On Apr 20, 2006, at 7:50 PM, Kevin Kinsey wrote:

jekillen wrote:

I have a question about a disconcerting event relayed to me from my kernel.
there are eight entries regarding network interface status:
rl0 link changed to DOWN
"            "           "  UP
"           "            "  DOWN
"          "             "  UP
sis0 promiscuous mode enabled
"        "                          disabled
"         "                         enabled
"         "                         disabled
The disconcerting entries are re sis0 promiscuous mode enabled.
Is the kernel trying to eaves drop on someone?

Not without assistance, most likely ;-).

One link is to the inside network and the other is to static ip address
that is assigned but as yet has not been configured on the router to
receive requests from outside.
I admit, I am learning at this point. I've been watching the router security log and have seen just in the last week (as long as it has had the static ip's assigned)
several hundred broadcast amplification attempts blocked.
And I have been reading my root mail and am now interested in a tutorial or
some published specifics about how to interpret these messages.
I'm running v6 release on AMD64. I'm setting up to host a web site.
thanks in advance.
PS in the mean time I will be going through what I have already.

Generally, "promiscuous mode" is pretty much what you
have guessed ... used in network analysis.  Software such
as bpf(4), and higher level apps such as netgraph, tcpdump,
ethereal, etc. use "promiscuous mode" to grab network traffic.
So, the first thing you ask yourself is, have I (or anyone allowed
to be "root") used any of this type of software?

There might be other explanations, but I'm not suitably
prepared to address them.

Kevin Kinsey

There are 2 factors that bear directly on this situation:
I am the only one who uses these machines on the inside network.
I have not been able to get into the web site from out side (so I presume no one else can either) For this reason it appears that the kernel may be doing security audits based on, possibly, suspicious events. But sis0 is the inside network interface. If I read the time correctly, I.E. 03 being 3 o'clock in the morning, this machine is the only one beside the router and a n.a.s device that are running. And this is the first time in the eight weeks total that this machine has been operational, that I have seen this message. Could the phone co be 'phishing' around? (SBC). Anyhow that's why I questioned the phone co's $250 installation charge, I told them I know how to set up the network and DNS stuff and was concerned about the possibility of a technician putting a root kit on my system. As it turned out, I had to let him install their router because he couldn't get mine to work (Zoom xv5) I have a Mac OSX machine that has been assigned one of the initial static ip's. It also has 2 interfaces the inside interface connects to the same network the web server is on. But I don't leave the Mac on continuously. When the technician set up the router it was using DCHP to assign the ip. I noticed it change the host name as reflected in the bash shell command line prompt. So as to their scruples I can only hope that there isn't some proprietary gadget running on the router that sniffs around on remote provocation. This might serve as a heads up to anyone with a similar situation.
The idle mind knows not what it is it wants.
                -- Quintus Ennius

freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to