From owner-freebsd-questions@FreeBSD.ORG Sat Mar 11 17:51:25 2006 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 235F516A41F for ; Sat, 11 Mar 2006 17:51:25 +0000 (GMT) (envelope-from pietro.cerutti@gmail.com) Received: from nproxy.gmail.com (nproxy.gmail.com [64.233.182.196]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6E12C43D55 for ; Sat, 11 Mar 2006 17:51:24 +0000 (GMT) (envelope-from pietro.cerutti@gmail.com) Received: by nproxy.gmail.com with SMTP id x30so695725nfb for ; Sat, 11 Mar 2006 09:51:23 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=sRezK7LrtbBTo9mLfm5bv+cA31sSzrqpkPNWDYEbra+b4+rmeSImX3iN+P6MWMaOotD6TeoyIALNPT5h5OeEE3kGMQelaEEHCICUUxGMOhgf80c24SA8gnh7bPcYXj/vfv6bOMUbpRNZzRmVJt8ImjQ65XJiR9DJqLcJ2uu28LU= Received: by 10.48.214.3 with SMTP id m3mr7961nfg; Sat, 11 Mar 2006 09:51:23 -0800 (PST) Received: by 10.49.30.6 with HTTP; Sat, 11 Mar 2006 09:51:22 -0800 (PST) Message-ID: Date: Sat, 11 Mar 2006 18:51:22 +0100 From: "Pietro Cerutti" To: "=?ISO-8859-1?Q?Erik_N=F8rgaard?=" In-Reply-To: <4412B84E.9000902@locolomo.org> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <4412B84E.9000902@locolomo.org> Cc: freebsd Subject: [SOLVED] Re: Arplookup strange messages X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 11 Mar 2006 17:51:25 -0000 Hi Erik and List, yesterday my calbe modem went down for a while due to a problem on the line= . This also is the reason why I couldn't connect to the machine ;-) My external interface (rl0) recieves the IP address from the cable modem via DHCP, and when the line is down the modem assigns a private IP to the machine. In /var/log/messages, the logs of the new DHCP lease are followed from the ones of arplookup: Mar 10 15:19:24 gahr dhclient: New IP Address (rl0): 192.168.100.10 Mar 10 15:19:24 gahr dhclient: New Subnet Mask (rl0): 255.255.255.0 Mar 10 15:19:24 gahr dhclient: New Broadcast Address (rl0): 192.168.100.255 Mar 10 15:19:24 gahr dhclient: New Routers (rl0): 192.168.100.1 Mar 10 15:19:53 gahr kernel: arplookup 0.0.0.0 failed: host is not on local network Mar 10 15:20:24 gahr kernel: arplookup 0.0.0.0 failed: host is not on local network So the problem only raises when the cable modem is down, and when line failures happen, the arplookup messages really aren't the things I worry about.. Thank you! Best Regards, On 3/11/06, Erik N=F8rgaard wrote: > Pietro Cerutti wrote: > > Hi list, > > today in the daily security report (periodic) of a i386 machine there > > is this message repeated about 30 times: > > +arplookup 0.0.0.0 failed: host is not on local network > > From rfc 3330: > > 0.0.0.0/8 - Addresses in this block refer to source hosts on "this" > network. Address 0.0.0.0/32 may be used as a source address for this > host on this network; other addresses within 0.0.0.0/8 may be used to > refer to specified hosts on this network [RFC1700, page 4]. > > I think in packet filter you can specify 0/32 and it will automatically > be replaced by the ip on the relevant interface, this is useful when you > have nics configured with dhcp. > > However, not all programs support this and will instead try to make an > arplookup which is bound to fail. > > So first question is, what program causes this arplookup? > > - Do you in your firewall rules specify 0/32? > > - Do you have correctly set antispoofing? > > If your firewall does not drop packets from 0/8 then it may try to send > a response to the invalid ip. > > - Do you have dhcp configured somewhere for some host? > > IIRC dhcp requests are sent with source 0/32 to destination > 255.255.255.255/0 (rfc 2131). Your firewall may (it shouldn't, but check > anyway) incorrectly try to route it if you don't have the antispoofing > setup. If dhcp configuration fails, sometimes the interface gets > assigned the address 0/32 unless some fallback have been configured. > > This could be a client on your network that is misconfigured. > > > The machine is the router (ipnat) and firewall (ipfilter) for a small > > home network. > > It runs postfix, sshd and nfsd. > > My guess is to take a look at your firewall rules and check if there are > any misbehaving dhcp clients. > > > Since I'm away from home now, I can't sit in front of it and check > > what's wrong. Furthermore, it seams that the machine is not accepting > > ssh logins anymore, after those strange messages. > > Well, then you have a problem correcting this - maybe someone can reboot > the machine for you? > > Hope this helps, Erik > > -- > Ph: +34.666334818 web: http://www.locolomo.org > S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt > Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9 > Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2 > -- Pietro Cerutti Non lasciar calpestare i TUOI diritti! Don't let 'em take YOUR rights! NO al Trusted Computing! Say NO to Trusted Computing! www.no1984.org www.againsttcpa.com