I have a machine which is configured with two ethernet interfaces: eth0 has a 10.* address, and talks to an internal network which uses 10.* addresses. eth1 has a public internet address, and has direct ethernet-level connectivity to the outside world (friendly and non-friendly hosts). The machine runs kernel 2.2.12 with most of the networking options enabled except those that give away security for performance.

Every few weeks I observe bogus entries in my IP routing cache, directing traffic for one of my internal IP addresses, which should always go via eth0, to eth1. My firewall rules set by ipchains shoot down this traffic on sight, so I don't lose any security, but it makes the internal machines inaccessible.

I have all of the policy routing options enabled in my 2.2.12 kernel, which means every routing table cache entry has a source address and TOS bits in the key in addition to the destination IP address. The problem always occurs with exactly one route cache entry, so routing will work properly for e.g. NFS packets but not SSH, or vice versa, because they use different TOS bits, and with policy routing that means they get different cache entries. Of course it's also keyed by machine, so if I simply ssh to another internal machine and then ssh to the gateway machine, I can get around the bogus routing table entries.

'ip route flush cache' invariably solves the problem, but IMHO it shouldn't be happening in the first place.

Could some sort of ARP cache poisoning be happening? I know that the network attached to eth1 uses some 10.* addresses, but AFAIK they don't use _my_ 10.* addresses, and I've never been able to catch what confuses the machine with tcpdump (there are months between occurrences of the problem; the earliest kernel to exhibit the problem was 2.2.8). Will Linux update the route cache if it sees an ARP reply on eth1 (generated by another host) for one of the internal addresses on eth0?

-- 
I don't speak for Corel, I just work for them.
Use [EMAIL PROTECTED] for work, [EMAIL PROTECTED] for play, and [EMAIL PROTECTED] for PGP.
PGP fingerprint: 01 94 0F B3 46 B7 71 C3 D4 98 39 99 1B 34 45 A1
PGP public key: http://www.hungrycats.org/~zblaxell/pgp-public.txt
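As an added illustration (not part of the original post, and not code from the poster), the check below does what the poster does by hand: it scans a route cache dump for entries whose destination lies in the internal 10.* network but whose outgoing device is the public interface. The cache dump it parses is a constructed sample in the shape of `ip route show cache` output, chosen to show why the fault hits only one (destination, source, TOS) key: the two entries for 10.1.2.3 differ only in the TOS field, and only the TOS 0x10 one points at eth1. The interface names, the 10/8 prefix and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: flag route-cache entries that send internal (10.*) traffic
# out of the public interface. Not from the original post; names below are
# assumptions for the sake of the demonstration.

INTERNAL_PREFIX="10."   # assumed internal network prefix (eth0 side)
EXTERNAL_DEV="eth1"     # assumed public interface

# Constructed sample of 'ip route show cache' output (not real captured data).
# With policy routing the cache key is (dst, src, tos), so the same destination
# can have several entries; here only the tos 0x10 entry is wrong.
SAMPLE_CACHE='10.1.2.3 from 10.1.2.9 dev eth0  src 10.1.2.9
    cache  mtu 1500
10.1.2.3 from 10.1.2.9 tos 0x10 dev eth1  src 198.51.100.7
    cache  mtu 1500
198.51.100.1 from 198.51.100.7 dev eth1  src 198.51.100.7
    cache  mtu 1500'

# Print each cache entry whose destination is inside INTERNAL_PREFIX but whose
# outgoing device is EXTERNAL_DEV. Only lines that begin with a destination
# address are examined; the indented "cache ..." continuation lines never match
# the prefix pattern and are skipped.
bogus_entries() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            "$INTERNAL_PREFIX"*) ;;      # destination is internal: inspect it
            *) continue ;;               # anything else is fine
        esac
        case " $line " in
            *" dev $EXTERNAL_DEV "*) printf '%s\n' "$line" ;;
        esac
    done
}

# Number of bogus entries in the given dump (0 when there are none).
count_bogus() {
    bogus_entries "$1" | awk 'END { print NR }'
}

# Flush the cache only when a bogus entry is present. FLUSH_CMD defaults to the
# real command; the demo overrides it so nothing is changed on the host.
flush_if_bogus() {
    if [ "$(count_bogus "$1")" -gt 0 ]; then
        ${FLUSH_CMD:-ip route flush cache}
        return 0
    fi
    return 1
}

# Demo on the constructed sample (dry run: only echoes the flush command).
if [ "${1:-}" = "demo" ]; then
    echo "bogus entries:"
    bogus_entries "$SAMPLE_CACHE"
    FLUSH_CMD="echo would run: ip route flush cache" flush_if_bogus "$SAMPLE_CACHE"
fi
```

To use it on a live 2.2-era box, feed `count_bogus "$(ip route show cache)"` from cron and call `flush_if_bogus` without overriding `FLUSH_CMD`; the matched line (with its `from` address and `tos` value) is worth logging, since it identifies exactly which (dst, src, tos) key went bad and when, which is the piece of evidence the poster has so far been unable to catch with tcpdump.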
