Annoying arp messages won't go away!! (from freebsd-net@freebsd.org)
Paiva, Gilson de
g-paiva at el.com.br
Mon May 19 09:12:08 PDT 2003
Hi everybody,
Sorry to cross-post from freebsd-net...
I was running a FreeBSD machine bridging packets on 2 interfaces and
acting as my internet router without any problem.
Last week I had to change my IP allocation and, due to the ipfw2 improvements
on layer 2, I decided not to route packets through this machine anymore,
but to have a 3-NIC bridge, and now the annoying "/kernel: -- loop (x)
xxarpxx to nicx from nicy (active)" is here :) .
The moving arps are from the internet router - attached directly to ep0
- and a RAS attached to xl0. FreeBSD keeps telling me the message with
these 2 arps moving between its 3 NICs.
I understand the arp and bridge basics very well and I think this
problem has something to do with these 2 devices "scanning" my
network with "arp who-has" (detected with tcpdump).
I even "locked" all my 128 IPs' arps with the arp -s and arp -s pub options
but nothing changed. I even tried to stop the messages with
net.link.ether.inet.log_arp_wrong_iface=0, again with no success. No
Google, no man pages, nothing I could do...
Running 4.8-STABLE, cvsupped, with world and kernel built on the 15th of this
month, ipfw2, 3 NICs with bridge on them.
Did anyone have anything like this or know any tip?
I tried to make it simple, but I understand it's not that easy to mentally
draw it.
            internet_router
                   |
                   |
                  ep0
        freebsd   rl0 -- wireless network
                  xl0
                   |
                   |
        clients, servers and ras
before: bridge with xl0 and rl0. This box had an ip used as gateway for
internal clients.
now: bridge on all nics. Servers and clients have their ip gateway pointed
to internet_router. IP network is fine. This box has an ip so I can
administer it.
ifconfig -a
Where's "status: active" for xl0 and ep0? Both are up and running fine...
(thanks rmkml at wanadoo.fr)
xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 200.179.xxx.xxx netmask 0xffffff80 broadcast 200.179.xxx.xxx
        ether 00:60:97:70:12:ec
        media: Ethernet 10baseT/UTP (10baseT/UTP <half-duplex>)
rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ether 00:40:c7:78:06:45
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
ep0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ether 00:60:08:2b:bc:29
        media: Ethernet 10baseT/UTP
I flushed all ipfw rules and loaded no custom sysctl values; the problem
remains the same. A piece of my sysctl.conf, network entries:
net.inet.icmp.log_redirect=0
net.inet.ip.fastforwarding=1
net.inet.ip.forwarding=1
net.inet.ip.fw.enable=1
net.inet.ip.fw.one_pass=0
net.inet.ip.stealth=1
net.inet.tcp.blackhole=2
net.inet.tcp.keepidle=9000
net.inet.tcp.recvspace=65536
net.inet.tcp.sendspace=65536
net.inet.udp.blackhole=1
net.link.ether.bridge=1
net.link.ether.bridge_cfg=xl0,rl0,ep0
net.link.ether.bridge_ipfw=1
net.link.ether.inet.log_arp_wrong_iface=0
net.link.ether.ipfw=1
Kernel conf?
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP
options IPFW2
options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #print information about
options IPFIREWALL_FORWARD #enable transparent proxy support
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
options IPFILTER #ipfilter support
options IPFILTER_LOG #ipfilter logging
options IPDIVERT #divert sockets
options IPSTEALTH #support for stealth forwarding
options MROUTING #Multicast routing
options DUMMYNET
options HZ=1000 # strongly recommended
options RANDOM_IP_ID
options BRIDGE
options IPSEC #IP security
options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
options IPSEC_DEBUG #debug for IP security
options ICMP_BANDLIM #Rate limit bad replies
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Paiva, Gilson de Domingos Martins
mailto:npd at el.com.br Brazil
http://www.el.com.br/ E&L Producoes de Software
http://www.FreeBSD.org/ FreeBSD: The Power to Serve
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
------------------------------------------------------------------------------
Legal notice:
This message may not officially express the ideas or wishes of the company
E&L Producoes de Software; its author alone is responsible for it.
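Added example, not code from the post above or from FreeBSD: a small model of the bridge-side logic that produces a "-- loop (x) ... to nicx from nicy" message. A transparent bridge learns each source MAC on the port it first arrives on; a later frame from the same MAC arriving on a different bridge port is the "moved station" condition the kernel logs, and that table is keyed by MAC and port only, separate from the host's IP ARP cache that arp -s manipulates. The script replays constructed per-interface tcpdump -e -n lines through such a table and lists which stations were seen on more than one port. The interface names are the ones in the post; the MAC and IP addresses, the capture lines, the tcpdump line format and the re-learning of a moved MAC on its new port are assumptions made for the example.

```python
"""Replay a learning bridge's station table over captured ARP frames.

Added example; it is not code from the original post or from FreeBSD. It
models how a transparent bridge learns source MACs per port, so that the
"-- loop (n) <mac> to <nic x> from <nic y>" condition in the post can be
reproduced from per-interface tcpdump captures. The captures, MACs and
IP addresses below are constructed for this example.
"""
import re

# Leading link-level header of a `tcpdump -e -n` line: "<src> > <dst>, ..."
# (assumption: current tcpdump output format; older releases differ).
_LINK_HDR = re.compile(
    r"^(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),",
    re.IGNORECASE,
)


def parse_src_mac(line):
    """Return the lower-cased source MAC of a tcpdump -e line, or None."""
    m = _LINK_HDR.match(line.strip())
    return m.group("src").lower() if m else None


class LearningBridge:
    """Minimal model of a software bridge's station (MAC -> port) table.

    The table is keyed purely by MAC and ingress port; it is independent of
    the host's IP ARP cache that `arp -s` manipulates.
    """

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}   # src MAC -> port it was last learned on
        self.loops = []   # (counter, mac, new_port, old_port)

    def receive(self, port, src_mac):
        """Learn src_mac on port; record a loop event if it moved ports."""
        if port not in self.ports:
            raise ValueError("frame on non-bridged interface %s" % port)
        old = self.table.get(src_mac)
        if old is not None and old != port:
            self.loops.append((len(self.loops) + 1, src_mac, port, old))
        # Re-learn on the new port (assumption about the kernel's behaviour;
        # without it a flapping station would be reported only once).
        self.table[src_mac] = port
        return old


def replay(captures, ports=("xl0", "rl0", "ep0")):
    """Feed (interface, tcpdump line) pairs through a bridge model."""
    bridge = LearningBridge(ports)
    for iface, line in captures:
        mac = parse_src_mac(line)
        if mac is not None:           # skip lines without a link-level header
            bridge.receive(iface, mac)
    return bridge


def moving_stations(bridge):
    """MACs that were seen on more than one bridge port, with those ports."""
    seen = {}
    for _, mac, new_port, old_port in bridge.loops:
        seen.setdefault(mac, set()).update((new_port, old_port))
    return seen


def kernel_style(event):
    """Render a loop event in the shape of the message quoted in the post."""
    n, mac, new_port, old_port = event
    return "-- loop (%d) %s to %s from %s" % (n, mac, new_port, old_port)


# Constructed captures: one tcpdump -e -n line per (interface, frame).
# 00:a0:c9:11:22:33 plays the upstream router behind ep0, 00:10:5a:aa:bb:cc
# a client behind xl0, 00:10:5a:dd:ee:ff a wireless station behind rl0.
CAPTURES = [
    ("ep0", "00:a0:c9:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
            "length 60: Request who-has 192.0.2.10 tell 192.0.2.1"),
    ("xl0", "00:10:5a:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
            "length 60: Request who-has 192.0.2.1 tell 192.0.2.10"),
    # The router's frame shows up again on the wireless port: a second path.
    ("rl0", "00:a0:c9:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
            "length 60: Request who-has 192.0.2.11 tell 192.0.2.1"),
    ("ep0", "00:a0:c9:11:22:33 > 00:10:5a:aa:bb:cc, ethertype ARP (0x0806), "
            "length 60: Reply 192.0.2.1 is-at 00:a0:c9:11:22:33"),
    ("xl0", "00:10:5a:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
            "length 60: Request who-has 192.0.2.20 tell 192.0.2.10"),
    ("rl0", "00:10:5a:dd:ee:ff > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
            "length 60: Request who-has 192.0.2.1 tell 192.0.2.40"),
]


if __name__ == "__main__":
    br = replay(CAPTURES)
    for ev in br.loops:
        print(kernel_style(ev))
    for mac, ports in moving_stations(br).items():
        print("%s seen on %s" % (mac, ", ".join(sorted(ports))))
```

To use it against a real box, run one `tcpdump -e -n -i <if> arp` per bridged interface, tag each line with its interface and feed the pairs to replay(); the MACs that moving_stations() returns are the stations reachable over more than one bridge port.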