> I thought those : delimited fields would be MAC
> addresses, but they don't match the MAC addresses of
> either of the two cards in my free-bsd box. I have
> not checked the MAC addresses of the other network
> cards on my network.
>
> Also, where does the "server /kernel" name come from?
> "kernel" is not the name I gave my kernel, so I am suspicious.
>
> Thanks,
>
> --Craig
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the
> message
------- End of Original Message -------
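
The "arp: ... moved from ... to ..." messages discussed in this thread can be triaged automatically. The following is an added example, not part of the original messages: the function name summarize_arp_moves and the report fields are hypothetical, and the sample input is the four log lines from the original post, unwrapped. It reports, per IP and interface, which MACs claimed the address and whether the address flipped back to a MAC it had already left.

```python
import re
from collections import defaultdict

# Matches the FreeBSD kernel message quoted in the thread, with or without
# the syslog timestamp and the "> " markers that precede it in the report.
ARP_MOVE = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    r"(?P<old>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) to "
    r"(?P<new>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifname>\w+)",
    re.IGNORECASE,
)

# The four messages from the original post, unwrapped.
SAMPLE = """\
arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
"""

def summarize_arp_moves(text):
    """Return one summary dict per (ip, interface) seen in the log text."""
    moves = defaultdict(list)
    for line in text.splitlines():
        m = ARP_MOVE.search(line)
        if not m:
            continue
        key = (m["ip"], m["ifname"])
        step = (m["old"].lower(), m["new"].lower())
        # The report shows each event twice (bare and timestamped); the same
        # transition cannot occur twice in a row, so drop the repeat.
        if moves[key] and moves[key][-1] == step:
            continue
        moves[key].append(step)
    out = []
    for (ip, ifname), steps in sorted(moves.items()):
        macs = sorted({mac for step in steps for mac in step})
        left, flapping = set(), False
        for old, new in steps:
            flapping = flapping or new in left  # returned to an earlier MAC
            left.add(old)
        out.append({
            "ip": ip, "interface": ifname, "macs": macs, "moves": len(steps),
            "flapping": flapping,
            "same_oui": len({mac[:8] for mac in macs}) == 1,  # shared vendor prefix
        })
    return out

print(summarize_arp_moves(SAMPLE))
```

A flapping entry means two stations keep answering for the same IP. Knowing whether both MACs share a vendor prefix helps decide whether to look at the upstream router, as the replies above suggest, or at an unexpected host on the segment.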
