Date: Wed, 27 Nov 2002 17:57:53 -0500
From: "Liquid" <liquid@liquidonline.ca>
To: "'Kevin D. Kinsey, DaleCo, S.P.'" <kdk@daleco.biz>
Cc: <freebsd-questions@FreeBSD.ORG>, <mw@lanfear.com>
Subject: RE: ARP flood = Firewall locks up???
Message-ID: <000a01c29668$6b752640$6400a8c0@windows>
In-Reply-To: <029101c29658$e8a151d0$fa00a8c0@DaleCoportable>

That 10.0.whatever crap is from your modem. When I had a box running on cable, I'd see a horrific amount of that crap in my logs. It never caused my firewall to stop working mind you. Mine, for instance was 10.0.80.31 - which, it appears, was my modem's "IP address" although I do not recall seeing it in traceroutes (this was several years ago, so don't take my word for it - best thing to do is to check your traceroute to say... yahoo.com and see what comes up as first gateway).

Why this is so? I can't answer that. My present adsl modem has a fixed IP, specifically to telnet to in the event I want to use it as a router - I haven't logged the interface because I know firewall tun0, but I'd bet I'd see a lot of junk on the NIC interface acting as the pppoe transport if I'd log it...

Are you assigned a static IP or is it dhcp? I used to get an arp msg and stuff when someone was mistakenly typing my IP as his static IP, a typo caused both of us to share the IP - except that obviously didn't work out quite nicely. I was being assigned the IP via DHCP - and their dhcp server kept giving me xx.yy.ab.ab and the guy's static IP was xx.yy.ab.ba... you can see where he made his typo.

Just something to think about...

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Kevin D. Kinsey, DaleCo, S.P.
> Sent: November 27, 2002 4:07 PM
> To: Mark; freebsd-questions@FreeBSD.ORG
> Cc: mw@lanfear.com
> Subject: Re: ARP flood = Firewall locks up???
>
> From: "Mark" <mw@lanfear.com>
> To: <freebsd-questions@FreeBSD.ORG>
> Subject: ARP flood = Firewall locks up???
>
>
> > Hi!
> >
> > Not being a terribly monstrous expert with FreeBSD firewalls, I was
> > quite relieved when I managed to get my FreeBSD 4.3 machine up and
> > running with a "simple" firewall and NAT for my subnet to my local cable
> > modem provider.
> >
> > The firewall configuration was, indeed, the pure 'simple', with a
> > couple of extra rules to allow DNS (udp to and from 53).
> >
> > Now, the problem is, about three weeks ago, I started seeing a FLOOD
> > of ARP messages on xl0, my interface to the internet over the cable
> > modem. They are mostly of the nature:
> >
> <snip>
>
> > Questions:
> >
> > 1. Any ideas what this ARP flood is? Is it some tool the ISP is
> > using or something?
> >
> Looks like common DNS traffic, up to a point. It is quite a bit,
> I suppose, since your log excerpt is just a few seconds worth.
>
> Is this a firewall log we're looking at, or a tcpdump? If you use
> 'tcpdump' on the WAN if, you're getting your neighbors packets
> also, right? You mention not being able to get more info....check
> most of the files in /var/log...anything showing up on the console,
> or is that directed to a text log.....?
>
> What services are you running on your own subnet...I don't
> find a DNS server there....
>
> I wonder about the 10.x.x.x addy....something wrong
> in someone's config, perhaps<?>...
>
> > 2. Any idea what's up with the firewall? Why would it be locking
> > up? I must confess to being a bit of a firewall newbie, so i'm not 100%
> > sure how to go about getting it to give me more information, logging,
> > etc ... I might just upgrade to 4.7 and see what happens, but I'd
> > rather understand this first ....
> >
> I'm newb also, but are we sure it's just the firewall? If you're
> rebooting to fix the problem, you're resetting more than just
> the FW.....
>
>
> > Any suggestions would be appreciated...
> >
> > Thanks,
> > mark.
>
> That's about all I've done, suggested...
>
> G'luck, Kevin Kinsey
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message