Date: Sat, 11 Mar 2006 18:51:22 +0100
From: "Pietro Cerutti" <pietro.cerutti@gmail.com>
To: "Erik Nørgaard" <norgaard@locolomo.org>
Cc: freebsd <freebsd-questions@freebsd.org>
Subject: [SOLVED] Re: Arplookup strange messages
Message-ID: <e572718c0603110951o7de39a51k81b289a96a8a3218@mail.gmail.com>
In-Reply-To: <4412B84E.9000902@locolomo.org>
References: <e572718c0603110303y69d33c67l4b683cbcf26f5061@mail.gmail.com> <4412B84E.9000902@locolomo.org>

Hi Erik and List,

yesterday my cable modem went down for a while due to a problem on the line.
This also is the reason why I couldn't connect to the machine ;-)

My external interface (rl0) receives the IP address from the cable modem
via DHCP, and when the line is down the modem assigns a private IP to
the machine.

In /var/log/messages, the logs of the new DHCP lease are followed by
the ones of arplookup:

Mar 10 15:19:24 gahr dhclient: New IP Address (rl0): 192.168.100.10
Mar 10 15:19:24 gahr dhclient: New Subnet Mask (rl0): 255.255.255.0
Mar 10 15:19:24 gahr dhclient: New Broadcast Address (rl0): 192.168.100.255
Mar 10 15:19:24 gahr dhclient: New Routers (rl0): 192.168.100.1
Mar 10 15:19:53 gahr kernel: arplookup 0.0.0.0 failed: host is not on local network
Mar 10 15:20:24 gahr kernel: arplookup 0.0.0.0 failed: host is not on local network

So the problem only arises when the cable modem is down, and when line
failures happen, the arplookup messages really aren't the things I
worry about.

Thank you!

Best Regards,

On 3/11/06, Erik Nørgaard <norgaard@locolomo.org> wrote:
> Pietro Cerutti wrote:
> > Hi list,
> > today in the daily security report (periodic) of an i386 machine there
> > is this message repeated about 30 times:
> > +arplookup 0.0.0.0 failed: host is not on local network
>
> From rfc 3330:
>
> 0.0.0.0/8 - Addresses in this block refer to source hosts on "this"
> network. Address 0.0.0.0/32 may be used as a source address for this
> host on this network; other addresses within 0.0.0.0/8 may be used to
> refer to specified hosts on this network [RFC1700, page 4].
>
> I think in packet filter you can specify 0/32 and it will automatically
> be replaced by the ip on the relevant interface, this is useful when you
> have nics configured with dhcp.
>
> However, not all programs support this and will instead try to make an
> arplookup which is bound to fail.
>
> So first question is, what program causes this arplookup?
>
> - Do you in your firewall rules specify 0/32?
>
> - Do you have correctly set antispoofing?
>
> If your firewall does not drop packets from 0/8 then it may try to send
> a response to the invalid ip.
>
> - Do you have dhcp configured somewhere for some host?
>
> IIRC dhcp requests are sent with source 0/32 to destination
> 255.255.255.255/0 (rfc 2131). Your firewall may (it shouldn't, but check
> anyway) incorrectly try to route it if you don't have the antispoofing
> setup. If dhcp configuration fails, sometimes the interface gets
> assigned the address 0/32 unless some fallback has been configured.
>
> This could be a client on your network that is misconfigured.
>
> > The machine is the router (ipnat) and firewall (ipfilter) for a small
> > home network.
> > It runs postfix, sshd and nfsd.
>
> My guess is to take a look at your firewall rules and check if there are
> any misbehaving dhcp clients.
>
> > Since I'm away from home now, I can't sit in front of it and check
> > what's wrong. Furthermore, it seems that the machine is not accepting
> > ssh logins anymore, after those strange messages.
>
> Well, then you have a problem correcting this - maybe someone can reboot
> the machine for you?
>
> Hope this helps, Erik
>
> --
> Ph: +34.666334818 web: http://www.locolomo.org
> S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
> Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
> Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
>

--
Pietro Cerutti <pietro.cerutti@gmail.com>

Non lasciar calpestare i TUOI diritti!
Don't let 'em take YOUR rights!

NO al Trusted Computing!
Say NO to Trusted Computing!

www.no1984.org
www.againsttcpa.com
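
The correlation described in this message, as an added example that is not code from either poster: it walks a syslog excerpt, tracks the address dhclient last leased on the external interface, and separates `arplookup 0.0.0.0` failures logged during an RFC 1918 (modem fallback) lease from those that still call for the firewall and DHCP-client checks suggested in the quoted reply. The names `classify` and `parse_ts`, the year 2006, and the last two sample log lines are assumptions made for the example.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: first four lines follow the log quoted above; the
# 203.0.113.25 lease and the 18:40:00 failure are invented for contrast.
SAMPLE_LOG = """\
Mar 10 15:19:24 gahr dhclient: New IP Address (rl0): 192.168.100.10
Mar 10 15:19:24 gahr dhclient: New Routers (rl0): 192.168.100.1
Mar 10 15:19:53 gahr kernel: arplookup 0.0.0.0 failed: host is not on local network
Mar 10 15:20:24 gahr kernel: arplookup 0.0.0.0 failed: host is not on local network
Mar 10 16:02:10 gahr dhclient: New IP Address (rl0): 203.0.113.25
Mar 10 18:40:00 gahr kernel: arplookup 0.0.0.0 failed: host is not on local network
"""

# Explicit RFC 1918 list: ipaddress.is_private also covers other reserved blocks.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
STAMP = r"^(\w{3}\s+\d+ [\d:]{8}) \S+ "
LEASE = re.compile(STAMP + r"dhclient: New IP Address \((\w+)\): ([\d.]+)")
ARPFAIL = re.compile(STAMP + r"kernel: arplookup 0\.0\.0\.0 failed")

def parse_ts(stamp, year=2006):
    # syslog lines carry no year; 2006 is assumed from the date of the message
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def classify(log_text, ext_if="rl0"):
    """Split arplookup 0.0.0.0 failures by the lease ext_if held at the time.

    Returns (explained, unexplained): failures logged while ext_if held an
    RFC 1918 lease (modem fallback), and all others, which still need review.
    """
    lease = None  # address most recently leased on ext_if, if any
    explained, unexplained = [], []
    for line in log_text.splitlines():
        m = LEASE.match(line)
        if m and m.group(2) == ext_if:
            try:
                lease = ip_address(m.group(3))
            except ValueError:
                lease = None  # malformed address: treat lease state as unknown
            continue
        m = ARPFAIL.match(line)
        if m:
            on_fallback = lease is not None and any(lease in n for n in RFC1918)
            (explained if on_fallback else unexplained).append(parse_ts(m.group(1)))
    return explained, unexplained

if __name__ == "__main__":
    ok, review = classify(SAMPLE_LOG)
    print(f"{len(ok)} during private lease, {len(review)} to review: {review}")
```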