Date: Wed, 3 Jan 2001 11:04:35 +0100
From: "Weert de G.H. Gert" <gert.de.weert@travelunie.nl>
To: <cjclark@alum.mit.edu>
Cc: <freebsd-questions@freebsd.org>
Subject: Re: Arp messages, probably nothing to worry about...
Message-ID: <005001c0756c$9377e5c0$04470096@C01076>
References: <003301c0755c$1d3f42a0$04470096@C01076> <20010103013334.C95729@rfx-64-6-211-149.users.reflexco>
----- Original Message -----
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: "Weert de G.H. Gert" <gert.de.weert@travelunie.nl>
Cc: <freebsd-questions@FreeBSD.ORG>
Sent: Wednesday, January 03, 2001 10:33 AM
Subject: Re: Arp messages, probably nothing to worry about...

> On Wed, Jan 03, 2001 at 09:06:45AM +0100, Weert de G.H. Gert wrote:
> >
> > Can anyone explain to me what causes these messages?
> >
> > ep0 is connected to a lan, ep1 is my connection to @home.
>
> Most of the time this happens when someone plugs two NICs into one
> collision domain. It does not look like you have done this. Good.
>
> Ouch, some ugly linewrapping happened somewhere

Sorry, just using Outlook...

> > ; ------------------------------
> > Dec 28 11:46:49 obelix /kernel: arp: unknown hardware address format
> > (0x0800)
>
> Harmless. Someone is sending out ARP messages FreeBSD does not
> understand, but it does not need to.

Ok, I will ignore these messages from now on.

> > Dec 28 13:31:12 obelix /kernel: arp: 192.168.1.3 is on ep0 but got
> > reply from 00
> > :10:5a:dc:21:cb on ep1
>
> Since the MAC address is different from the one off of ep0 and also
> different from the next one, my best guess is some other luzer on
> your LAN has plugged his "private" network into a hub along with the
> connection to his cable modem. His "private" network is part of the
> public LAN.

Ok. But I have a couple of firewall rules to block this. At least I thought it is.

# Stop RFC1918 nets on the outside interface
/sbin/ipfw add 200 deny all from 192.168.0.0/16 to any in via ep1
/sbin/ipfw add 210 deny all from 172.16.0.0/12 to any in via ep1
/sbin/ipfw add 220 deny all from 10.0.0.0/8 to any in via ep1
#

> > Dec 28 13:31:12 obelix /kernel: arp: 192.168.1.3 is on ep0 but got
> > reply from 00
> > :00:c5:76:db:1e on ep1
>
> Oy. Looks like you have more than one winner out there with a
> misconfigured home LAN.
>
> > Dec 28 13:59:22 obelix /kernel: arp: 192.168.1.1 is on lo0 but got
> > reply from 00
> > :10:5a:dc:21:cb on ep1
> > Dec 28 13:59:22 obelix /kernel: arp: 192.168.1.1 is on lo0 but got
> > reply from 00
> > :00:c5:76:db:1e on ep1
>
> That looks scary with those lo0's out there. These are the same two
> MACs that we see above... Hmmm... Something else strange might be
> going on.
>
> > Dec 28 15:18:23 obelix /kernel: arp: unknown hardware address format
> > (0x0800)
> >
> > ; ------------------------------
> > [root@obelix] /var/log # arp -a
> > obelix.wnw.org (192.168.1.1) at 0:50:4:1a:ab:a0 permanent [ethernet]
> > asterix.wnw.org (192.168.1.2) at (incomplete) [ethernet]
> > idefix.wnw.org (192.168.1.3) at 0:60:8c:df:c5:2 [ethernet]
> > ? (192.168.1.255) at ff:ff:ff:ff:ff:ff permanent [ethernet]
> > ? (213.51.104.1) at 0:50:f:a9:a0:1c [ethernet]
>
> And this MAC is different from the two above. Looks like your cable
> modem is acting like a real bridge. What kind is it?

It's a (standard) com21 cable modem.

> > ; ------------------------------
> > [root@obelix] /var/log # ifconfig -a
> > ep0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
> >         ether 00:50:04:1a:ab:a0
> >         media: 10baseT/UTP
> >         supported media: 10baseT/UTP
> > ep1: flags=c843<UP,BROADCAST,RUNNING,SIMPLEX,LINK2,MULTICAST> mtu 1500
> >         inet 213.51.104.92 netmask 0xfffff800 broadcast 213.51.111.255
> >         ether 00:60:08:d4:12:9d
> >         media: 10baseT/UTP
> >         supported media: 10base2/BNC 10baseT/UTP
> > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> >         inet 127.0.0.1 netmask 0xff000000
> > ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> >
> > ; ------------------------------
> > [root@obelix] /var/log # netstat -r
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags     Refs     Use     Netif
> > Expire
> > default            213.51.104.1       UGSc       46  1943506      ep1
> > localhost          localhost          UH          1    55422      lo0
> > 192.168.1          link#1             UC          0        0      ep0
> > =>
> > obelix             0:50:4:1a:ab:a0    UHLW        1   130527      lo0
> > asterix            link#1             UHLW        1  1925292      ep0
> > =>
> > idefix             0:60:8c:df:c5:2    UHLW        1      966      ep0
> > 218
> > 192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWb       3    10133      ep0
> > 213.51.104/21      link#2             UC          0        0      ep1
> > =>
> > 213.51.104.1       0:50:f:a9:a0:1c    UHLW       46        0      ep1
> > 1199
>
> Everything else seems to look OK. Ignore the unknown address
> formats. As for the other issues, there is the potential for that to
> make trouble, but it most likely those messages will be the worst
> effect. If it is someone leaking the RFC1918 addresses onto the LAN,
> you can try to get them to stop or try to get the ISP to do something,
> but that will probably take considerable effort. It would probably be
> easier to just pick up your 192.168.1.0/24 net and move it to a less
> used block, 192.168.31.0, 192.168.214.0, etc. if that is the problem.

Ok, that's an option I will use if nothing else helps.

> --
> Crist J. Clark                           cjclark@alum.mit.edu

Thanks

Gert de Weert
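
Added example, not part of the original messages: a Python summary of the "is on ... but got reply from" kernel messages quoted in this thread, grouped by sender MAC and compared with the `arp -a` table from the same message. The log lines are reassembled from the wrapped excerpt, and the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Kernel message format as it appears in the log quoted in this thread.
ARP_MISMATCH = re.compile(
    r"arp: (?P<ip>\d+\.\d+\.\d+\.\d+) is on (?P<expected>\w+) "
    r"but got reply from (?P<mac>[0-9a-fA-F:]+) on (?P<seen>\w+)"
)

def norm_mac(mac):
    """Zero-pad each octet so '0:50:4:1a:ab:a0' equals '00:50:04:1a:ab:a0'."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def summarize(log_lines, known_neighbors):
    """Group mismatch messages by sender MAC; known_neighbors maps IP -> MAC."""
    known = {norm_mac(m) for m in known_neighbors.values()}
    report = defaultdict(lambda: {"ips": set(), "seen_on": set(), "count": 0})
    for line in log_lines:
        m = ARP_MISMATCH.search(line)
        if not m:
            continue  # e.g. the "unknown hardware address format" lines
        mac = norm_mac(m["mac"])
        entry = report[mac]
        entry["ips"].add(m["ip"])          # inside addresses this MAC answered for
        entry["seen_on"].add(m["seen"])    # interface the reply arrived on
        entry["count"] += 1
        entry["known"] = mac in known      # does it match any arp -a entry?
    return dict(report)

# Log lines reassembled from the wrapped excerpt in the message above.
SAMPLE_LOG = """\
Dec 28 11:46:49 obelix /kernel: arp: unknown hardware address format (0x0800)
Dec 28 13:31:12 obelix /kernel: arp: 192.168.1.3 is on ep0 but got reply from 00:10:5a:dc:21:cb on ep1
Dec 28 13:31:12 obelix /kernel: arp: 192.168.1.3 is on ep0 but got reply from 00:00:c5:76:db:1e on ep1
Dec 28 13:59:22 obelix /kernel: arp: 192.168.1.1 is on lo0 but got reply from 00:10:5a:dc:21:cb on ep1
Dec 28 13:59:22 obelix /kernel: arp: 192.168.1.1 is on lo0 but got reply from 00:00:c5:76:db:1e on ep1
""".splitlines()

# Neighbour table copied from the `arp -a` output in the message above.
ARP_TABLE = {
    "192.168.1.1": "0:50:4:1a:ab:a0",
    "192.168.1.3": "0:60:8c:df:c5:2",
    "213.51.104.1": "0:50:f:a9:a0:1c",
}

if __name__ == "__main__":
    for mac, e in sorted(summarize(SAMPLE_LOG, ARP_TABLE).items()):
        status = "known" if e["known"] else "UNKNOWN"
        print(mac, sorted(e["ips"]), sorted(e["seen_on"]), e["count"], status)
```

The ipfw rules quoted in the message match IP packets; the ARP replies that trigger these kernel messages are not IP packets, so those rules do not suppress them.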