From owner-freebsd-questions Wed Oct  9 18:10:05 2002
Date: Thu, 10 Oct 2002 03:09:57 +0200
From: Paul te Bokkel
To: questions@freebsd.org
Subject: Re: Setup routing entry for host with a non-local IP address]
Message-ID: <20021010010957.GB4639@tebokkel.com>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-questions@FreeBSD.ORG
List-ID: freebsd-questions

Forgot to group-reply..
----- Forwarded message from Paul te Bokkel -----

Date: Thu, 10 Oct 2002 03:05:35 +0200
From: Paul te Bokkel
To: Matthew Dillon
Subject: Re: Setup routing entry for host with a non-local IP address
Message-ID: <20021010010535.GA4639@tebokkel.com>
References: <20021009151733.GA15162@melusine.cuivre.fr.eu.org> <20021009210242.GA34352@tebokkel.com> <3DA49D72.6070205@potentialtech.com> <200210092201.g99M1YTA007964@apollo.backplane.com> <20021010001956.GA58085@tebokkel.com> <200210100032.g9A0W3lI023123@apollo.backplane.com>
In-Reply-To: <200210100032.g9A0W3lI023123@apollo.backplane.com>
User-Agent: Mutt/1.4i

On Wed, Oct 09, 2002 at 05:32:03PM -0700, Matthew Dillon wrote:
>
> :> fxp0: flags=8843 mtu 1500
> :>         inet 216.240.41.17 netmask 0xffffffc0 broadcast 216.240.41.63
> :>         inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
> :>         inet 216.240.41.21 netmask 0xffffffff broadcast 216.240.41.21
> :
> :That's what I said.. However, I would never use the above setup if
> :it's supposed to be secure. Anyone with access to a machine in the
> :41.1-41.62 range would be able to sniff the 10-net, which I would not
> :like. (maybe your setup allows for this, but I wouldn't mind the cost
> :of a $6 el-cheapo NIC and a crosscable to get more secure, it's even
> :cheaper than the time spent typing this mail ;-) ).
>
>     Uhh.  I don't see how this can possibly make things more secure.  If
>     the machine needs to be on both nets and someone breaks root on it,
>     having a second NIC isn't going to save you.

Physical access to any hub or socket on the same segment, as is quite
possible in many office setups or with many different local users
managing their own servers.

> :But in the case of two physical interfaces on the same (physical)
> :segment, you get ARP errors. With aliases, you don't.
> :
> :Regards,
> :
> :Paul
>
>     ARP errors?
>     Only if you try to configure the same IP address on
>     the two interfaces.
>
> > xl0: flags=8843 mtu 1500
> >         options=3
> >         inet 200.x.x.72 netmask 0xffffffc0 broadcast 200.x.x.127
> >         inet 200.x.x.90 netmask 0xffffffc0 broadcast 200.x.x.127
> >         inet 200.x.x.91 netmask 0xffffffc0 broadcast 200.x.x.127
> >         ether 00:10:4b:c5:2e:1c
> >         media: Ethernet autoselect (100baseTX )
> >
> > xl1: flags=8843 mtu 1500
> >         inet 200.y.y.132 netmask 0xfffffc0 broadcast 200.y.y.191
> >         ether 00:60:97:dd:f0:b8
> >         media: Ethernet autoselect (10baseT/UTP )
> >
> > arp: 200.y.y.130 is on xl1 but got reply from 00:b0:64:08:36:60 on xl0
> > arp: 200.x.x.72 is on lo0 but got reply from 00:10:4b:c5:2e:1c on xl1
> >
> > What's the problem ??
> >
> > It means just that: an arp reply for some address in the 200.y.y.0 subnet
> > (xl1 subnet) arrived on xl1 and vice-versa.
> >
> > Are both NICs connected to the same physical LAN, by chance?

(copied from questions, not my answer, but still also my experience when
installing my home-firewall, having both NICs temporarily connected to the
same switch, bypassing the firewall)

>                                       -Matt
>                                       Matthew Dillon
>

Regards,

Paul

----- End forwarded message -----
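The two configurations argued over above can both be checked mechanically. The script below is an added example, not code from the thread or from FreeBSD: it parses ifconfig(8)-style output and flags an interface that carries an RFC 1918 alias next to a routable address (the sniffable "10-net on the public NIC" setup Paul objects to), and it parses the kernel's `arp: X is on A but got reply from MAC on B` warnings, separating out the case where the replying MAC is one of the host's own NICs, which is the direct evidence that two cards share a broadcast domain. The sample input is the thread's own ifconfig blocks and arp lines; the syslog prefixes (timestamps, hostname `fw`) around the arp lines are constructed, and the redacted `200.x.x.*` addresses are deliberately left unparsable so the parser shows how it skips them.

```python
"""Checks for the two situations in this thread: an RFC 1918 alias on a
public-facing NIC, and two NICs that turn out to share one segment.
Added example; the syslog prefixes below are constructed."""
import ipaddress
import re
from collections import Counter

IFACE_RE = re.compile(r"^([A-Za-z0-9_.]+): flags=")
INET_RE = re.compile(r"^\s*inet (\S+) netmask (0x[0-9a-fA-F]+)")
ETHER_RE = re.compile(r"^\s*ether ([0-9a-fA-F:]{17})")
ARP_RE = re.compile(r"arp: (\S+) is on (\S+) but got reply from ([0-9a-fA-F:]{17}) on (\S+)")

# RFC 1918 space: a "10-net" alias on an interface that also carries a routable
# address is reachable and sniffable by everyone on that interface's segment.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The aliased single-NIC host from the first ifconfig quoted in the thread.
ALIAS_HOST = """\
fxp0: flags=8843 mtu 1500
        inet 216.240.41.17 netmask 0xffffffc0 broadcast 216.240.41.63
        inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
        inet 216.240.41.21 netmask 0xffffffff broadcast 216.240.41.21
"""

# The two-NIC host from the second ifconfig (its addresses are redacted there).
TWO_NIC_HOST = """\
xl0: flags=8843 mtu 1500
        inet 200.x.x.72 netmask 0xffffffc0 broadcast 200.x.x.127
        ether 00:10:4b:c5:2e:1c
xl1: flags=8843 mtu 1500
        inet 200.y.y.132 netmask 0xffffffc0 broadcast 200.y.y.191
        ether 00:60:97:dd:f0:b8
"""

# The thread's two arp warnings, wrapped in a constructed syslog prefix.
KERNEL_LOG = [
    "Oct 10 03:05:35 fw kernel: arp: 200.y.y.130 is on xl1 but got reply from 00:b0:64:08:36:60 on xl0",
    "Oct 10 03:05:35 fw kernel: arp: 200.x.x.72 is on lo0 but got reply from 00:10:4b:c5:2e:1c on xl1",
    "Oct 10 03:05:36 fw sshd[812]: unrelated message, must be ignored",
]


def parse_ifconfig(text):
    """Map interface name -> {"inet": [IPv4Interface, ...], "ether": mac or None}.
    Redacted addresses such as 200.x.x.72 do not parse and are skipped."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = m.group(1)
            ifaces[cur] = {"inet": [], "ether": None}
            continue
        if cur is None:
            continue
        m = INET_RE.match(line)
        if m:
            addr, prefix = m.group(1), bin(int(m.group(2), 16)).count("1")
            try:
                ifaces[cur]["inet"].append(ipaddress.IPv4Interface(f"{addr}/{prefix}"))
            except ValueError:
                pass  # redacted or malformed address
            continue
        m = ETHER_RE.match(line)
        if m:
            ifaces[cur]["ether"] = m.group(1).lower()
    return ifaces


def mixed_scope_interfaces(ifaces):
    """Interfaces carrying both an RFC 1918 address and a non-RFC 1918 one."""
    def private(ip):
        return any(ip in net for net in RFC1918)
    out = []
    for name, info in ifaces.items():
        ips = [i.ip for i in info["inet"]]
        if any(private(ip) for ip in ips) and any(not private(ip) for ip in ips):
            out.append(name)
    return sorted(out)


def own_macs(ifaces):
    """MAC addresses of this host's own interfaces."""
    return {info["ether"] for info in ifaces.values() if info["ether"]}


def arp_cross_interface_replies(log_lines, my_macs=frozenset()):
    """Count kernel arp warnings per (interface the address is bound to,
    interface the reply arrived on). Warnings whose replying MAC belongs to
    this host are returned separately: the host heard its own reply through
    the other card, which only happens when both cards share a segment."""
    pairs, self_heard = Counter(), []
    for line in log_lines:
        m = ARP_RE.search(line)
        if not m:
            continue
        ip, bound_if, mac, reply_if = m.groups()
        pairs[(bound_if, reply_if)] += 1
        if mac.lower() in my_macs:
            self_heard.append((ip, bound_if, mac.lower(), reply_if))
    return pairs, self_heard


if __name__ == "__main__":
    print("private alias on routable NIC:", mixed_scope_interfaces(parse_ifconfig(ALIAS_HOST)))
    two = parse_ifconfig(TWO_NIC_HOST)
    pairs, self_heard = arp_cross_interface_replies(KERNEL_LOG, own_macs(two))
    for (bound_if, reply_if), n in sorted(pairs.items()):
        print(f"{n} reply/replies for {bound_if} addresses arrived on {reply_if}")
    for ip, bound_if, mac, reply_if in self_heard:
        print(f"own MAC {mac} answered for {ip} ({bound_if}) on {reply_if}: NICs share a segment")
```

Run against the thread's data it reports `fxp0` as the interface mixing a private alias with routable addresses, one warning for each direction between `xl0` and `xl1`, and the second arp line as the host hearing its own `xl0` MAC on `xl1`. A one-off cross-interface reply can be a stray frame, but a reply from one's own MAC on the other card, or a steady stream of warnings in both directions, is the same-switch condition Paul describes.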