From owner-freebsd-security Thu Jul 18 14:15:39 2002
Date: Thu, 18 Jul 2002 17:25:07 -0400
From: Dragan Mickovic
To: "Z. Frazier"
Cc: faSty, Craig Miller, freebsd-security@freebsd.org
Subject: Re: wierdness in my security report
Message-ID: <20020718172507.A40165@verio.net>
References: <20020718204203.GA71330@i-sphere.com>

As somebody previously stated on this list, this is normal for HSRP.
12.236.220.1 is a virtual IP and has 2 or more switches in the background.
So anytime the primary goes down (reset, overload, load balancing, error),
the HSRP will switch to the backup line and therefore the MAC address will
change. I don't know how they have it configured, but if the primary comes
back to normal operation and has a higher priority than the secondary switch
the RP will go back to using the primary switch and therefore will change
the MAC address again.

dragan

On Thu, Jul 18, 2002 at 01:52:51PM -0700, Z. Frazier wrote:
>
> I don't have my logs in front of me, but I remember getting something
> similar when my ATT cable connection goes down.
>
> You are right that they disagree over who gets the IP address, the owner
> will switch every time the ATT network goes down and comes back up.
>
> I am however basing most of this on what a friend told me about my similar
> logs.
>
> The good news is that you can parse your logs for such events and get
> reimbursed for the time your network was down.
>
>
> -zach
>
> On Thu, 18 Jul 2002, faSty wrote:
>
> > Do you have bridge on your server?
> >
> > I have that same similar and the bridge 2 ethernet port fight over who master the
> > primary IP address.
> >
> > -fasty
> >
> > On Thu, Jul 18, 2002 at 10:47:21AM -0700, Craig Miller wrote:
> > > Anyone have any ideas as to what might be causing the following to appear in my security report?
> > >
> > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> > > Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> > > Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> > >
> > > I thought those : delimited fields would be MAC addresses, but they don't match the MAC addresses of either of the two cards in my free-bsd box. I have not checked the MAC addresses of the other network cards on my network.
> > >
> > > Also, where does the "server /kernel" name come from? "kernel" is not the name I gave my kernel, so I am suspicious.
> > >
> > > Thanks,
> > >
> > > --Craig

-- 
Dragan Mickovic
UNIX Systems Administrator
NTT/Verio
x.4012

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
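
Added example (not part of the original thread or written by its participants): a Python sketch of the log parsing mentioned in the thread. It groups the kernel's "arp: ... moved from ... to ..." lines by IP and separates an address bouncing between two MACs with the same vendor prefix, the failover pattern described in the reply, from any other move. The heuristic, the function names and the third sample line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two kernel lines quoted in the thread, plus one
# made-up line (192.0.2.1 is a documentation address) moving to another MAC.
SAMPLE_LOG = """\
Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
Jul 17 06:10:02 server /kernel: arp: 192.0.2.1 moved from 00:b0:64:b7:6f:54 to 02:00:5e:10:00:01 on dc0
"""

MOVE_RE = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    r"(?P<old>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) to "
    r"(?P<new>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifname>\S+)", re.I)

def oui(mac):
    """First three octets of a MAC address (the vendor prefix)."""
    return mac.lower()[:8]

def summarize_moves(log_text):
    """Return {ip: {"moves": n, "macs": set, "same_vendor": bool, "flip_flop": bool}}."""
    seen = defaultdict(lambda: {"moves": 0, "macs": set()})
    for line in log_text.splitlines():
        m = MOVE_RE.search(line)
        if not m:
            continue
        entry = seen[m["ip"]]
        entry["moves"] += 1
        entry["macs"].update({m["old"].lower(), m["new"].lower()})
    for entry in seen.values():
        entry["same_vendor"] = len({oui(x) for x in entry["macs"]}) == 1
        # Assumed heuristic: an IP bouncing between exactly two MACs is
        # consistent with gateway failover; it is a hint, not proof.
        entry["flip_flop"] = entry["moves"] >= 2 and len(entry["macs"]) == 2
    return dict(seen)

def needs_review(summary):
    """IPs whose moves are not a two-MAC, same-vendor flip-flop."""
    return sorted(ip for ip, e in summary.items()
                  if not (e["same_vendor"] and e["flip_flop"]))

if __name__ == "__main__":
    result = summarize_moves(SAMPLE_LOG)
    for ip, e in result.items():
        print(ip, e["moves"], sorted(e["macs"]), e["same_vendor"], e["flip_flop"])
    print("review:", needs_review(result))
```

An address that lands in the review list is only a prompt to compare the new MAC against the known gateway hardware; the script does not decide whether a move is malicious.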