From owner-freebsd-questions@FreeBSD.ORG Thu Feb 11 14:28:58 2010 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 43026106566C for ; Thu, 11 Feb 2010 14:28:58 +0000 (UTC) (envelope-from up@3.am) Received: from mail.pil.net (ns3.pil.net [209.17.170.205]) by mx1.freebsd.org (Postfix) with SMTP id 1F40A8FC13 for ; Thu, 11 Feb 2010 14:28:57 +0000 (UTC) Received: (qmail 3536 invoked from network); 11 Feb 2010 09:28:51 -0500 Received: from unknown (HELO localhost) (127.0.0.1) by 0 with SMTP; 11 Feb 2010 09:28:51 -0500 Date: Thu, 11 Feb 2010 09:28:51 -0500 (EST) From: James Smallacombe X-X-Sender: up@mail.pil.net To: freebsd-questions@freebsd.org In-Reply-To: Message-ID: References: <4B73EC31.6030209@black-earth.co.uk> User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII Subject: Re: yikes! MAC address of default gateway changed ?? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Feb 2010 14:28:58 -0000 Hi: Please reply-all ; I am not subscribed On Thu, 11 Feb 2010, Vince Hoffman wrote: > >> On 11/02/2010 11:00, James Smallacombe wrote: >>> Sorry for replying to myself (AND top-posting!) twice in a row, but this >>> is become a huge concern. My first thought is that my provider changed >>> routers or router Ethernet ports, hence the MAC address change. They >>> deny this, plus I find the two MAC addresses: >>> >>> 00:17:e0:4f:b9:c0 to 00:13:e0:4f:b9:c0 > > On 11/02/2010 11:00, James Smallacombe wrote: >> >> Sorry for replying to myself (AND top-posting!) twice in a row, but >> this is become a huge concern. My first thought is that my provider >> changed routers or router Ethernet ports, hence the MAC address >> change. They deny this, plus I find the two MAC addresses: >> >> 00:17:e0:4f:b9:c0 to 00:13:e0:4f:b9:c0 >> > However in your case, while 00:17:E0 is reasonable (a cisco mac address) > 00:13:E0 is a little worrying as apparently its a Murata > Manufacturing(whoever they are) mac address (see > http://www.coffer.com/mac_find/?string=00%3A13%3Ae0%3A4f%3Ab9%3Ac0) Well, that rules out anything by the provider. > you can check if its a static entry in your arp tables using > arp -a | grep permanent > The only permanent entries should be your local IPs (whatever you have > configured on your interfaces) unless you have any others you have put > in yourself. > so for my server i have > root@seaurchin ~]# arp -a | grep permanent > seaurchin.the.namesco.net (85.233.xxx.xxx) at 00:11:43:d8:2c:df on em0 > permanent [ethernet] > ? (10.20.0.3) at 00:11:43:d8:2c:df on em0 permanent [ethernet] Obviously the ARP entry is long gone now and I don't recall if it was permanent or not. It just leaves a couple of questions: If it was caused by a malicious arp command on my server, wouldn't a reboot have gotten rid of it? Would it also result in a "NO CARRIER" on the interface? Network did not come back until the Ethernet card was swapped. The bottom line is whether it is possible for a NIC failure to cause the kernel to register an ARP change. Thanks again to everyone... James Smallacombe PlantageNet, Inc. CEO and Janitor up@3.am http://3.am =========================================================================