[lug] Arp bug in 2.4.20-30 kernels?
D. Stimits
stimits at comcast.net
Tue Feb 15 14:06:59 MST 2005
...
> Has anyone ever heard of a bug reported against the 2.4 kernels in which
> they respond positively to an arp but don't show the IP address
> configured?
Not a bug, but I'm thinking this is similar to an intentional address
spoof. A long time ago I had what "looked" like outbound scanning
traffic, which showed up on the linux bridge/firewall, but not on the
machine that it claimed was sending (and this was before MAC information
was available in iptables without patching). I ended up unplugging the
machine...guess what? The "outbound" stuff was still happening. Closer
investigation with packet sniffing revealed that it was falsified and
was NOT originating on the inside of the network. ARP was being
manipulated somewhere...don't ask me how, I don't know. It only appeared
to be coming from inside due to firewall reporting rules.
>
> If the router forwards to an interface via its MAC address, will the
> kernel refuse to accept the packets if the MAC address is right but it
> doesn't believe that it owns the associated IP address?
2.6 kernels now contain the ability to be configured for MAC address
filtering. You could specify firewall rules by MAC (assuming the MAC is
the local MAC or the hop that it is able to see). Don't know if this
helps you or not.
Also related to spoofing is the rp_filter option. In /etc/sysctl.conf
you'd add:
net.ipv4.conf.default.rp_filter = 1
(or echo 1 to proper /proc/ file to test...cat the right rp_filter file
in /proc/sys/net/ipv4/ to verify what it is now).
My guess is that if there is an error somewhere else all rp_filter will
do is block the traffic and not actually fix anything. If MAC addresses
are messing up due to a problem then turning off your switch and turning
it back on after waiting a short time might fix it (it sounds like the
switch isn't behaving nicely). I've seen a number of switches that after
changing NICs around or IPs they fail to update without power cycling
(if it isn't a switch under your control it's a problem).
D. Stimits, stimits AT comcast DOT net
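The rp_filter check described in the post (the sysctl.conf line, the "echo 1 to the proper /proc file" test, and cat-ing the right file under /proc/sys/net/ipv4/ to see the current value) as a small audit-and-enable script. This is an added example, not code from the post or from any kernel or distribution; the function names, the base-directory parameter (so the same functions can be run against a constructed copy of the /proc layout), and the sample interface names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit and enable the
# rp_filter reverse-path check. $1 on each function is the base directory,
# normally /proc/sys/net/ipv4, made a parameter so it can be pointed at a
# constructed copy of that layout for testing.

# Print the rp_filter value for one interface.
# $1 = base directory, $2 = interface name (e.g. eth0, lo, default, all)
rp_filter_value() {
    cat "$1/conf/$2/rp_filter"
}

# Walk every interface directory under conf/ and report its setting.
# Returns 0 when every interface has the check on (1 = strict, 2 = loose),
# 1 when any interface has it off (0) or holds an unexpected value.
audit_rp_filter() {
    base="${1:-/proc/sys/net/ipv4}"
    status=0
    for dir in "$base"/conf/*; do
        [ -f "$dir/rp_filter" ] || continue
        iface=$(basename "$dir")
        val=$(rp_filter_value "$base" "$iface")
        case "$val" in
            0) echo "$iface: rp_filter=0 (reverse-path check OFF)"; status=1 ;;
            1) echo "$iface: rp_filter=1 (strict)" ;;
            2) echo "$iface: rp_filter=2 (loose)" ;;
            *) echo "$iface: rp_filter=$val (unexpected value)"; status=1 ;;
        esac
    done
    return $status
}

# Turn the check on for one interface right now by writing to /proc.
# This is the "echo 1" test from the post and does not survive a reboot.
# $1 = base directory, $2 = interface name
enable_rp_filter() {
    base="${1:-/proc/sys/net/ipv4}"
    echo 1 > "$base/conf/$2/rp_filter"
}

# Persistent equivalent: add the sysctl.conf line from the post, plus the
# matching "all" key, since the kernel combines conf/all with the
# per-interface value. Idempotent: lines already present are not repeated.
# $1 = path of the sysctl.conf to edit (defaults to /etc/sysctl.conf)
persist_rp_filter() {
    conf="${1:-/etc/sysctl.conf}"
    grep -q '^net.ipv4.conf.default.rp_filter' "$conf" 2>/dev/null || \
        echo 'net.ipv4.conf.default.rp_filter = 1' >> "$conf"
    grep -q '^net.ipv4.conf.all.rp_filter' "$conf" 2>/dev/null || \
        echo 'net.ipv4.conf.all.rp_filter = 1' >> "$conf"
}

# Usage on a real host (root needed for /proc and /etc writes):
#   audit_rp_filter             # report the current state of every interface
#   enable_rp_filter "" eth0    # switch eth0 on immediately
#   persist_rp_filter           # make it stick across reboots
```

As the post notes, rp_filter only drops packets whose source address is not routable back out the interface they arrived on; it does nothing to repair a stale ARP or switch table, so the audit is a way to confirm the spoofed traffic is being blocked, not a fix for its cause.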