Date: Thu, 11 Feb 2010 09:28:51 -0500 (EST) From: James Smallacombe <up@3.am> To: freebsd-questions@freebsd.org Subject: Re: yikes! MAC address of default gateway changed ?? Message-ID: <alpine.BSF.2.00.1002110920370.95175@mail.pil.net> In-Reply-To: <alpine.BSF.2.00.1002110918180.95175@mail.pil.net> References: <alpine.BSF.2.00.1002102226470.19792@mail.pil.net> <alpine.BSF.2.00.1002102313420.43691@mail.pil.net> <alpine.BSF.2.00.1002110544080.50734@mail.pil.net> <4B73EC31.6030209@black-earth.co.uk> <alpine.BSF.2.00.1002110918180.95175@mail.pil.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi: Please reply-all ; I am not subscribed On Thu, 11 Feb 2010, Vince Hoffman wrote: > >> On 11/02/2010 11:00, James Smallacombe wrote: >>> Sorry for replying to myself (AND top-posting!) twice in a row, but this >>> is become a huge concern. My first thought is that my provider changed >>> routers or router Ethernet ports, hence the MAC address change. They >>> deny this, plus I find the two MAC addresses: >>> >>> 00:17:e0:4f:b9:c0 to 00:13:e0:4f:b9:c0 > > On 11/02/2010 11:00, James Smallacombe wrote: >> >> Sorry for replying to myself (AND top-posting!) twice in a row, but >> this is become a huge concern. My first thought is that my provider >> changed routers or router Ethernet ports, hence the MAC address >> change. They deny this, plus I find the two MAC addresses: >> >> 00:17:e0:4f:b9:c0 to 00:13:e0:4f:b9:c0 >> > However in your case, while 00:17:E0 is reasonable (a cisco mac address) > 00:13:E0 is a little worrying as apparently its a Murata > Manufacturing(whoever they are) mac address (see > http://www.coffer.com/mac_find/?string=00%3A13%3Ae0%3A4f%3Ab9%3Ac0) Well, that rules out anything by the provider. > you can check if its a static entry in your arp tables using > arp -a | grep permanent > The only permanent entries should be your local IPs (whatever you have > configured on your interfaces) unless you have any others you have put > in yourself. > so for my server i have > root@seaurchin ~]# arp -a | grep permanent > seaurchin.the.namesco.net (85.233.xxx.xxx) at 00:11:43:d8:2c:df on em0 > permanent [ethernet] > ? (10.20.0.3) at 00:11:43:d8:2c:df on em0 permanent [ethernet] Obviously the ARP entry is long gone now and I don't recall if it was permanent or not. It just leaves a couple of questions: If it was caused by a malicious arp command on my server, wouldn't a reboot have gotten rid of it? Would it also result in a "NO CARRIER" on the interface? Network did not come back until the Ethernet card was swapped. The bottom line is whether it is possible for a NIC failure to cause the kernel to register an ARP change. Thanks again to everyone... James Smallacombe PlantageNet, Inc. CEO and Janitor up@3.am http://3.am =========================================================================
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.00.1002110920370.95175>