From owner-freebsd-questions@FreeBSD.ORG Mon Mar 17 09:59:26 2008
From: "Ted Mittelstaedt"
To: "Modulok", "Brent Jones"
Cc: freebsd-questions@freebsd.org
Date: Mon, 17 Mar 2008 02:00:49 -0800
Subject: RE: ARP(4) spoofing?
In-Reply-To: <64c038660803170229u22644782kc53ad049c081d364@mail.gmail.com>
List-Id: User questions <freebsd-questions@freebsd.org>

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Modulok
> Sent: Monday, March 17, 2008 1:29 AM
> To: Brent Jones
> Cc: freebsd-questions@freebsd.org
> Subject: Re: ARP(4) spoofing?
>
> > > Would this be ARP(4) spoofing, or is it just me? How would I
> > > confirm it?
> > >
> > > arp: 192.168.1.1 is on lo0 but got reply from xx:xx:xx:xx:xx:xx on em1
> > >
> > > This is on a FreeBSD router, em1 is Internet-facing. 192.168.1.1 (em0)
> > > is LAN-facing and a permanent entry in the arp cache. This happens
> > > constantly and is slowly filling my log files.
> >
> > What does an "ifconfig -a" on your machine show? It looks like you've
> > configured your loopback interface to also have 192.168.1.1
>
> [-]Modulok> ifconfig -au inet
> em0: flags=8843 mtu 1500
>         options=b
>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
> em1: flags=8843 mtu 1500
>         options=b
>         inet 66.x.x.x netmask 0xffffff80 broadcast 66.x.x.255
> lo0: flags=8049 mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
>
> Just for fun, the entry in the arp cache:
>
> [-]Modulok> arp -an | grep 192.168.1.1
> ? (192.168.1.1) at (myEthernetAddress) on em0 permanent [ethernet]
>
> Concerning the arp(4) DIAGNOSTICS section (just thinking aloud here):
>
> "Physical connections exist to the same logical IP network on both if0 and
> if1."
>
> Doubtful: LAN---em0[FreeBSD]em1---modem---Internet
>
> "an entry already exists in the ARP cache ... and the cable has been
> disconnected from if0, then reconnected to if1."
>
> Nope.
>
> "This message can only be issued if the sysctl
> net.link.ether.inet.log_arp_wrong_iface is set to 1"
>
> While I could set the relevant sysctl variable to prevent it from
> being logged (which I'll probably end up doing), when strange things
> happen I usually like to know about them.
>
> Disable the dynamic ARP cache on the external interface and make
> permanent entries for the ISP's gateway and DNS servers? Perhaps.
> However, in the event they ever change hardware (and fail to spoof
> their previous ethernet address), I'd have to manually edit the ARP
> cache...at 3:00am...on a Sunday.
> Plus these ARP replies, while
> annoying, are not really harming anything, as FreeBSD's ARP appears to
> prevent address takeover via gratuitous, unsolicited, impersonating
> ARP replies.
>
> Come to think of it, that might be it. I haven't looked into whether
> or not these are replies triggered by requests from the local host (if
> only I knew a way to do such a thing). Logic initially rejects the
> notion, as why would this box be sending out a gratuitous ARP request
> every 10 minutes through the wrong interface for the given address?
>

You should have anti-spoofing firewall entries in any internet router;
check your ipfw entries.

I suspect the problem has to do with a misconfiguration of your NAT,
frankly. The error message itself:

arp: X.X.X.X is on lo0

is nonsensical, because by definition the loopback (lo0) is not connected
to any network. Under correct configuration, a loopback cannot receive an
ARP. The internal loopback address is exactly equivalent to a physical
ethernet interface that has a loopback plug inserted into it.

I suspect your NAT config is overloading on the loopback rather than on
the physical interface.

Ted
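Added example, not part of Ted's or Modulok's messages: a small Python script that does the triage Modulok wanted to do by hand. It parses two FreeBSD arp(4) kernel diagnostics out of syslog text, the "is on X but got reply from MAC on Y" form discussed in the thread (logged when net.link.ether.inet.log_arp_wrong_iface=1) and the "moved from MAC to MAC on IF" form (logged when net.link.ether.inet.log_arp_movements=1), then separates the two patterns an operator treats differently: a peer answering for one of the router's own addresses ("is on lo0" means the kernel's route for that IP is the local host itself), versus an entry whose MAC keeps flipping, which is the signature of a gratuitous-ARP takeover attempt or a duplicated address. The log lines, hostnames, MACs and the flap threshold are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Patterns for two FreeBSD arp(4) kernel diagnostics.  Interface names and
# MACs are captured so events can be grouped per peer.
_MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
_IP = r"\d+(?:\.\d+){3}"
WRONG_IFACE = re.compile(
    rf"arp: (?P<ip>{_IP}) is on (?P<have>\S+) but got reply from "
    rf"(?P<mac>{_MAC}) on (?P<got>\S+)", re.IGNORECASE)
MOVED = re.compile(
    rf"arp: (?P<ip>{_IP}) moved from (?P<old>{_MAC}) to (?P<new>{_MAC}) "
    rf"on (?P<iface>\S+)", re.IGNORECASE)

# Constructed /var/log/messages excerpt (not from the thread): a WAN-side peer
# repeatedly answering for the router's LAN address, one LAN host whose MAC
# flips back and forth, and an unrelated sshd line that must be ignored.
SAMPLE_LOG = """\
Mar 17 01:10:02 router kernel: arp: 192.168.1.1 is on lo0 but got reply from 00:0c:29:ab:cd:ef on em1
Mar 17 01:20:02 router kernel: arp: 192.168.1.1 is on lo0 but got reply from 00:0c:29:ab:cd:ef on em1
Mar 17 01:30:02 router kernel: arp: 192.168.1.1 is on lo0 but got reply from 00:0c:29:ab:cd:ef on em1
Mar 17 01:31:17 router kernel: arp: 192.168.1.50 moved from 00:1b:21:11:22:33 to 00:25:90:aa:bb:cc on em0
Mar 17 01:31:19 router kernel: arp: 192.168.1.50 moved from 00:25:90:aa:bb:cc to 00:1b:21:11:22:33 on em0
Mar 17 01:31:22 router kernel: arp: 192.168.1.50 moved from 00:1b:21:11:22:33 to 00:25:90:aa:bb:cc on em0
Mar 17 01:40:02 router kernel: arp: 192.168.1.1 is on lo0 but got reply from 00:0c:29:ab:cd:ef on em1
Mar 17 01:40:05 router sshd[812]: Accepted publickey for ops from 192.168.1.20 port 51022 ssh2
"""


def parse_events(lines):
    """Yield one dict per recognised ARP diagnostic; other lines are skipped."""
    for line in lines:
        for kind, pattern in (("wrong_iface", WRONG_IFACE), ("moved", MOVED)):
            m = pattern.search(line)
            if m:
                fields = {k: v.lower() for k, v in m.groupdict().items()}
                yield {"kind": kind, **fields}
                break


def report_findings(events, flap_threshold=3):
    """Bucket events by what they imply.

    own_address_answered: (ip, mac, iface) -> count of replies in which a peer
        on `iface` claimed an address the kernel routes via lo0, i.e. one of
        this host's own addresses.  A steady repeat from a single MAC on the
        WAN side points at a misconfigured peer or NAT rather than an attack,
        but it is exactly what an anti-spoof rule on that interface should drop.
    mac_flapping: (ip, iface) -> sorted MACs for entries that changed hardware
        address at least `flap_threshold` times.  Two MACs fighting over one
        IP is how a gratuitous-ARP takeover (or a duplicate address) looks.
    """
    own = Counter()
    moves = Counter()
    macs_seen = defaultdict(set)
    for ev in events:
        if ev["kind"] == "wrong_iface" and ev["have"] == "lo0":
            own[(ev["ip"], ev["mac"], ev["got"])] += 1
        elif ev["kind"] == "moved":
            key = (ev["ip"], ev["iface"])
            moves[key] += 1
            macs_seen[key].update((ev["old"], ev["new"]))
    flapping = {k: sorted(macs_seen[k]) for k, n in moves.items()
                if n >= flap_threshold}
    return {"own_address_answered": dict(own), "mac_flapping": flapping}


if __name__ == "__main__":
    findings = report_findings(parse_events(SAMPLE_LOG.splitlines()))
    for (ip, mac, iface), n in findings["own_address_answered"].items():
        print(f"{mac} on {iface} answered for local address {ip} {n} times")
    for (ip, iface), macs in findings["mac_flapping"].items():
        print(f"{ip} on {iface} flapping between {', '.join(macs)}")
```

Feed it the real file with `parse_events(open("/var/log/messages"))`; the `own_address_answered` bucket is the one to cross-check against the router's `arp -an` output and its ipfw/pf anti-spoofing rules for the interface named in the key, since a reply for the router's own LAN address should never arrive on the WAN side.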