modulok at gmail.com
Mon Mar 17 09:29:05 UTC 2008
> > Would this be ARP(4) spoofing, or is it just me? How would I
> > confirm it?
> > arp: 192.168.1.1 is on lo0 but got reply from xx:xx:xx:xx:xx:xx on em1
> > This is on a FreeBSD router, em1 is Internet-facing. 192.168.1.1 (em0)
> > is LAN facing and permanent entry in the arp cache. This happens
> > constantly and is slowly filling my log files.
> What does an "ifconfig -a" on your machine show? It looks like you've
> configured your loopback interface to also have 192.168.1.1
[-]Modulok> ifconfig -au inet
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 66.x.x.x netmask 0xffffff80 broadcast 66.x.x.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
Just for fun, the entry in the arp cache:
[-]Modulok> arp -an | grep 192.168.1.1
? (192.168.1.1) at (myEthernetAddress) on em0 permanent [ethernet]
Concerning the arp(4) DIAGNOSTICS section (Just thinking aloud here:)
"Physical connections exist to the same logical IP network on both if0 and
"an entry already exists in the ARP cache ... and the cable has been
disconnected from if0, then reconnected to if1."
"This message can only be issued if the sysctl
net.link.ether.inet.log_arp_wrong_iface is set to 1"
While I could set the relevant sysctl variable to prevent it from
being logged, (which I'll probably end up doing) when strange things
happen, I usually like to know about them.
Disable the dynamic ARP cache on the external interface and make
permanent entries to the ISP's gateway and DNS servers? Perhaps.
However, in the event they ever change hardware (and fail to spoof
their previous ethernet address), I'd have to manually edit the ARP
cache...at 3:00am...on a Sunday. Plus these ARP replies, while
annoying, are not really harming anything as FreeBSD's ARP appears to
prevent address takeover via gratuitous, un-solicited, impersonating
Come to think of it, that might be it. I haven't looked into whether
or not these are replies triggered by requests from the local host (If
only I knew a way to do such a thing.) Logic initially rejects the
notion. As why would this box be sending out a gratuitous ARP request
every 10 minutes through the wrong interface for the given address?
Strange place, this Interweb.
More information about the freebsd-questions