From owner-freebsd-net@FreeBSD.ORG Wed Aug 10 14:19:18 2005
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DEC4616A41F for ; Wed, 10 Aug 2005 14:19:18 +0000 (GMT) (envelope-from cjeker@diehard.n-r-g.com)
Received: from diehard.n-r-g.com (diehard.n-r-g.com [62.48.3.9]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3273D43D48 for ; Wed, 10 Aug 2005 14:19:18 +0000 (GMT) (envelope-from cjeker@diehard.n-r-g.com)
Received: (qmail 29738 invoked by uid 1001); 10 Aug 2005 14:19:38 -0000
Date: Wed, 10 Aug 2005 16:19:16 +0200
From: Claudio Jeker
To: freebsd-net@freebsd.org
Message-ID: <20050810141938.GF31018@diehard.n-r-g.com>
Mail-Followup-To: Claudio Jeker, freebsd-net@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.8i
Subject: Re: Stranges with ARP
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Wed, 10 Aug 2005 14:19:19 -0000

On Wed, Aug 10, 2005 at 05:07:27PM +0400, Steve Langdon wrote:
> Hello all.
>
> Help me to solve some strange behaviour.
> I want to have a permanent IP->MAC binding for users in our network to
> have some security. So, once a user's MAC doesn't appear in my ARP
> table, I block his IP with ``arp -S ..' using a MAC generated by my
> script with prefix d1:fa:28.
>
> One day I had a phone call with a user; he complained about slow Internet
> speed. When I checked his IP I felt terrible :)
>
> tcpdump: listening on rl0
> 18:48:11.339543 213.238.62.65.80 > 192.168.57.90.1072: . 2091947455:2091948915(1460) ack 140637902 win 7441 (DF) [tos 0x60]
> ^C
> 561 packets received by filter
> 0 packets dropped by kernel
>
> Traffic comes to that user!
>
> root@router:~ % arp -a | grep -w 192.168.57.90
> ? (192.168.57.90) at d1:fa:28:ec:87:98 on rl0 permanent [ethernet]
> root@router:~ %
>
> While the user is blocked by _our_ generated MAC! Btw, could anyone advise
> me how to block a user's IP without touching ipfw (I am thinking of using
> route + ``-blackhole' for any user who has no MAC in my ARP
> table), any ideas?
>
>
> root@router:~ % arping 192.168.57.90
> ARPING 192.168.57.90
> 60 bytes from 00:00:f0:87:4b:ca (192.168.57.90): index=0 time=2.724 msec
> 60 bytes from 00:00:f0:87:4b:ca (192.168.57.90): index=1 time=9.966 msec
> ^C
> --- 192.168.57.90 statistics ---
> 2 packets transmitted, 2 packets received, 0% unanswered
> root@router:~ %
>
> His real MAC is 00:00:f0:87:4b:ca. I can't believe this could be. What's
> wrong?
> As I see it, all traffic must be transmitted to d1:fa:28:ec:87:98, NOT to
> 00:00:f0:87:4b:ca, and the user's NIC must ignore that packet unless his
> interface is in PROMISC mode. Or am I wrong?

Come on, have a look at the MAC address: d1:fa:28:ec:87:98. Ja ja ja, d1.
Remember the multicast bit of 802.11? No, it's the LSB of the first octet.
So your outgoing pings are actually multicasts.

-- 
:wq Claudio
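The bit Claudio points at, worked through as an added example (this is not code from the thread, from the poster's script, or from FreeBSD): a small Python module that parses MAC addresses as printed by arp(8)/arping, reports whether the I/G (group/multicast) and U/L (locally administered) bits of the first octet are set, derives a unicast, locally administered replacement from the script's d1:fa:28 prefix, and audits `arp -a` output for permanent entries pinned to a group address. The d2:fa:28 replacement prefix, the sample ARP table, and the `arp -S` invocation in the trailing comment are my assumptions; the thread proposes none of them.

```python
"""Check the I/G (multicast) and U/L (locally administered) bits of an
Ethernet MAC address and derive a unicast "sink" address from a prefix that
accidentally has the group bit set.  Added example for this thread; not code
from the original posts or from FreeBSD."""

import re

_OCTET = re.compile(r"[0-9a-f]{1,2}")

# IEEE 802 address bits, both in the first octet as transmitted:
IG_BIT = 0x01  # 1 = group (multicast/broadcast), 0 = individual (unicast)
UL_BIT = 0x02  # 1 = locally administered, 0 = globally unique (OUI-assigned)

# Constructed sample in the format the poster's `arp -a` showed (not real data).
SAMPLE = (
    "? (192.168.57.90) at d1:fa:28:ec:87:98 on rl0 permanent [ethernet]\n"
    "? (192.168.57.91) at 00:00:f0:87:4b:ca on rl0 [ethernet]\n"
)


def parse_mac(mac: str) -> bytes:
    """Parse 'xx:xx:xx:xx:xx:xx' into 6 bytes.  Leading zeros are optional
    because some arp(8) versions print e.g. 0:0:f0:87:4b:ca."""
    parts = mac.strip().lower().split(":")
    if len(parts) != 6 or not all(_OCTET.fullmatch(p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_multicast(mac: str) -> bool:
    """True when the I/G bit is set.  A switch floods such frames to every
    port and a NIC accepts them without promiscuous mode (subject only to its
    multicast filter), which is why the 'blocked' host still saw its traffic."""
    return bool(parse_mac(mac)[0] & IG_BIT)


def is_locally_administered(mac: str) -> bool:
    return bool(parse_mac(mac)[0] & UL_BIT)


def classify(mac: str) -> str:
    raw = parse_mac(mac)
    if raw == b"\xff" * 6:
        return "broadcast"
    kind = "multicast" if raw[0] & IG_BIT else "unicast"
    admin = "locally-administered" if raw[0] & UL_BIT else "globally-unique"
    return f"{kind}/{admin}"


def unicast_sink_mac(mac: str) -> str:
    """Rewrite a generated 'block' address: clear I/G so the user's NIC drops
    the frame as not-for-me (unless it is promiscuous), and set U/L so the
    result cannot collide with a vendor-assigned OUI.  d1 -> d2, i.e. the
    prefix becomes d2:fa:28 (assumed choice, not proposed in the thread).
    Caveat: a switch still floods an unknown unicast, so the frame may still
    reach the user's port; only the NIC's address filter discards it."""
    raw = bytearray(parse_mac(mac))
    raw[0] = (raw[0] & ~IG_BIT) | UL_BIT
    return format_mac(bytes(raw))


def audit_arp_table(arp_output: str) -> list:
    """Scan `arp -a` style output; return (ip, mac, advice) for every
    'permanent' entry whose MAC is a group address."""
    findings = []
    for line in arp_output.splitlines():
        m = re.search(r"\(([\d.]+)\) at ([0-9A-Fa-f:]+) on (\S+)(.*)", line)
        if not m:
            continue
        ip, mac, _iface, rest = m.groups()
        if "permanent" in rest and is_multicast(mac):
            findings.append((ip, mac, f"group address; use {unicast_sink_mac(mac)}"))
    return findings


if __name__ == "__main__":
    for ip, mac, advice in audit_arp_table(SAMPLE):
        print(f"{ip} {mac}: {advice}")
        # Re-pin with a unicast sink (assumed syntax; see arp(8) on your box):
        #   arp -S 192.168.57.90 d2:fa:28:ec:87:98
```

Running the module flags the 192.168.57.90 entry and prints the d2:fa:28 replacement. The docstring of `unicast_sink_mac` carries the practical caveat: clearing the I/G bit only makes the user's NIC discard the frame; it does not stop a switch from flooding an unknown unicast, so a host in promiscuous mode still sees the packets.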