From: Modulok
To: Brent Jones
Date: Mon, 17 Mar 2008 03:29:04 -0600
Cc: freebsd-questions@freebsd.org
Subject: Re: ARP(4) spoofing?

> > Would this be ARP(4) spoofing, or is it just me? How would I
> > confirm it?
> >
> > arp: 192.168.1.1 is on lo0 but got reply from xx:xx:xx:xx:xx:xx on em1
> > This is on a FreeBSD router, em1 is Internet-facing. 192.168.1.1 (em0)
> > is LAN facing and permanent entry in the arp cache. This happens
> > constantly and is slowly filling my log files.
>
> What does an "ifconfig -a" on your machine show? It looks like you've
> configured your loopback interface to also have 192.168.1.1

[-]Modulok> ifconfig -au inet
em0: flags=8843 mtu 1500
        options=b
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
em1: flags=8843 mtu 1500
        options=b
        inet 66.x.x.x netmask 0xffffff80 broadcast 66.x.x.255
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000

Just for fun, the entry in the arp cache:

[-]Modulok> arp -an | grep 192.168.1.1
? (192.168.1.1) at (myEthernetAddress) on em0 permanent [ethernet]

Concerning the arp(4) DIAGNOSTICS section (just thinking aloud here):

"Physical connections exist to the same logical IP network on both if0 and if1."

Doubtful:

LAN---em0[FreeBSD]em1---modem---Internet

"an entry already exists in the ARP cache ... and the cable has been disconnected from if0, then reconnected to if1."

Nope.

"This message can only be issued if the sysctl net.link.ether.inet.log_arp_wrong_iface is set to 1"

While I could set the relevant sysctl variable to prevent it from being logged (which I'll probably end up doing), when strange things happen, I usually like to know about them.

Disable the dynamic ARP cache on the external interface and make permanent entries to the ISP's gateway and DNS servers? Perhaps. However, in the event they ever change hardware (and fail to spoof their previous ethernet address), I'd have to manually edit the ARP cache...at 3:00am...on a Sunday. Plus these ARP replies, while annoying, are not really harming anything, as FreeBSD's ARP appears to prevent address takeover via gratuitous, unsolicited, impersonating ARP replies.

Come to think of it, that might be it. I haven't looked into whether or not these are replies triggered by requests from the local host (if only I knew a way to do such a thing). Logic initially rejects the notion, as why would this box be sending out a gratuitous ARP request every 10 minutes through the wrong interface for the given address?

Strange place, this Interweb.

-Modulok-
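As an added example (not part of the thread or of FreeBSD), a small Python triage script that parses the "X is on if0 but got reply from MAC on if1" messages discussed above, checks each against `arp -an` output, and reports how regularly they recur; the log lines and ARP table are constructed samples, not the poster's data.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed syslog lines shaped like arp(4)'s log_arp_wrong_iface messages (hosts and MACs made up).
SAMPLE_LOG = """\
Mar 17 02:10:01 router kernel: arp: 192.168.1.1 is on lo0 but got reply from 00:11:22:33:44:55 on em1
Mar 17 02:20:01 router kernel: arp: 192.168.1.1 is on lo0 but got reply from 00:11:22:33:44:55 on em1
Mar 17 02:30:02 router kernel: arp: 192.168.1.1 is on lo0 but got reply from 00:11:22:33:44:55 on em1
Mar 17 02:31:15 router kernel: arp: 192.168.1.20 is on em0 but got reply from de:ad:be:ef:00:01 on em1
Mar 17 02:32:00 router sshd[1234]: Accepted publickey for alice from 192.168.1.20
"""
# Constructed `arp -an` output for the same router (the LAN address is a permanent entry).
SAMPLE_ARP = """\
? (192.168.1.1) at 00:aa:bb:cc:dd:ee on em0 permanent [ethernet]
? (192.168.1.20) at 00:aa:bb:cc:dd:20 on em0 expires in 1200 seconds [ethernet]
"""
WRONG_IFACE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*arp: (?P<ip>[\d.]+) is on (?P<have>\S+) "
    r"but got reply from (?P<mac>[0-9a-f:]{17}) on (?P<got>\S+)")
ARP_ENTRY_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on (?P<iface>\S+)")

def parse_arp_table(text):
    """Map IP -> (mac, iface) from `arp -an` output."""
    return {m["ip"]: (m["mac"], m["iface"]) for m in ARP_ENTRY_RE.finditer(text)}

def classify(event, table):
    """Explain one wrong-interface reply against the local ARP table."""
    if event["have"] == "lo0":
        # "is on lo0" means the kernel holds this address itself, so another station is answering for our IP.
        return "foreign station answers for a local address"
    cached = table.get(event["ip"])
    if cached and cached[0] != event["mac"]:
        return "MAC differs from cached entry on %s" % cached[1]
    return "reply arrived on unexpected interface"

def summarize(log_text, arp_text):
    """Group events by (ip, mac, iface): count, verdict, and seconds between consecutive hits."""
    table = parse_arp_table(arp_text)
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = WRONG_IFACE_RE.match(line)
        if m:
            groups[(m["ip"], m["mac"], m["got"])].append(m.groupdict())
    report = {}
    for key, events in groups.items():
        times = [datetime.strptime(e["ts"], "%b %d %H:%M:%S") for e in events]
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[key] = {"count": len(events), "verdict": classify(events[0], table), "gaps": gaps}
    return report
```

A steady gap (here about 600 s) points at something scheduled rather than replies triggered by local requests; running `tcpdump -ni em1 arp` alongside the log shows whether a request from the router preceded each reply.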