Hi Erik and List,
yesterday my cable modem went down for a while due to a problem on the line. This also is the reason why I couldn't connect to the machine ;-)

My external interface (rl0) receives the IP address from the cable modem via DHCP, and when the line is down the modem assigns a private IP to the machine. In /var/log/messages, the logs of the new DHCP lease are followed by the ones from arplookup:

Mar 10 15:19:24 gahr dhclient: New IP Address (rl0): 192.168.100.10
Mar 10 15:19:24 gahr dhclient: New Subnet Mask (rl0): 255.255.255.0
Mar 10 15:19:24 gahr dhclient: New Broadcast Address (rl0): 192.168.100.255
Mar 10 15:19:24 gahr dhclient: New Routers (rl0): 192.168.100.1
Mar 10 15:19:53 gahr kernel: arplookup 0.0.0.0 failed: host is not on local network
Mar 10 15:20:24 gahr kernel: arplookup 0.0.0.0 failed: host is not on local network

So the problem only arises when the cable modem is down, and when line failures happen, the arplookup messages really aren't the things I worry about..

Thank you!

Best Regards,

On 3/11/06, Erik Nørgaard <[EMAIL PROTECTED]> wrote:
> Pietro Cerutti wrote:
> > Hi list,
> > today in the daily security report (periodic) of an i386 machine there
> > is this message repeated about 30 times:
> > +arplookup 0.0.0.0 failed: host is not on local network
>
> From rfc 3330:
>
> 0.0.0.0/8 - Addresses in this block refer to source hosts on "this"
> network. Address 0.0.0.0/32 may be used as a source address for this
> host on this network; other addresses within 0.0.0.0/8 may be used to
> refer to specified hosts on this network [RFC1700, page 4].
>
> I think in packet filter you can specify 0/32 and it will automatically
> be replaced by the ip on the relevant interface, this is useful when you
> have nics configured with dhcp.
>
> However, not all programs support this and will instead try to make an
> arplookup which is bound to fail.
>
> So first question is, what program causes this arplookup?
>
> - Do you in your firewall rules specify 0/32?
>
> - Do you have correctly set antispoofing?
>
> If your firewall does not drop packets from 0/8 then it may try to send
> a response to the invalid ip.
>
> - Do you have dhcp configured somewhere for some host?
>
> IIRC dhcp requests are sent with source 0/32 to destination
> 255.255.255.255/0 (rfc 2131). Your firewall may (it shouldn't, but check
> anyway) incorrectly try to route it if you don't have the antispoofing
> setup. If dhcp configuration fails, sometimes the interface gets
> assigned the address 0/32 unless some fallback has been configured.
>
> This could be a client on your network that is misconfigured.
>
> > The machine is the router (ipnat) and firewall (ipfilter) for a small
> > home network.
> > It runs postfix, sshd and nfsd.
>
> My guess is to take a look at your firewall rules and check if there are
> any misbehaving dhcp clients.
>
> > Since I'm away from home now, I can't sit in front of it and check
> > what's wrong. Furthermore, it seems that the machine is not accepting
> > ssh logins anymore, after those strange messages.
>
> Well, then you have a problem correcting this - maybe someone can reboot
> the machine for you?
>
> Hope this helps, Erik
>
> --
> Ph: +34.666334818 web: http://www.locolomo.org
> S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
> Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
> Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
>

--
Pietro Cerutti <[EMAIL PROTECTED]>
Don't let 'em take YOUR rights!
Say NO to Trusted Computing!
www.no1984.org
www.againsttcpa.com
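
Added example, not part of the original thread or written by its participants: a small triage script that applies the correlation described in the message above, labelling each "arplookup ... failed" line in /var/log/messages by whether the most recent dhclient lease was an RFC 1918 address (the modem's fallback) or not. The function name, the verdict labels, the assumed year 2006 and the last two sample lines (using the documentation address 198.51.100.23) are constructed for illustration.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: a lease inside these means the modem handed out its
# fallback address while the upstream line was down.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LEASE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ dhclient(?:\[\d+\])?: "
                   r"New IP Address \((\w+)\): (\S+)")
ARP = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ kernel: arplookup (\S+) failed")

def parse_ts(stamp, year=2006):
    # syslog lines carry no year; 2006 is an assumption taken from the thread date
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def classify_arplookup(lines):
    """Return (timestamp, target, verdict, seconds_since_lease) per failure."""
    lease = None  # (time, interface, address) of the latest lease seen
    results = []
    for line in lines:
        if m := LEASE.match(line):
            lease = (parse_ts(m[1]), m[2], ip_address(m[3]))
        elif m := ARP.match(line):
            if lease is None:
                # No lease in the log window: nothing explains the message.
                results.append((m[1], m[2], "investigate", None))
                continue
            age = int((parse_ts(m[1]) - lease[0]).total_seconds())
            private = any(lease[2] in net for net in RFC1918)
            verdict = "modem-fallback" if private else "investigate"
            results.append((m[1], m[2], verdict, age))
    return results

SAMPLE = [
    # First six lines are the ones quoted in the message above.
    "Mar 10 15:19:24 gahr dhclient: New IP Address (rl0): 192.168.100.10",
    "Mar 10 15:19:24 gahr dhclient: New Subnet Mask (rl0): 255.255.255.0",
    "Mar 10 15:19:24 gahr dhclient: New Broadcast Address (rl0): 192.168.100.255",
    "Mar 10 15:19:24 gahr dhclient: New Routers (rl0): 192.168.100.1",
    "Mar 10 15:19:53 gahr kernel: arplookup 0.0.0.0 failed: host is not on local network",
    "Mar 10 15:20:24 gahr kernel: arplookup 0.0.0.0 failed: host is not on local network",
    # Constructed lines: the same failure while holding a non-private lease.
    "Mar 10 17:02:11 gahr dhclient: New IP Address (rl0): 198.51.100.23",
    "Mar 10 17:05:40 gahr kernel: arplookup 0.0.0.0 failed: host is not on local network",
]

if __name__ == "__main__":
    for row in classify_arplookup(SAMPLE):
        print(row)
```

Failures labelled "investigate" are the ones where the firewall rules and DHCP clients mentioned in the quoted reply are worth checking.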