
arpwatch and arp packets ...urgent



Hello,

I have serious problems with ARP packets in my networks.
Not one network, not from today, but this is important for me - now.

I am receiving flip-flops from (?) each machine in my LAN (SNATed).
I have turned on proxy_arp (public IPs in LAN also present).

The situation is like this: each computer sends me an ARP packet one time with
the correct MAC and a second time with ... the MAC of the server interface :(


# tcpdump -ntvi eth0 arp
arp who-has 192.168.1.1 tell 192.168.1.64
arp reply 192.168.1.1 is-at 0:a:5e:4:f4:15
arp who-has 192.168.1.6 tell 192.168.1.210
arp who-has 192.168.0.43 tell 192.168.1.144
arp who-has 192.168.0.20 tell 192.168.1.144
arp reply 192.168.0.20 is-at 0:a:5e:4:f4:15
arp reply 192.168.0.43 is-at 0:a:5e:4:f4:15

arp who-has 192.168.1.1 tell 192.168.1.64
arp reply 192.168.1.1 is-at 0:a:5e:4:f4:15
arp who-has 192.168.0.43 tell 192.168.1.144
arp reply 192.168.1.144 is-at 0:c:6e:4:f4:33

/etc/arpwatch.conf contains:
eth0 -a -p -m root@localhost

I have got hundreds of mails from arpwatch with
changed_ethernet_address and flip_flop reports ....

Please help me.

I am working with grsecurity. Normally LAN machines have a 192.168....
address, and some machines (by proxy_arp) have normal public addresses.

There is no one spoofing these addresses, because this is going
on on each server, even without LAN users.

--
Regards,
Marcin.

P.S. I am reading the group mails regularly, so you can send mail to the group
debian-security@lists.debian.org
I was talking on another group, googled, read the man pages... no results. I am
not a beginner in Linux but I can't solve this :(
Kernel 2.4.24, grsecurity patched, rpfilter=on, proxyarp=on, I think -
strange firewalling.
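
As an added example (not part of the original post): a small Python triage of tcpdump ARP output like the capture above. It separates a MAC that answers for many IPs, which is what an interface with proxy_arp enabled does, from IPs that alternate between unrelated MACs. The `triage` function, the threshold of 3 and the one constructed reply line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# ARP lines copied from the tcpdump output in the post above.
POST_CAPTURE = """\
arp reply 192.168.1.1 is-at 0:a:5e:4:f4:15
arp who-has 192.168.0.43 tell 192.168.1.144
arp reply 192.168.0.20 is-at 0:a:5e:4:f4:15
arp reply 192.168.0.43 is-at 0:a:5e:4:f4:15
arp reply 192.168.1.144 is-at 0:c:6e:4:f4:33
"""
# Constructed line (not from the post): a host answering for itself, so that
# 192.168.0.43 is seen with two MACs, as in an arpwatch flip-flop report.
CONSTRUCTED = "arp reply 192.168.0.43 is-at 0:c:6e:4:f4:99\n"

REPLY = re.compile(r"arp reply (\d+(?:\.\d+){3}) is-at ([0-9a-f:]+)", re.I)

def normalize_mac(mac):
    """tcpdump prints 0:a:5e:...; zero-pad each octet so MACs compare equal."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def triage(capture, proxy_threshold=3):
    """Return (proxy_candidates, flip_flops) from tcpdump ARP text.

    proxy_candidates: MACs that answered for >= proxy_threshold distinct IPs.
    flip_flops: IPs seen with more than one MAC; involves_proxy is True when
    one of them is a proxy candidate (expected with proxy_arp), False when
    the MACs are unrelated (worth investigating).
    """
    ip_macs, mac_ips = defaultdict(set), defaultdict(set)
    for line in capture.splitlines():
        m = REPLY.search(line)
        if m:
            ip, mac = m.group(1), normalize_mac(m.group(2))
            ip_macs[ip].add(mac)
            mac_ips[mac].add(ip)
    proxies = {mac for mac, ips in mac_ips.items() if len(ips) >= proxy_threshold}
    flip_flops = {
        ip: {"macs": sorted(macs), "involves_proxy": bool(macs & proxies)}
        for ip, macs in ip_macs.items() if len(macs) > 1
    }
    return proxies, flip_flops

if __name__ == "__main__":
    proxies, flips = triage(POST_CAPTURE + CONSTRUCTED)
    print("MACs answering for many IPs:", sorted(proxies))
    for ip, info in sorted(flips.items()):
        print(ip, info)
```
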





