DaemonForums  

#1 Calderon, 23rd February 2009
problem on my end or someone leaking dhcp?

I'm on a university network with IPs from the range 91.X.X.X. I started getting the message below a couple of hours ago. dc0 is external and xl0 is my LAN (192.168.0.0/24).

Code:
Feb 23 12:55:21 bsdkone kernel: arp: 192.168.0.1 is on lo0 but got reply from 00:21:91:72:14:64 on dc0
Feb 23 12:55:36 bsdkone last message repeated 5 times
Feb 23 12:58:09 bsdkone last message repeated 16 times
Feb 23 12:59:26 bsdkone last message repeated 12 times
Feb 23 13:00:31 bsdkone kernel: dc0: promiscuous mode enabled
Feb 23 13:00:52 bsdkone kernel: arp: 192.168.0.1 is on lo0 but got reply from 00:21:91:72:14:64 on dc0
Feb 23 13:01:07 bsdkone last message repeated 5 times
Feb 23 13:01:46 bsdkone kernel: dc0: promiscuous mode disabled
Feb 23 13:01:55 bsdkone kernel: arp: 192.168.0.1 is on lo0 but got reply from 00:21:91:72:14:64 on dc0
Feb 23 13:02:04 bsdkone kernel: arp: 192.168.0.1 is on lo0 but got reply from 00:21:91:72:14:64 on dc0

So is this doing me harm, is this somehow my fault (I doubt it, because this started just hours ago, and I have been running this for months without problems), or is someone leaking something onto this network? How can I prevent this? Changing my LAN subnet maybe? Or can I block this with PF?

#2 anomie, 23rd February 2009

192.168.0/24 is private IP space. It seems most likely to me that this is a misconfiguration.

Did you assign 192.168.0.1 to your lo0? Please post the output of % ifconfig

Note that .1 on a /24 subnet is often the default router.
__________________
Kill your t.v.
#3 Calderon, 24th February 2009

Code:
bfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:e0:18:bf:57:68
        inet 84.249.135.xxx netmask 0xfffff000 broadcast 84.249.143.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:0e:2e:2d:aa:a1
        inet 94.237.82.xxx netmask 0xfffffc00 broadcast 94.237.83.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        ether 00:50:04:af:97:b0
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet 100baseTX <full-duplex>
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204

It has stopped now though. I wondered about that lo0 (192.168.0.1) myself too. Maybe it was someone's LAN IP leaking or something...

#4 jggimi, 24th February 2009

This MAC address, 00:21:91:72:14:64, is external to your system, and was in the ARP messages you were receiving. Your routing table might tell you the offending IP address. ($ netstat -rnf inet)
#5 jggimi, 24th February 2009

Whoops. Forgot about the arp(8) command.
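
One way to quantify the conflict reported in the syslog output above, as an added example that is not part of the thread: it counts the kernel's ARP conflict reports per (IP, claimed MAC, receiving interface) and folds in syslog's "last message repeated N times" lines. The function name is illustrative; the sample input is the log from the first post.

```python
import re

# Log lines copied from the first post in this thread.
SAMPLE_LOG = """\
Feb 23 12:55:21 bsdkone kernel: arp: 192.168.0.1 is on lo0 but got reply from 00:21:91:72:14:64 on dc0
Feb 23 12:55:36 bsdkone last message repeated 5 times
Feb 23 12:58:09 bsdkone last message repeated 16 times
Feb 23 12:59:26 bsdkone last message repeated 12 times
Feb 23 13:00:31 bsdkone kernel: dc0: promiscuous mode enabled
Feb 23 13:00:52 bsdkone kernel: arp: 192.168.0.1 is on lo0 but got reply from 00:21:91:72:14:64 on dc0
Feb 23 13:01:07 bsdkone last message repeated 5 times
Feb 23 13:01:46 bsdkone kernel: dc0: promiscuous mode disabled
Feb 23 13:01:55 bsdkone kernel: arp: 192.168.0.1 is on lo0 but got reply from 00:21:91:72:14:64 on dc0
Feb 23 13:02:04 bsdkone kernel: arp: 192.168.0.1 is on lo0 but got reply from 00:21:91:72:14:64 on dc0
"""

TS = r"(?P<ts>\w{3}\s+\d+\s[\d:]{8})"
ARP_RE = re.compile(
    "^" + TS + r"\s\S+\skernel: arp: (?P<ip>[\d.]+) is on (?P<own>\S+) "
    r"but got reply from (?P<mac>[0-9a-f:]{17}) on (?P<seen>\S+)$")
REPEAT_RE = re.compile("^" + TS + r"\s\S+\slast message repeated (?P<n>\d+) times$")

def summarize_arp_conflicts(log_text):
    """Return {(ip, mac, receiving_iface): {"count", "first", "last"}}."""
    stats = {}
    last_key = None  # set only while the previous logged message was an ARP conflict
    for line in log_text.splitlines():
        m = ARP_RE.match(line)
        if m:
            last_key = (m["ip"], m["mac"], m["seen"])
            entry = stats.setdefault(
                last_key, {"count": 0, "first": m["ts"], "last": m["ts"]})
            entry["count"] += 1
            entry["last"] = m["ts"]
            continue
        r = REPEAT_RE.match(line)
        if r and last_key:
            # syslog collapsed N further copies of the preceding conflict line
            stats[last_key]["count"] += int(r["n"])
            stats[last_key]["last"] = r["ts"]
        elif not r:
            last_key = None  # an unrelated message breaks the repeat chain

    return stats

if __name__ == "__main__":
    for (ip, mac, iface), s in summarize_arp_conflicts(SAMPLE_LOG).items():
        print(f"{ip} claimed by {mac} on {iface}: "
              f"{s['count']} replies, {s['first']} to {s['last']}")
```
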