Date:      Sun, 23 Apr 2000 13:09:25 -0400
From:      "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To:        miy <miyako@sakr.net>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: network replies causing system messages flooding
Message-ID:  <20000423130924.C70371@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <Pine.BSF.4.10.10004202348450.7175-100000@sakr.net>; from miyako@sakr.net on Fri, Apr 21, 2000 at 12:04:06AM -0400
References:  <20000419230149.B59041@cc942873-a.ewndsr1.nj.home.com> <Pine.BSF.4.10.10004202348450.7175-100000@sakr.net>

On Fri, Apr 21, 2000 at 12:04:06AM -0400, miy wrote:
> 
> 
> On Wed, 19 Apr 2000, Crist J. Clark wrote:
> 
> > On Wed, Apr 19, 2000 at 01:20:49PM -0400, miy wrote:
> > > 
> > > 
> > > On Mon, 17 Apr 2000, Crist J. Clark wrote:
> > > 
> > > > On Mon, Apr 17, 2000 at 06:56:47PM -0400, miy wrote:
> > > > > On Sun, 16 Apr 2000, Crist J. Clark wrote:
> > > > > > On Sun, Apr 16, 2000 at 01:22:06AM -0400, miy wrote:
> > > > > > > 
> > > > > > > I originally had a windows box [10.0.0.2] connected to my cable connection
> > > > > > > through a FreeBSD gateway running natd. I recently added a second windows
> > > > > > > box to the network, and it connects properly to the gateway, but I am
> > > > > > > getting flooded by the following system message:
> > > > > > > 
> > > > > > > arp: 10.0.0.4 is on ed1 but got reply from 00:80:c8:e8:ea:d7 on rl0
> > > > > > > arp: 10.0.0.4 is on ed1 but got reply from 00:80:c8:e8:ea:d7 on rl0
> > > > > > > arp: 10.0.0.4 is on ed1 but got reply from 00:80:c8:e8:ea:d7 on rl0
> > > > > > > arp: 10.0.0.4 is on ed1 but got reply from 00:80:c8:e8:ea:d7 on rl0 
> > 
> > [snip]
> > 
> > > this is the output of ifconfig:
> > > 
> > > rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > >         inet6 fe80::2e0:29ff:fe54:a201%rl0 prefixlen 64 scopeid 0x1
> > >         inet 24.114.39.136 netmask 0xfffffc00 broadcast 24.114.39.255
> > >         ether 00:e0:29:54:a2:01
> > 
> > Not here.
> > 
> > >         media: autoselect (none) status: active
> > >         supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>
> > > lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> > > ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > >         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
> > >         inet6 fe80::240:5ff:fe71:498c%ed1 prefixlen 64 scopeid 0x3
> > >         ether 00:40:05:71:49:8c
> > 
> > Not here.
> > 
> > > sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
> > > ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> > > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> > >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
> > >         inet6 ::1 prefixlen 128
> > >         inet 127.0.0.1 netmask 0xffffff00
> > > gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
> > >         inet6 fe80::2e0:29ff:fe54:a201%gif0 prefixlen 64 scopeid 0x7
> > > 
> > > and the output of arp -a is:
> > > 
> > > sakr.net (10.0.0.1) at 0:40:5:71:49:8c permanent [ethernet]
> > 
> > Not here.
> > 
> > > ? (10.0.0.2) at 0:80:c6:f9:a5:55 [ethernet]
> > 
> > Not here.
> > 
> > > ? (10.0.0.4) at 0:e0:29:54:9f:a6 [ethernet]
> > > bb1-fe1-1.ym1.on.home.net (24.114.36.1) at 0:60:5c:76:5b:21 [ethernet]
> > 
> > Not here.
> > 
> > > The associated hardware seems to be my network card on the windows box
> > > (10.0.0.2), although these messages were not occurring when I was connected
> > > to the HUB alone on the network. Ever since I added the other machine the
> > > sys logs have been displaying the same errors.
> > 
> > That MAC address in the messages does not seem to belong to any of
> > your hardware. That would normally lead me to believe that the
> > 10.0.0.4 address is leaking onto the net from someone else's
> > setup. However, if it is coming over the cable modem, I would expect
> > the MAC address to be that of your modem. I thought that's how cable
> > modems bridged and that's how mine works. Could you try this,
> > 
> >   # tcpdump -en 'ether proto \arp || host 10.0.0.4'
> > 
> > And save the output. It might be interesting.
> 
> 
> The following output scrolls continuously when I run:
> 
> tcpdump -en 'ether proto \arp || host 10.0.0.4'
> 
> tcpdump: listening on rl0
> 23:59:59.625354 0:0:ca:7:54:22 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.112.36.1 tell 10.3.8.60
> 23:59:59.647484 0:60:5c:76:5b:21 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.112.38.237 tell 24.112.36.1
> 23:59:59.670812 0:0:ca:f:0:ae ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.112.36.1 tell 10.3.7.222
> 23:59:59.707370 0:0:ca:e:d7:aa ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.112.36.1 tell 10.3.3.97
> 23:59:59.733358 0:20:a6:38:98:a3 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.112.34.1 tell 24.112.35.181
> 23:59:59.744298 0:0:b4:a2:1f:9c ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.112.192.128 tell 24.112.193.231
> 23:59:59.754466 0:80:c6:f9:af:e ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.112.36.1 tell 24.112.36.203
> 23:59:59.831735 0:60:97:99:ff:5e ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.114.0.1 tell 24.114.3.205
> 
> It seems that addresses such as 10.3.8.60 point to machines on the @home
> network in the York Mills area (my district). Is this traffic caused by a
> machine at my server's end in which case the provider is the cause, or is
> this traffic from another machine on my subnet? I am at a loss. Whatever
> the cause, is there any way I can configure the system to filter them?

I am not aware of a way to tell if these are being used by your
provider or another user on your network. I would suggest you talk to
your provider. If someone is leaking 10-net numbers, it is not a Good
Thing.

As for a solution, I am not aware of a way to "filter" packets at the
ARP level. However, you may be able to get away with turning off ARP
on the outer interface. Your public NIC only ever talks to the router,
so you can make that a permanent entry in your ARP table. But the
problem is that if the router "forgets" your MAC... That would
seriously break things.

Sorry I can't be more help.
-- 
Crist J. Clark                           cjclark@home.com
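
An added example, not part of the original message or thread: one way to pull the evidence for the provider out of a `tcpdump -en` capture like the one quoted above, by listing which source MACs send ARP requests with an RFC 1918 sender address on the public segment. The function names are hypothetical, and the sample is four of the requests quoted in the message, kept in their mail-wrapped form.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 private ranges; these should not appear as ARP senders on a public segment.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One `tcpdump -en` ARP request: time, source MAC, dest MAC, ethertype 0806, length,
# then "arp who-has <target> tell <sender>". \s+ also spans mail-wrapped lines.
ARP_REQ = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>[0-9a-f:]+)\s+(?P<dst>[0-9a-f:]+)\s+0806\s+\d+:"
    r"\s+arp\s+who-has\s+(?P<target>[\d.]+)\s+tell\s+(?P<sender>[\d.]+)"
)

def normalize_mac(mac):
    """This tcpdump output drops leading zeros (0:0:ca:7:54:22); pad each octet to two digits."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def private_arp_senders(capture_text):
    """Map source MAC -> sorted list of RFC 1918 addresses it used as ARP sender."""
    leaks = defaultdict(set)
    for m in ARP_REQ.finditer(capture_text):
        sender = ipaddress.ip_address(m.group("sender"))
        if any(sender in net for net in RFC1918):
            leaks[normalize_mac(m.group("src"))].add(str(sender))
    return {mac: sorted(ips) for mac, ips in leaks.items()}

# Sample: four of the requests quoted in the message above, captured on rl0 (public side).
SAMPLE = """\
23:59:59.625354 0:0:ca:7:54:22 ff:ff:ff:ff:ff:ff 0806 60: arp who-has
24.112.36.1 tell 10.3.8.60
23:59:59.647484 0:60:5c:76:5b:21 ff:ff:ff:ff:ff:ff 0806 60: arp who-has
24.112.38.237 tell 24.112.36.1
23:59:59.670812 0:0:ca:f:0:ae ff:ff:ff:ff:ff:ff 0806 60: arp who-has
24.112.36.1 tell 10.3.7.222
23:59:59.754466 0:80:c6:f9:af:e ff:ff:ff:ff:ff:ff 0806 60: arp who-has
24.112.36.1 tell 24.112.36.203
"""

if __name__ == "__main__":
    for mac, ips in private_arp_senders(SAMPLE).items():
        print(f"{mac} uses private sender address(es) {', '.join(ips)} on the public segment")
```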