From owner-freebsd-questions Wed Nov 27 12: 5:27 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AEB1537B401 for ; Wed, 27 Nov 2002 12:05:23 -0800 (PST)
Received: from akira.lanfear.com (akira.lanfear.com [216.168.61.84]) by mx1.FreeBSD.org (Postfix) with SMTP id 4035943E88 for ; Wed, 27 Nov 2002 12:05:23 -0800 (PST) (envelope-from mw@lanfear.com)
Received: (qmail 72284 invoked from network); 27 Nov 2002 20:05:12 -0000
Received: from localhost.lanfear.com (HELO localhost) (127.0.0.1) by localhost.lanfear.com with SMTP; 27 Nov 2002 20:05:12 -0000
Subject: ARP flood = Firewall locks up???
From: Mark
To: freebsd-questions@freebsd.org
Cc: mw@lanfear.com
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Ximian Evolution 1.0.8
Date: 27 Nov 2002 12:05:14 -0800
Message-Id: <1038427514.2997.22.camel@donburi>
Mime-Version: 1.0
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi!

Not being a terribly monstrous expert with FreeBSD firewalls, I was quite relieved when I managed to get my FreeBSD 4.3 machine up and running with a "simple" firewall and NAT for my subnet to my local cable modem provider. The firewall configuration was, indeed, the pure 'simple', with a couple of extra rules to allow DNS (udp to and from 53).

Now, the problem is, about three weeks ago, I started seeing a FLOOD of ARP messages on xl0, my interface to the internet over the cable modem. They are mostly of the nature:

11:45:43.957332 arp who-has 12-228-5-117.client.attbi.com tell 12-228-0-1.client.attbi.com
11:45:44.041211 arp who-has 24-41-43-3.attbi.cable.earthlink.net tell 24-41-43-1.attbi.cable.earthlink.net
11:45:44.054945 arp who-has 12-228-13-250.client.attbi.com tell 12-228-12-1.client.attbi.com
11:45:44.286922 arp who-has 12-228-13-19.client.attbi.com tell 12-228-12-1.client.attbi.com
11:45:44.301048 arp who-has 12-228-8-255.client.attbi.com tell 12-228-8-1.client.attbi.com
11:45:44.950060 arp who-has 12-228-116-206.client.attbi.com tell 12-228-116-1.client.attbi.com
11:45:45.161916 arp who-has 12-228-117-80.client.attbi.com tell 12-228-116-1.client.attbi.com
11:45:45.262087 arp who-has 12-228-6-168.client.attbi.com tell 12-228-0-1.client.attbi.com
11:45:45.326111 arp who-has 10.111.149.5 tell 10.111.148.1
11:45:45.393260 arp who-has 12-228-5-28.client.attbi.com tell 12-228-0-1.client.attbi.com
11:45:45.418636 arp who-has 12-228-4-225.client.attbi.com tell 12-228-0-1.client.attbi.com
11:45:45.420402 arp who-has 10.134.74.97 tell 10.134.64.1
11:45:45.478295 arp who-has 10.134.78.125 tell 10.134.64.1

I also see a lot of:

11:45:47.290518 12-228-xxx-yyy.client.attbi.com.glogger > ns1.attbi.com.domain: 60392+ PTR? 175.71.134.10.in-addr.arpa. (44)
11:45:47.325525 ns1.attbi.com.domain > 12-228-xxx-yyy.client.attbi.com.glogger: 60392 NXDomain* 0/1/0 (112) (DF)
11:45:47.326433 12-228-xxx-yyy.client.attbi.com.scoremgr > ns1.attbi.com.domain: 60393+ PTR? 35.106.46.207.in-addr.arpa. (44)
11:45:47.381075 ns1.attbi.com.domain > 12-228-xxx-yyy.client.attbi.com.scoremgr: 60393* 1/0/0 (84) (DF)
11:45:47.382676 12-228-xxx-yyy.client.attbi.com.imsldoc > ns1.attbi.com.domain: 60394+ PTR? 168.6.228.12.in-addr.arpa. (43)
11:45:47.418767 ns1.attbi.com.domain > 12-228-xxx-yyy.client.attbi.com.imsldoc: 60394* 1/2/2 (154) (DF)
11:45:47.420016 12-228-xxx-yyy.client.attbi.com.2036 > ns1.attbi.com.domain: 60395+ PTR? 28.5.228.12.in-addr.arpa. (42)
11:45:47.456806 ns1.attbi.com.domain > 12-228-xxx-yyy.client.attbi.com.2036: 60395* 1/2/2 PTR . (152) (DF)
11:45:47.458064 12-228-xxx-yyy.client.attbi.com.2037 > ns1.attbi.com.domain: 60396+ PTR? 85.67.134.10.in-addr.arpa. (43)
11:45:47.492268 ns1.attbi.com.domain > 12-228-xxx-yyy.client.attbi.com.2037: 60396 NXDomain* 0/1/0 (111) (DF)

This is fine, although a bit wonky, but then all of a sudden, the FreeBSD server would stop forwarding packets to the internet after about 6 hours. It would slow down visibly after 4, and simply be dead after six. Rebooting would solve the problem, but then there would be a lockup in another 6 hours or so. Setting the firewall to "open" fixes the problem, but obviously not in a good way :-(

Questions:

1. Any ideas what this ARP flood is? Is it some tool the ISP is using or something?

2. Any idea what's up with the firewall? Why would it be locking up?

I must confess to being a bit of a firewall newbie, so I'm not 100% sure how to go about getting it to give me more information, logging, etc ... I might just upgrade to 4.7 and see what happens, but I'd rather understand this first ....

Any suggestions would be appreciated...

Thanks,
mark.
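An added example, not part of Mark's post or of the list thread: a small Python script that parses tcpdump ARP lines of the form shown above and characterizes the burst (request rate, how many distinct hosts are being asked for, which requesters account for the traffic). The embedded sample is the thirteen ARP lines from the post plus one of the DNS lines, included to show that non-ARP output is skipped. The rate and new-target thresholds in classify_arp, and the verdict labels, are assumptions chosen for illustration, not values from the post.

```python
"""Characterize an ARP burst from tcpdump text output (added example)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# One tcpdump ARP request line, e.g.
#   11:45:45.326111 arp who-has 10.111.149.5 tell 10.111.148.1
# Groups: HH:MM:SS, microseconds, target host, requesting host.
ARP_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\.(\d{6}) arp who-has (\S+) tell (\S+)$")

# Sample capture: the ARP lines from the post above, plus one DNS line
# (also from the post) that the parser must ignore.
SAMPLE_CAPTURE = """\
11:45:43.957332 arp who-has 12-228-5-117.client.attbi.com tell 12-228-0-1.client.attbi.com
11:45:44.041211 arp who-has 24-41-43-3.attbi.cable.earthlink.net tell 24-41-43-1.attbi.cable.earthlink.net
11:45:44.054945 arp who-has 12-228-13-250.client.attbi.com tell 12-228-12-1.client.attbi.com
11:45:44.286922 arp who-has 12-228-13-19.client.attbi.com tell 12-228-12-1.client.attbi.com
11:45:44.301048 arp who-has 12-228-8-255.client.attbi.com tell 12-228-8-1.client.attbi.com
11:45:44.950060 arp who-has 12-228-116-206.client.attbi.com tell 12-228-116-1.client.attbi.com
11:45:45.161916 arp who-has 12-228-117-80.client.attbi.com tell 12-228-116-1.client.attbi.com
11:45:45.262087 arp who-has 12-228-6-168.client.attbi.com tell 12-228-0-1.client.attbi.com
11:45:45.326111 arp who-has 10.111.149.5 tell 10.111.148.1
11:45:45.393260 arp who-has 12-228-5-28.client.attbi.com tell 12-228-0-1.client.attbi.com
11:45:45.418636 arp who-has 12-228-4-225.client.attbi.com tell 12-228-0-1.client.attbi.com
11:45:45.420402 arp who-has 10.134.74.97 tell 10.134.64.1
11:45:45.478295 arp who-has 10.134.78.125 tell 10.134.64.1
11:45:47.290518 12-228-xxx-yyy.client.attbi.com.glogger > ns1.attbi.com.domain: 60392+ PTR? 175.71.134.10.in-addr.arpa. (44)
"""


def parse_arp_line(line):
    """Return (timestamp, target, requester) for an ARP who-has line, else None."""
    m = ARP_RE.match(line.strip())
    if not m:
        return None
    hms, usec, target, requester = m.groups()
    # tcpdump prints time of day only; a dummy date is fine for deltas
    # within one capture (a capture spanning midnight would need the date).
    ts = datetime.strptime(hms, "%H:%M:%S") + timedelta(microseconds=int(usec))
    return ts, target, requester


def summarize_arp(text):
    """Aggregate ARP requests: count, capture window, rate, per-host counters."""
    records = [r for r in (parse_arp_line(ln) for ln in text.splitlines()) if r]
    requesters = Counter(req for _, _, req in records)   # hosts saying "tell me"
    targets = Counter(tgt for _, tgt, _ in records)      # hosts being asked for
    window = 0.0
    if len(records) >= 2:
        window = (records[-1][0] - records[0][0]).total_seconds()
    # Rate is only meaningful with two or more timestamped requests.
    rate = len(records) / window if window > 0 else 0.0
    return {
        "requests": len(records),
        "window_s": window,
        "rate_per_s": rate,
        "requesters": requesters,
        "targets": targets,
        "distinct_targets": len(targets),
    }


def top_requesters(summary, n=3):
    """Return [(host, share_of_requests)] for the n busiest requesters."""
    total = summary["requests"] or 1
    return [(host, cnt / total) for host, cnt in summary["requesters"].most_common(n)]


def classify_arp(summary, min_rate=5.0, min_new_target_ratio=0.9):
    """Heuristic verdict (thresholds are assumptions, not from the post).

    - "broad-sweep": sustained rate and almost every request names a different
      host, i.e. a few requesters walking through many addresses.
    - "repeated-requests": sustained rate but the same targets keep recurring,
      i.e. particular hosts are being asked for over and over.
    - "background": below the rate threshold.
    """
    if summary["requests"] == 0:
        return "no-arp"
    new_target_ratio = summary["distinct_targets"] / summary["requests"]
    if summary["rate_per_s"] >= min_rate and new_target_ratio >= min_new_target_ratio:
        return "broad-sweep"
    if summary["rate_per_s"] >= min_rate:
        return "repeated-requests"
    return "background"


if __name__ == "__main__":
    s = summarize_arp(SAMPLE_CAPTURE)
    print(f"{s['requests']} ARP requests in {s['window_s']:.3f}s "
          f"({s['rate_per_s']:.1f}/s), {s['distinct_targets']} distinct targets")
    for host, share in top_requesters(s):
        print(f"  {host}: {share:.0%} of requests")
    print("verdict:", classify_arp(s))
```

Run against the post's sample, the script reports 13 requests in about 1.5 s (roughly 8.5 per second), every one for a different target, spread over seven requesters whose names all end in .1, so the verdict is "broad-sweep" under the assumed thresholds. That is a characterization of the traffic, not an explanation of it; feeding it a longer capture (tcpdump -n -i xl0 arp, redirected to a file) would show whether the rate and the requester set stay stable over the hours before the box stops forwarding. One caveat worth keeping in mind while reading the ipfw side of the question: ipfw filters IP packets, so none of these ARP frames are touched by the "simple" rule set, and they will be visible in tcpdump regardless of which rules are loaded.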