Date: 27 Nov 2002 12:05:14 -0800
From: Mark <mw@lanfear.com>
To: freebsd-questions@freebsd.org
Cc: mw@lanfear.com
Subject: ARP flood = Firewall locks up???
Message-ID: <1038427514.2997.22.camel@donburi>

Hi!

Not being a terribly monstrous expert with FreeBSD firewalls, I was quite relieved when I managed to get my FreeBSD 4.3 machine up and running with a "simple" firewall and NAT for my subnet to my local cable modem provider. The firewall configuration was, indeed, the pure 'simple', with a couple of extra rules to allow DNS (udp to and from 53).

Now, the problem is, about three weeks ago, I started seeing a FLOOD of ARP messages on xl0, my interface to the internet over the cable modem. They are mostly of the nature:

11:45:43.957332 arp who-has 12-228-5-117.client.attbi.com tell 12-228-0-1.client.attbi.com
11:45:44.041211 arp who-has 24-41-43-3.attbi.cable.earthlink.net tell 24-41-43-1.attbi.cable.earthlink.net
11:45:44.054945 arp who-has 12-228-13-250.client.attbi.com tell 12-228-12-1.client.attbi.com
11:45:44.286922 arp who-has 12-228-13-19.client.attbi.com tell 12-228-12-1.client.attbi.com
11:45:44.301048 arp who-has 12-228-8-255.client.attbi.com tell 12-228-8-1.client.attbi.com
11:45:44.950060 arp who-has 12-228-116-206.client.attbi.com tell 12-228-116-1.client.attbi.com
11:45:45.161916 arp who-has 12-228-117-80.client.attbi.com tell 12-228-116-1.client.attbi.com
11:45:45.262087 arp who-has 12-228-6-168.client.attbi.com tell 12-228-0-1.client.attbi.com
11:45:45.326111 arp who-has 10.111.149.5 tell 10.111.148.1
11:45:45.393260 arp who-has 12-228-5-28.client.attbi.com tell 12-228-0-1.client.attbi.com
11:45:45.418636 arp who-has 12-228-4-225.client.attbi.com tell 12-228-0-1.client.attbi.com
11:45:45.420402 arp who-has 10.134.74.97 tell 10.134.64.1
11:45:45.478295 arp who-has 10.134.78.125 tell 10.134.64.1

I also see a lot of:

11:45:47.290518 12-228-xxx-yyy.client.attbi.com.glogger > ns1.attbi.com.domain: 60392+ PTR? 175.71.134.10.in-addr.arpa. (44)
11:45:47.325525 ns1.attbi.com.domain > 12-228-xxx-yyy.client.attbi.com.glogger: 60392 NXDomain* 0/1/0 (112) (DF)
11:45:47.326433 12-228-xxx-yyy.client.attbi.com.scoremgr > ns1.attbi.com.domain: 60393+ PTR? 35.106.46.207.in-addr.arpa. (44)
11:45:47.381075 ns1.attbi.com.domain > 12-228-xxx-yyy.client.attbi.com.scoremgr: 60393* 1/0/0 (84) (DF)
11:45:47.382676 12-228-xxx-yyy.client.attbi.com.imsldoc > ns1.attbi.com.domain: 60394+ PTR? 168.6.228.12.in-addr.arpa. (43)
11:45:47.418767 ns1.attbi.com.domain > 12-228-xxx-yyy.client.attbi.com.imsldoc: 60394* 1/2/2 (154) (DF)
11:45:47.420016 12-228-xxx-yyy.client.attbi.com.2036 > ns1.attbi.com.domain: 60395+ PTR? 28.5.228.12.in-addr.arpa. (42)
11:45:47.456806 ns1.attbi.com.domain > 12-228-xxx-yyy.client.attbi.com.2036: 60395* 1/2/2 PTR . (152) (DF)
11:45:47.458064 12-228-xxx-yyy.client.attbi.com.2037 > ns1.attbi.com.domain: 60396+ PTR? 85.67.134.10.in-addr.arpa. (43)
11:45:47.492268 ns1.attbi.com.domain > 12-228-xxx-yyy.client.attbi.com.2037: 60396 NXDomain* 0/1/0 (111) (DF)

This is fine, although a bit wonky, but then all of a sudden, the FreeBSD server would stop forwarding packets to the internet after about 6 hours. It would slow down visibly after 4, and simply be dead after six. Rebooting would solve the problem, but then there would be a lockup in another 6 hours or so. Setting the firewall to "open" fixes the problem, but obviously not in a good way :-(

Questions:

1. Any ideas what this ARP flood is? Is it some tool the ISP is using or something?
2. Any idea what's up with the firewall? Why would it be locking up?

I must confess to being a bit of a firewall newbie, so I'm not 100% sure how to go about getting it to give me more information, logging, etc ...

I might just upgrade to 4.7 and see what happens, but I'd rather understand this first ....

Any suggestions would be appreciated...

Thanks,
mark.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1038427514.2997.22.camel>
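
An added example, not part of the original message: a Python script that tallies tcpdump "arp who-has" lines by requester, showing which hosts send the requests, how many distinct addresses each asks for, and the overall rate. The sample lines are copied from the capture quoted in the message; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: ARP lines copied from the capture quoted in the message.
SAMPLE = """\
11:45:43.957332 arp who-has 12-228-5-117.client.attbi.com tell 12-228-0-1.client.attbi.com
11:45:44.041211 arp who-has 24-41-43-3.attbi.cable.earthlink.net tell 24-41-43-1.attbi.cable.earthlink.net
11:45:45.262087 arp who-has 12-228-6-168.client.attbi.com tell 12-228-0-1.client.attbi.com
11:45:45.326111 arp who-has 10.111.149.5 tell 10.111.148.1
11:45:45.393260 arp who-has 12-228-5-28.client.attbi.com tell 12-228-0-1.client.attbi.com
11:45:45.420402 arp who-has 10.134.74.97 tell 10.134.64.1
11:45:45.478295 arp who-has 10.134.78.125 tell 10.134.64.1
"""

# Matches the tcpdump text format shown above: HH:MM:SS.frac arp who-has X tell Y
ARP_RE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) arp who-has (\S+) tell (\S+)$")

def summarize_arp(text):
    """Return (per_sender, rate). per_sender maps each requester to the set of
    addresses it asked for; rate is ARP requests per second over the capture.
    Assumes the capture does not cross midnight (timestamps carry no date)."""
    per_sender = defaultdict(set)
    stamps = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an ARP request, e.g. DNS PTR lines
        h, mi, s, target, sender = m.groups()
        stamps.append(int(h) * 3600 + int(mi) * 60 + float(s))
        per_sender[sender].add(target)
    span = max(stamps) - min(stamps) if len(stamps) > 1 else 0.0
    rate = len(stamps) / span if span > 0 else 0.0
    return dict(per_sender), rate

def top_requesters(per_sender, n=3):
    """Requesters ordered by number of distinct targets, busiest first."""
    return sorted(per_sender.items(), key=lambda kv: (-len(kv[1]), kv[0]))[:n]

if __name__ == "__main__":
    senders, rate = summarize_arp(SAMPLE)
    print(f"{rate:.1f} ARP requests/s from {len(senders)} requesters")
    for sender, targets in top_requesters(senders):
        print(f"{len(targets):3d} distinct targets  {sender}")
```

Feeding it a longer capture saved from tcpdump on xl0 gives a per-requester count that can be compared before and after the slowdown begins.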