Bug 244606 - apple mac mini floods arpwatch
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: arpwatch
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Assignee: Miroslav Lichvar
Reported: 2007-06-18 02:35 UTC by Dave Jones
Modified: 2015-01-04 22:29 UTC (History)
Doc Type: Bug Fix
Last Closed: 2007-08-09 13:04:46 UTC

Description Dave Jones 2007-06-18 02:35:30 UTC
I plugged a mac mini into my home network, and arpwatch went nuts, logging this
over and over..

Jun 16 18:16:11 firewall arpwatch: bogon 169.254.149.175 0:50:da:6a:34:3
Jun 16 18:16:11 firewall arpwatch: bogon 0.0.0.0 0:17:f2:53:d3:dc
Jun 16 18:16:11 firewall arpwatch: bogon 169.254.111.145 0:17:f2:53:d3:dc
Jun 16 18:16:11 firewall arpwatch: bogon 169.254.111.145 0:17:f2:53:d3:dc
Jun 16 18:16:11 firewall arpwatch: bogon 169.254.111.145 0:50:da:6a:34:3
Jun 16 18:16:11 firewall arpwatch: bogon 0.0.0.0 0:17:f2:53:d3:dc
Jun 16 18:16:12 firewall arpwatch: bogon 0.0.0.0 0:17:f2:53:d3:dc

It should probably ignore the 169.254.x.x zeroconf addresses, not sure about the
0.0.0.0 ones.

Comment 1 Ignacio Vazquez-Abrams 2007-06-18 02:41:54 UTC
That sounds like IPv4LL as part of Bonjour. How long did this persist?

Comment 2 Dave Jones 2007-06-18 22:41:17 UTC
Until I gave it an entry in my dhcpd.conf and restarted dhcpd.


Comment 3 Dave Jones 2007-06-19 17:48:02 UTC
Actually, I was mistaken. I restarted arpwatch, and powered it back up.
The flood resumed. It does it even if it has a valid IP address, which seems a
bit crazy.

Comment 4 Miroslav Lichvar 2007-06-20 11:45:41 UTC
Bogons from 169.254/16 can be avoided by adding -n 169.254/16 to
/etc/sysconfig/arpwatch. I'm not sure we want this enabled by default; an
administrator might want to know about it.

Bogons from 0.0.0.0 can be avoided only by using -N (completely disabling bogon
reporting). arpwatch could be fixed to allow -n 0/32; would that be enough?

Comment 5 Dave Jones 2007-06-20 23:28:03 UTC
I'm not sure we should do anything.  Technically, 0.0.0.0 _is_ a bogon, so we'd
want to know about it.

I blame apple.

Comment 6 Miroslav Lichvar 2007-08-09 13:04:46 UTC
arpwatch-2.1a15-6.fc8 allows the use of -n 0/32, which will disable reporting
bogons from 0.0.0.0.
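
Added example (not part of the bug report and not arpwatch code): a Python triage of the bogon lines quoted in the description, showing which entries the -n 169.254/16 and -n 0/32 settings from comments 4 and 6 would silence and which would still be reported. The last sample line (10.9.8.7) is constructed; parse_net, normalize_mac and triage are hypothetical helper names, and -n is modelled simply as a list of networks exempt from bogon reporting.

```python
import ipaddress
import re
from collections import Counter

# First three lines are from the bug description; the last one is constructed.
SAMPLE_LOG = """\
Jun 16 18:16:11 firewall arpwatch: bogon 169.254.149.175 0:50:da:6a:34:3
Jun 16 18:16:11 firewall arpwatch: bogon 0.0.0.0 0:17:f2:53:d3:dc
Jun 16 18:16:11 firewall arpwatch: bogon 169.254.111.145 0:17:f2:53:d3:dc
Jun 16 18:16:12 firewall arpwatch: bogon 10.9.8.7 0:17:f2:53:d3:dc
"""

BOGON_RE = re.compile(r"arpwatch: bogon (\S+) (\S+)\s*$")


def parse_net(spec):
    """Expand the shorthand used in the thread ('169.254/16', '0/32')."""
    addr, _, prefix = spec.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))  # pad missing trailing octets
    return ipaddress.ip_network(".".join(octets) + "/" + prefix)


def normalize_mac(mac):
    """The log drops leading zeros per octet (0:50:da:6a:34:3); pad them."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def triage(log_text, ignored_specs):
    """Count bogons per (ip, mac), split by whether an ignored net covers them."""
    nets = [parse_net(s) for s in ignored_specs]
    suppressed, remaining = Counter(), Counter()
    for line in log_text.splitlines():
        m = BOGON_RE.search(line)
        if not m:
            continue  # not a bogon report
        ip = ipaddress.ip_address(m.group(1))
        key = (str(ip), normalize_mac(m.group(2)))
        bucket = suppressed if any(ip in n for n in nets) else remaining
        bucket[key] += 1
    return suppressed, remaining


if __name__ == "__main__":
    quiet, loud = triage(SAMPLE_LOG, ["169.254/16", "0/32"])
    for label, counts in (("would be silenced", quiet), ("still reported", loud)):
        for (ip, mac), n in sorted(counts.items()):
            print(f"{label}: {ip} {mac} x{n}")
```

Running it with only 169.254/16 in the list leaves the 0.0.0.0 entries in the "still reported" set, which is the behaviour comment 4 describes for versions before the 0/32 fix.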

