> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Modulok
> Sent: Monday, March 17, 2008 1:29 AM
> To: Brent Jones
> Cc: freebsd-questions@freebsd.org
> Subject: Re: ARP(4) spoofing?
>
>
> > > Would this be ARP(4) spoofing, or is it just me? How would I
> > > confirm it?
> > >
> > > arp: 192.168.1.1 is on lo0 but got reply from xx:xx:xx:xx:xx:xx on em1
> > >
> > > This is on a FreeBSD router, em1 is Internet-facing. 192.168.1.1 (em0)
> > > is LAN-facing and a permanent entry in the arp cache. This happens
> > > constantly and is slowly filling my log files.
>
> > What does an "ifconfig -a" on your machine show? It looks like you've
> > configured your loopback interface to also have 192.168.1.1
>
> [-]Modulok> ifconfig -au inet
> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=b<RXCSUM,TXCSUM,VLAN_MTU>
>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
> em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=b<RXCSUM,TXCSUM,VLAN_MTU>
>         inet 66.x.x.x netmask 0xffffff80 broadcast 66.x.x.255
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
>
> Just for fun, the entry in the arp cache:
>
> [-]Modulok> arp -an | grep 192.168.1.1
> ? (192.168.1.1) at (myEthernetAddress) on em0 permanent [ethernet]
>
> Concerning the arp(4) DIAGNOSTICS section (just thinking aloud here):
>
> "Physical connections exist to the same logical IP network on both if0 and
> if1."
>
> Doubtful: LAN---em0[FreeBSD]em1---modem---Internet
>
> "an entry already exists in the ARP cache ... and the cable has been
> disconnected from if0, then reconnected to if1."
>
> Nope.
>
> "This message can only be issued if the sysctl
> net.link.ether.inet.log_arp_wrong_iface is set to 1"
>
> While I could set the relevant sysctl variable to prevent it from
> being logged (which I'll probably end up doing), when strange things
> happen I usually like to know about them.
>
> Disable the dynamic ARP cache on the external interface and make
> permanent entries for the ISP's gateway and DNS servers? Perhaps.
> However, in the event they ever change hardware (and fail to spoof
> their previous ethernet address), I'd have to manually edit the ARP
> cache... at 3:00am... on a Sunday. Plus these ARP replies, while
> annoying, are not really harming anything, as FreeBSD's ARP appears to
> prevent address takeover via gratuitous, unsolicited, impersonating
> ARP replies.
>
> Come to think of it, that might be it. I haven't looked into whether
> or not these are replies triggered by requests from the local host (if
> only I knew a way to do such a thing). Logic initially rejects the
> notion, as why would this box be sending out a gratuitous ARP request
> every 10 minutes through the wrong interface for the given address?
>
You should have anti-spoofing firewall entries in any internet router; check your ipfw entries. I suspect the problem has to do with a misconfiguration of your NAT, frankly.

The error message itself:

    arp: X.X.X.X is on lo0

is nonsensical, because by definition the loopback (lo0) is not connected to any network. Under correct configuration, a loopback cannot receive an ARP. The internal loopback address is exactly equivalent to a physical ethernet interface that has a loopback plug inserted into it. I suspect your NAT config is overloading on the loopback rather than on the physical interface.

Ted
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
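Modulok's open question is whether the replies come from one steady source on a timer or from something impersonating the LAN address, and whether anything is actually displacing the permanent entry. The following is an added example (not code from either poster) that answers the first part from the log alone: it parses the `arp: ... is on X but got reply from M on Y` lines, groups them by (IP, claimed MAC, arrival interface), compares the claimed MAC against the permanent `arp -an` entry, and reports the cadence between hits. The hostname, MACs, timestamps and the permanent-entry MAC are constructed; the poster redacted the real ones.

```python
"""Aggregate FreeBSD "arp: <ip> is on <if> but got reply from <mac> on <if>" log lines.

Added example; not code from the thread. Every host name, MAC address,
timestamp and the "permanent" entry below is constructed to match the
shape of the message quoted in the thread.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (the poster's real MAC was shown as xx:xx:...).
SAMPLE_LOG = """\
Mar 17 00:31:04 router kernel: arp: 192.168.1.1 is on lo0 but got reply from 00:1a:2b:3c:4d:5e on em1
Mar 17 00:41:05 router kernel: arp: 192.168.1.1 is on lo0 but got reply from 00:1a:2b:3c:4d:5e on em1
Mar 17 00:51:03 router kernel: arp: 192.168.1.1 is on lo0 but got reply from 00:1a:2b:3c:4d:5e on em1
Mar 17 00:52:10 router kernel: arp: 192.168.1.1 is on lo0 but got reply from de:ad:be:ef:00:01 on em1
Mar 17 01:01:06 router kernel: arp: 192.168.1.1 is on lo0 but got reply from 00:1a:2b:3c:4d:5e on em1
Mar 17 01:01:07 router kernel: em1: link state changed to UP
"""

# What `arp -an | grep 192.168.1.1` reports as permanent (constructed MAC).
PERMANENT = {"192.168.1.1": ("00:aa:bb:cc:dd:ee", "em0")}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"arp: (?P<ip>[\d.]+) is on (?P<expected_if>\S+) but got reply from "
    r"(?P<mac>[0-9a-fA-F:]{17}) on (?P<iface>\S+)$"
)


def parse(log, year=2008):
    """Return one dict per matching line; unrelated kernel lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            # syslog omits the year, so the caller supplies it
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "ip": m["ip"],
            "expected_if": m["expected_if"],
            "mac": m["mac"].lower(),
            "iface": m["iface"],
        })
    return events


def summarize(events, permanent):
    """Group by (ip, claimed MAC, arrival interface) and characterise each group.

    Reports the hit count, whether the claimed MAC / interface match the
    permanent entry, and the median gap between hits. One MAC answering on a
    steady ~600 s cadence looks like a periodic answer to something; a second
    MAC appearing once in between is the one worth looking at.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["ip"], e["mac"], e["iface"])].append(e["ts"])
    report = {}
    for (ip, mac, iface), stamps in by_key.items():
        stamps.sort()
        gaps = sorted(int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:]))
        perm_mac, perm_if = permanent.get(ip, (None, None))
        report[(ip, mac, iface)] = {
            "count": len(stamps),
            "mac_matches_permanent": mac == perm_mac,
            "iface_matches_permanent": iface == perm_if,
            "median_gap_s": gaps[len(gaps) // 2] if gaps else None,
        }
    return report


def describe(report):
    """One human-readable line per group, sorted for stable output."""
    lines = []
    for (ip, mac, iface), r in sorted(report.items()):
        flag = "matches permanent entry" if r["mac_matches_permanent"] else "DIFFERENT MAC"
        gap = f"~{r['median_gap_s']} s apart" if r["median_gap_s"] is not None else "single hit"
        lines.append(f"{ip} from {mac} on {iface}: {r['count']} replies, {gap}, {flag}")
    return lines


if __name__ == "__main__":
    for line in describe(summarize(parse(SAMPLE_LOG), PERMANENT)):
        print(line)
```

To settle the second half of the question (are these answers to requests this box sent, or unsolicited?), watch the wire rather than the log: `tcpdump -eni em1 arp` prints both ARP requests and replies on em1 with their link-layer addresses, so a request from em1's own MAC immediately before each logged reply would confirm the box is asking, and the absence of any request would confirm the replies are gratuitous. The log lines only exist while `net.link.ether.inet.log_arp_wrong_iface` is 1, as the thread notes, so run the capture before turning that off.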