Re: 2 NIC and arpwatch

To: Leonardo Boselli <leo@dicea.unifi.it>
Cc: debian-firewall@lists.debian.org
Subject: Re: 2 NIC and arpwatch
From: Bernd Eckenfels <lists@lina.inka.de>
Date: Fri, 12 Sep 2003 23:35:11 +0200
Message-id: <[🔎] 20030912213511.GA6554@lina.inka.de>
In-reply-to: <[🔎] 3F624985.23313.581F24@localhost>
References: <[🔎] 3F624985.23313.581F24@localhost>

On Fri, Sep 12, 2003 at 10:32:37PM +0200, Leonardo Boselli wrote:
> Technically both nics are on the same physical [switched] network.
> the problem: another machine running arpwatch show me every 10 
> minutes the address 172.25.1.2 as flipping between the two nics ...
> (while the routing works fine !).
> Does someone have an idea on what is happeeninmg and how to fix it ?

The kernel is answering requests for it's local ip addresses on both
interfaces. This means, that it is using 2 different MACs for two differen
IPs, which is detected by arpwatch.

What you can do is turn off ip-forwarding (of possible) and/or configure the
kernel not to answer on the "wrong" interface. The simples way to achiev
this is to filter incoming ARP request packets with iptables (based on
interface name and requested address). 

There are also arp filter and silent arp patches out there.

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!

Reply to:

Follow-Ups:
- Re: 2 NIC and arpwatch
  - From: "Leonardo Boselli" <leo@dicea.unifi.it>

References:
- 2 NIC and arpwatch
  - From: "Leonardo Boselli" <leo@dicea.unifi.it>

Prev by Date: 2 NIC and arpwatch
Next by Date: Re: hi
Previous by thread: 2 NIC and arpwatch
Next by thread: Re: 2 NIC and arpwatch
Index(es):
- Date
- Thread