That 10.0.whatever crap is from your modem.  When I had a box running on
cable, I'd see a horrific amount of that crap in my logs.  It never
caused my firewall to stop working mind you.  Mine, for instance, was
10.0.80.31 - which, it appears, was my modem's "IP address" although I
do not recall seeing it in traceroutes (this was several years ago, so
don't take my word for it - best thing to do is to check your traceroute
to say... yahoo.com and see what comes up as first gateway).  Why is
this so? I can't answer that.  My present ADSL modem has a fixed IP,
specifically to telnet to in the event I want to use it as a router - I
haven't logged the interface because I know firewall tun0, but I'd bet
I'd see a lot of junk on the NIC interface acting as the PPPoE transport
if I'd log it...

Are you assigned a static IP or is it DHCP?  I used to get an ARP msg
and stuff when someone was mistakenly typing my IP as his static IP, a
typo caused both of us to share the IP - except that obviously didn't
work out quite nicely.  I was being assigned the IP via DHCP - and their
DHCP server kept giving me xx.yy.ab.ab and the guy's static IP was
xx.yy.ab.ba... you can see where he made his typo

        Just something to think about...

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:owner-freebsd-
> [EMAIL PROTECTED]] On Behalf Of Kevin D. Kinsey, DaleCo, S.P.
> Sent: November 27, 2002 4:07 PM
> To: Mark; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: ARP flood = Firewall locks up???
> 
> From: "Mark" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: ARP flood = Firewall locks up???
> 
> 
> > Hi!
> >
> >    Not being a terribly monstrous expert with FreeBSD firewalls, I was
> > quite relieved when I managed to get my FreeBSD 4.3 machine up and
> > running with a "simple" firewall and NAT for my subnet to my local cable
> > modem provider.
> >
> >    The firewall configuration was, indeed, the pure 'simple', with a
> > couple of extra rules to allow DNS (udp to and from 53).
> >
> >    Now, the problem is, about three weeks ago, I started seeing a FLOOD
> > of ARP messages on xl0, my interface to the internet over the cable
> > modem.  They are mostly of the nature:
> >
> <snip>
> 
> >    Questions:
> >
> >    1. Any ideas what this ARP flood is?  Is it some tool the ISP is
> > using or something?
> >
> Looks like common DNS traffic, up to a point.  It is quite a bit,
> I suppose, since your log excerpt is just a few seconds worth.
> 
> Is this a firewall log we're looking at, or a tcpdump?  If you use
> 'tcpdump' on the WAN if, you're getting your neighbors' packets
> also, right?  You mention not being able to get more info....check
> most of the files in /var/log...anything showing up on the console,
> or is that directed to a text log.....?
> 
> What services are you running on your own subnet...I don't
> find a DNS server there....
> 
> I wonder about the 10.x.x.x addy....something wrong
> in someone's config, perhaps<?>...
> 
> >    2. Any idea what's up with the firewall?  Why would it be locking
> > up?  I must confess to being a bit of a firewall newbie, so I'm not 100%
> > sure how to go about getting it to give me more information, logging,
> > etc ...  I might just upgrade to 4.7 and see what happens, but I'd
> > rather understand this first ....
> >
> I'm newb also, but are we sure it's just the firewall?  If you're
> rebooting to fix the problem, you're resetting more than just
> the FW.....
> 
> 
> >    Any suggestions would be appreciated...
> >
> >    Thanks,
> >    mark.
> 
> That's about all I've done, suggested...
> 
> G'luck, Kevin Kinsey
> 
> 
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-questions" in the body of the message

