From: "Kevin D. Kinsey, DaleCo, S.P."
To: "Mark"
Subject: Re: ARP flood = Firewall locks up???
Date: Wed, 27 Nov 2002 15:06:50 -0600
Sender: owner-freebsd-questions@FreeBSD.ORG

From: "Mark"
Subject: ARP flood = Firewall locks up???

> Hi!
>
> Not being a terribly monstrous expert with FreeBSD firewalls, I was
> quite relieved when I managed to get my FreeBSD 4.3 machine up and
> running with a "simple" firewall and NAT for my subnet to my local cable
> modem provider.
>
> The firewall configuration was, indeed, the pure 'simple', with a
> couple of extra rules to allow DNS (udp to and from 53).
>
> Now, the problem is, about three weeks ago, I started seeing a FLOOD
> of ARP messages on xl0, my interface to the internet over the cable
> modem. They are mostly of the nature:
>
> Questions:
>
> 1. Any ideas what this ARP flood is? Is it some tool the ISP is
> using or something?
>

Looks like common DNS traffic, up to a point. It is quite a bit, I suppose, since your log excerpt is just a few seconds' worth. Is this a firewall log we're looking at, or a tcpdump? If you use 'tcpdump' on the WAN if, you're getting your neighbors' packets also, right?

You mention not being able to get more info....check most of the files in /var/log...anything showing up on the console, or is that directed to a text log.....?

What services are you running on your own subnet...I don't find a DNS server there....

I wonder about the 10.x.x.x addy....something wrong in someone's config, perhaps...

> 2. Any idea what's up with the firewall? Why would it be locking
> up? I must confess to being a bit of a firewall newbie, so I'm not 100%
> sure how to go about getting it to give me more information, logging,
> etc ... I might just upgrade to 4.7 and see what happens, but I'd
> rather understand this first ....
>

I'm newb also, but are we sure it's just the firewall? If you're rebooting to fix the problem, you're resetting more than just the FW.....

> Any suggestions would be appreciated...
>
> Thanks,
> mark.

That's about all I've done, suggested...

G'luck,

Kevin Kinsey