From: "Liquid"
To: "'Kevin D. Kinsey, DaleCo, S.P.'"
Subject: RE: ARP flood = Firewall locks up???
Date: Wed, 27 Nov 2002 17:57:53 -0500

That 10.0.whatever crap is from your modem. When I had a box running on
cable, I'd see a horrific amount of that crap in my logs. It never
caused my firewall to stop working mind you.

Mine, for instance was 10.0.80.31 - which, it appears, was my modem's
"IP address" although I do not recall seeing it in traceroutes (this was
several years ago, so don't take my word for it - best thing to do is to
check your traceroute to say...
yahoo.com and see what comes up as first gateway).

Why this is so? I can't answer that. My present adsl modem has a fixed
IP, specifically to telnet to in the event I want to use it as a router
- I haven't logged the interface because I know firewall tun0, but I'd
bet I'd see a lot of junk on the NIC interface acting as the pppoe
transport if I'd log it...

Are you assigned a static IP or is it dhcp? I used to get an arp msg and
stuff when someone was mistakenly typing my IP as his static IP, a typo
caused both of us to share the IP - except that obviously didn't work
out quite nicely. I was being assigned the IP via DHCP - and their dhcp
server kept giving me xx.yy.ab.ab and the guy's static IP was
xx.yy.ab.ba... u can see where he made his typo

Just something to think about...

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of
> Kevin D. Kinsey, DaleCo, S.P.
> Sent: November 27, 2002 4:07 PM
> To: Mark; freebsd-questions@FreeBSD.ORG
> Cc: mw@lanfear.com
> Subject: Re: ARP flood = Firewall locks up???
>
> From: "Mark"
> To:
> Subject: ARP flood = Firewall locks up???
>
>
> > Hi!
> >
> > Not being a terribly monstrous expert with FreeBSD firewalls, I was
> > quite relieved when I managed to get my FreeBSD 4.3 machine up and
> > running with a "simple" firewall and NAT for my subnet to my local
> > cable modem provider.
> >
> > The firewall configuration was, indeed, the pure 'simple', with a
> > couple of extra rules to allow DNS (udp to and from 53).
> >
> > Now, the problem is, about three weeks ago, I started seeing a FLOOD
> > of ARP messages on xl0, my interface to the internet over the cable
> > modem. They are mostly of the nature:
> >
> >
> > Questions:
> >
> > 1. Any ideas what this ARP flood is? Is it some tool the ISP is
> > using or something?
> >
> Looks like common DNS traffic, up to a point.
> It is quite a bit, I suppose, since your log excerpt is just a few
> seconds worth.
>
> Is this a firewall log we're looking at, or a tcpdump? If you use
> 'tcpdump' on the WAN if, you're getting your neighbors' packets
> also, right? You mention not being able to get more info....check
> most of the files in /var/log...anything showing up on the console,
> or is that directed to a text log.....?
>
> What services are you running on your own subnet...I don't
> find a DNS server there....
>
> I wonder about the 10.x.x.x addy....something wrong
> in someone's config, perhaps...
>
> > 2. Any idea what's up with the firewall? Why would it be locking
> > up? I must confess to being a bit of a firewall newbie, so I'm not
> > 100% sure how to go about getting it to give me more information,
> > logging, etc ... I might just upgrade to 4.7 and see what happens,
> > but I'd rather understand this first ....
> >
> I'm newb also, but are we sure it's just the firewall? If you're
> rebooting to fix the problem, you're resetting more than just
> the FW.....
>
>
> > Any suggestions would be appreciated...
> >
> > Thanks,
> > mark.
>
> That's about all I've done, suggested...
>
> G'luck, Kevin Kinsey
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message