Message-ID: <4412B84E.9000902@locolomo.org>
Date: Sat, 11 Mar 2006 12:45:18 +0100
From: Erik Nørgaard
To: Pietro Cerutti
Cc: freebsd
Subject: Re: Arplookup strange messages

Pietro Cerutti wrote:
> Hi list,
> today in the daily security report (periodic) of an i386 machine there
> is this message repeated about 30 times:
> +arplookup 0.0.0.0 failed: host is not on local network

From RFC 3330:

   0.0.0.0/8 - Addresses in this block refer to source hosts on "this"
   network. Address 0.0.0.0/32 may be used as a source address for this
   host on this network; other addresses within 0.0.0.0/8 may be used to
   refer to specified hosts on this network [RFC1700, page 4].

I think in packet filter you can specify 0/32 and it will automatically
be replaced by the IP on the relevant interface; this is useful when you
have NICs configured with DHCP. However, not all programs support this
and will instead try to make an arplookup, which is bound to fail.

So the first question is, what program causes this arplookup?

- Do you in your firewall rules specify 0/32?

- Do you have correctly set antispoofing? If your firewall does not drop
  packets from 0/8 then it may try to send a response to the invalid IP.

- Do you have DHCP configured somewhere for some host? IIRC DHCP requests
  are sent with source 0/32 to destination 255.255.255.255/0 (RFC 2131).
  Your firewall may (it shouldn't, but check anyway) incorrectly try to
  route it if you don't have the antispoofing set up.

  If DHCP configuration fails, sometimes the interface gets assigned the
  address 0/32 unless some fallback has been configured. This could be a
  client on your network that is misconfigured.

> The machine is the router (ipnat) and firewall (ipfilter) for a small
> home network.
> It runs postfix, sshd and nfsd.

My guess is to take a look at your firewall rules and check if there are
any misbehaving DHCP clients.

> Since I'm away from home now, I can't sit in front of it and check
> what's wrong. Furthermore, it seems that the machine is not accepting
> ssh logins anymore, after those strange messages.

Well, then you have a problem correcting this - maybe someone can reboot
the machine for you?

Hope this helps, Erik

-- 
Ph: +34.666334818                           web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
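
Added example, not part of the original message: a Python sketch that sorts packet records with a source inside 0.0.0.0/8 into legitimate DHCP client broadcasts (0.0.0.0:68 to 255.255.255.255:67) and traffic an antispoofing rule should drop, grouped by sender MAC to point at a misconfigured client. The record layout, the function names and the sample data are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")     # RFC 3330 "this network" block
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")
BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify(pkt):
    """Return 'normal', 'dhcp-client' or 'drop' for one packet record (hypothetical layout)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if src not in THIS_NETWORK:
        return "normal"
    # Only the DHCP client broadcast is expected to carry source 0.0.0.0.
    is_dhcp = (src == UNSPECIFIED and dst == BROADCAST
               and pkt.get("proto") == "udp"
               and pkt.get("sport") == 68 and pkt.get("dport") == 67)
    return "dhcp-client" if is_dhcp else "drop"


def suspects(packets):
    """MACs that sent packets antispoofing should drop, most frequent first."""
    drops = Counter()
    for pkt in packets:
        if classify(pkt) == "drop":
            drops[pkt["mac"]] += 1
    return drops.most_common()


# Constructed sample records; MACs are from the documentation range.
SAMPLE = [
    {"mac": "00:00:5e:00:53:01", "src": "0.0.0.0", "dst": "255.255.255.255",
     "proto": "udp", "sport": 68, "dport": 67},        # normal DHCP discover
    {"mac": "00:00:5e:00:53:02", "src": "0.0.0.0", "dst": "192.168.1.1",
     "proto": "tcp", "sport": 40000, "dport": 22},     # host stuck on 0.0.0.0
    {"mac": "00:00:5e:00:53:02", "src": "0.0.0.0", "dst": "192.168.1.1",
     "proto": "icmp"},
    {"mac": "00:00:5e:00:53:03", "src": "0.1.2.3", "dst": "192.168.1.1",
     "proto": "udp", "sport": 53, "dport": 53},        # other 0/8 source
    {"mac": "00:00:5e:00:53:04", "src": "192.168.1.20", "dst": "192.168.1.1",
     "proto": "tcp", "sport": 50000, "dport": 25},     # ordinary LAN traffic
]

if __name__ == "__main__":
    for mac, count in suspects(SAMPLE):
        print(f"{mac}: {count} packet(s) from 0.0.0.0/8 that should be dropped")
```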