I plugged a Mac mini into my home network, and arpwatch went nuts, logging this over and over:

Jun 16 18:16:11 firewall arpwatch: bogon 169.254.149.175 0:50:da:6a:34:3
Jun 16 18:16:11 firewall arpwatch: bogon 0.0.0.0 0:17:f2:53:d3:dc
Jun 16 18:16:11 firewall arpwatch: bogon 169.254.111.145 0:17:f2:53:d3:dc
Jun 16 18:16:11 firewall arpwatch: bogon 169.254.111.145 0:17:f2:53:d3:dc
Jun 16 18:16:11 firewall arpwatch: bogon 169.254.111.145 0:50:da:6a:34:3
Jun 16 18:16:11 firewall arpwatch: bogon 0.0.0.0 0:17:f2:53:d3:dc
Jun 16 18:16:12 firewall arpwatch: bogon 0.0.0.0 0:17:f2:53:d3:dc

It should probably ignore the 169.254.x.x zeroconf addresses; not sure about the 0.0.0.0 ones.
That sounds like IPv4LL as part of Bonjour. How long did this persist?
Until I gave it an entry in my dhcpd.conf and restarted dhcpd.
Actually, I was mistaken. I restarted arpwatch, and powered it back up. The flood resumed. It does it even if it has a valid IP address, which seems a bit crazy.
Bogons from 169.254/16 can be avoided by adding -n 169.254/16 to /etc/sysconfig/arpwatch. I'm not sure we want this enabled by default; an administrator might want to know about it. Bogons from 0.0.0.0 can be avoided only by using -N (completely disabling bogon reporting). arpwatch could be fixed to allow -n 0/32; would that be enough?
I'm not sure we should do anything. Technically, 0.0.0.0 _is_ a bogon, so we'd want to know about it. I blame Apple.
arpwatch-2.1a15-6.fc8 allows the use of -n 0/32, which will disable reporting bogons from 0.0.0.0.
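
An added example, not part of the original thread or of arpwatch itself: a Python script that tallies arpwatch bogon log lines per MAC and per -n network discussed above (169.254/16, 0/32), so that anything those options would leave reported stands out before they are enabled. The function names and the last sample line (10.99.0.5) are constructed for illustration; the other sample lines are taken from the first comment.

```python
import ipaddress
import re
from collections import Counter

# The two networks the thread proposes passing to -n.
SUPPRESSIBLE = {
    "169.254/16": ipaddress.ip_network("169.254.0.0/16"),  # IPv4 link-local
    "0/32": ipaddress.ip_network("0.0.0.0/32"),            # all-zero sender address
}
BOGON_RE = re.compile(
    r"arpwatch: bogon (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>[0-9a-fA-F:]+)\s*$")

def normalize_mac(mac):
    """arpwatch logs octets without leading zeros (0:50:da:6a:34:3); pad them."""
    return ":".join(part.zfill(2).lower() for part in mac.split(":"))

def classify(ip):
    """Return the -n network covering this address, or None if none does."""
    addr = ipaddress.ip_address(ip)
    for label, net in SUPPRESSIBLE.items():
        if addr in net:
            return label
    return None

def triage(lines):
    """Count bogon reports per (MAC, covering network); None = still reported."""
    counts = Counter()
    for line in lines:
        m = BOGON_RE.search(line)
        if not m:
            continue
        try:
            label = classify(m.group("ip"))
        except ValueError:  # malformed address in the log line
            continue
        counts[(normalize_mac(m.group("mac")), label)] += 1
    return counts

SAMPLE = [
    "Jun 16 18:16:11 firewall arpwatch: bogon 169.254.149.175 0:50:da:6a:34:3",
    "Jun 16 18:16:11 firewall arpwatch: bogon 0.0.0.0 0:17:f2:53:d3:dc",
    "Jun 16 18:16:11 firewall arpwatch: bogon 169.254.111.145 0:17:f2:53:d3:dc",
    "Jun 16 18:16:11 firewall arpwatch: bogon 169.254.111.145 0:17:f2:53:d3:dc",
    "Jun 16 18:16:11 firewall arpwatch: bogon 169.254.111.145 0:50:da:6a:34:3",
    "Jun 16 18:16:11 firewall arpwatch: bogon 0.0.0.0 0:17:f2:53:d3:dc",
    "Jun 16 18:16:12 firewall arpwatch: bogon 0.0.0.0 0:17:f2:53:d3:dc",
    "Jun 16 18:16:13 firewall arpwatch: bogon 10.99.0.5 0:11:22:33:44:55",  # constructed
]

if __name__ == "__main__":
    for (mac, label), n in sorted(triage(SAMPLE).items(), key=str):
        print(f"{mac}  {n:3d}  {'-n ' + label if label else 'still reported'}")
```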