From owner-freebsd-security Thu Jul 18 13: 4: 9 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8AF8937B400 for ; Thu, 18 Jul 2002 13:04:01 -0700 (PDT)
Received: from localhost.neotext.ca (h24-70-64-200.ed.shawcable.net [24.70.64.200]) by mx1.FreeBSD.org (Postfix) with ESMTP id AFD6543E58 for ; Thu, 18 Jul 2002 13:03:59 -0700 (PDT) (envelope-from campbell@babayaga.neotext.ca)
Received: from babayaga.neotext.ca (localhost.neotext.ca [127.0.0.1]) by localhost.neotext.ca (8.11.6/8.11.0) with ESMTP id g6IK47X01052 for ; Thu, 18 Jul 2002 14:04:08 -0600 (MDT) (envelope-from campbell@babayaga.neotext.ca)
From: "Duncan Patton a Campbell is Dhu"
To: freebsd-security@FreeBSD.ORG
Subject: RE: wierdness in my security report
Date: Thu, 18 Jul 2002 14:04:07 -0600
Message-Id: <20020718200407.M28012@babayaga.neotext.ca>
In-Reply-To:
References: <027101c22e86$dc4fae20$95e2910c@fbccarthage.com>
X-Mailer: Open WebMail 1.70 20020712
X-OriginatingIP: 127.0.0.1 (campbell)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I've had something that looked like this. Is it possible that your ISP maintains an IP <-> MAC (ethernet) mapping somewhere? What is happening is that 12.236.220.1 is moving from one ethernet address/card to another (and back). I guess their router claims 12.236.220.1 is attached to it, while you also have an ethernet card in the box 12.236.220.1 that is arping out in complete disagreement. IFF you are using static routing (unless you have some reason for it ;-) you should switch to DHCP and a setup that requests a specific IP.
Edit this for your /etc/dhclient.conf:

    # Change this to your ethercard's device name
    interface "ed0" {
        # Add hostname
        send host-name "your.host.na";
        # Get your ethercard's hardware (MAC) address from ifconfig -a and put it here:
        send dhcp-client-identifier hh:hh:hh:hh:hh:hh;
        send dhcp-lease-time 36000;
        # Put all forms of your machine's name
        supersede domain-name "your.host.na www.host.ca host.na";
        # IF and only IF you are running a DNS
        # prepend domain-name-servers 127.0.0.1;
        # domain-name-servers must also be requested, otherwise the
        # "require" line below rejects every offer for lacking it
        request subnet-mask, broadcast-address, time-offset, routers,
                domain-name, domain-name-servers;
        require subnet-mask, domain-name-servers;
        script "/sbin/dhclient-script";
        media "media 10baseT/UTP";
    }

This will permit DHCP to negotiate the underprotocols for ethernet mapping (arp >< rarp etc.) so you won't see all that noise in your messages log.

Duncan Patton a Campbell is Duibh ;-)

---------- Original Message -----------
From: "Jim Laurenson"
To: "Kevin Kinsey, DaleCo, S.P." , "Craig Miller" , "freebsd-security"
Sent: Thu, 18 Jul 2002 12:47:08 -0600
Subject: RE: wierdness in my security report

> My setup included multiple machines (2 of them, one running 4.3 and the
> other running 4.4, both getting the error listed below) connected through
> a DOCSIS modem. These errors started just after the systems were built.
> After one of the systems became redundant I removed it from the network
> and the errors disappeared from the other system. Yet neither of the
> systems' error messages were mentioning the other, just the MAC address
> of the Cisco router on my ISP's side.
>
> Jim Laurenson
>
> -----Original Message-----
> From: Kevin Kinsey, DaleCo, S.P. [mailto:kdk@daleco.biz]
> Sent: July 18, 2002 12:14 PM
> To: Jim Laurenson; Craig Miller; freebsd-security
> Subject: Re: wierdness in my security report
>
> Somebody, somewhere, changed something that changed a route your kernel
> had established. How many machines in your LAN? What are the chances one
> has a new NIC?
>
> KDK
>
> ----- Original Message -----
> From: Jim Laurenson
> To: Craig Miller ; freebsd-security
> Sent: Thursday, July 18, 2002 12:53 PM
> Subject: RE: wierdness in my security report
>
> I have found the same logs on one of my older builds (4.3 I think). The
> offending MAC address was found to be a Cisco router on my ISP's network.
> I found no solution for it though.
>
> Jim Laurenson
>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Craig Miller
> Sent: July 18, 2002 11:47 AM
> To: freebsd-security
> Subject: wierdness in my security report
>
> Anyone have any ideas as to what might be causing the following to appear
> in my security report?
>
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
>
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
>
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
>
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
>
> I thought those : delimited fields would be MAC addresses, but they don't
> match the MAC addresses of either of the two cards in my FreeBSD box. I
> have not checked the MAC addresses of the other network cards on my
> network.
>
> Also, where does the "server /kernel" name come from? "kernel" is not the
> name I gave my kernel, so I am suspicious.
>
> Thanks,
>
> --Craig
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
------- End of Original Message -------
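The thread reads the two kernel lines by eye and concludes that 12.236.220.1 is bouncing between two hardware addresses rather than moving once. As an added example (not code from the thread or from FreeBSD), the script below does that check over a messages log: it parses the kernel's "arp: IP moved from OLD to NEW on IF" lines and separates a one-off move (consistent with a replaced NIC, as Kevin suggests) from flapping (the IP returning to an address it has already left, as in Craig's report). The sample log is constructed here from the two quoted lines plus an invented one-time move for a second host; the host 10.0.0.9 and its addresses are placeholders.

```python
"""Summarize FreeBSD kernel 'arp: ... moved from ... to ...' messages.

Added example: parses syslog-style lines, groups address moves per
(IP, interface), and flags flapping (the IP goes back to a hardware
address it was already seen leaving) separately from a single move.
"""
import re

ARP_MOVED = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    r"(?P<old>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) to "
    r"(?P<new>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) on (?P<ifname>\w+)"
)

# Constructed sample: the two lines quoted in the thread, an invented
# one-time move for a placeholder host, and one unrelated line.
SAMPLE_LOG = """\
Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
Jul 17 09:12:03 server /kernel: arp: 10.0.0.9 moved from 00:00:00:aa:bb:01 to 00:00:00:aa:bb:02 on dc0
Jul 17 09:12:04 server sshd[123]: unrelated line that must be ignored
"""


def parse_arp_moves(text):
    """Return a list of dicts (ip, old, new, ifname) for every arp-moved line."""
    events = []
    for line in text.splitlines():
        m = ARP_MOVED.search(line)
        if not m:
            continue
        ev = m.groupdict()
        # normalise case so the same address written differently compares equal
        ev["old"] = ev["old"].lower()
        ev["new"] = ev["new"].lower()
        events.append(ev)
    return events


def summarize(events):
    """Group moves per (ip, ifname): move count, all MACs seen, flapping flag."""
    summary = {}
    for ev in events:
        key = (ev["ip"], ev["ifname"])
        s = summary.setdefault(key, {"moves": 0, "macs": set(), "flapping": False})
        # Flapping: the IP returns to a hardware address we already saw it leave.
        # A single move to a never-seen address is what a replaced NIC looks like.
        if ev["new"] in s["macs"]:
            s["flapping"] = True
        s["macs"].update((ev["old"], ev["new"]))
        s["moves"] += 1
    return summary


def report(text):
    """Human-readable one line per (ip, ifname), flapping entries first."""
    lines = []
    for (ip, ifname), s in sorted(summarize(parse_arp_moves(text)).items(),
                                   key=lambda kv: (not kv[1]["flapping"], kv[0])):
        kind = "FLAPPING" if s["flapping"] else "single move"
        lines.append("%s on %s: %d move(s), %s, addresses: %s"
                     % (ip, ifname, s["moves"], kind, ", ".join(sorted(s["macs"]))))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against /var/log/messages instead of SAMPLE_LOG to see whether a given IP is flapping between two addresses (two devices answering for the same IP, as Duncan describes) or has simply moved once.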